The Court of Appeal has upheld the lower court decision that supermarket chain Morrisons is vicariously liable for a data breach by an employee. The detail of this decision is interesting.
The Court found that, because Morrisons had instructed that personnel data be downloaded to an employee's laptop and, from there, onto a USB stick, the employee's actions were directly connected to what he was doing in the course of his employment, and Morrisons was therefore liable for them. The fact that the individual concerned acted illegally does not change the employer's liability.
The Court did observe that organisations that suffer data breaches as a result of system failures or employees’ negligent actions “might, depending on the facts, [face] a large number of claims […] for potentially ruinous amounts”. The solution, the Court suggested, was that organisations should be “fully insured”.
Although insurance has a key role to play in mitigating the potential impact of an event like this, I wouldn’t want to rely on it. I’d want to make sure that I eliminated as many situations as possible where employees were able or required to download personal data, and I’d want to make sure that my systems were robustly and regularly tested for vulnerabilities.
From a management perspective, I’d want to see a data flow map that indicated any areas in which there might be the possibility of data being downloaded, so that I could change the process. I’d want a robust incident response plan.
And I’d still worry.