Vicarious liability for data breaches – Beware!
04 Nov 2019
With the commencement date of the Protection of Personal Information Act 4 of 2013 (“POPI”) fast approaching (it is expected to be proclaimed by the end of the year), employers need to take urgent action to ensure that they have sufficient measures in place to protect personal information as well as to ensure that their organisations have the correct insurance cover in place to protect their businesses.
Data breaches occur frequently, and they happen both accidentally and maliciously at the hands of employees. Data breaches also have wide-reaching implications: in assessing an organisation's potential liabilities arising out of a data breach, it is important to be aware of the liabilities imposed on organisations in foreign jurisdictions (in particular in the UK in terms of the Data Protection Act 1998 (“DPA”), on which POPI is closely modelled). In the recent UK Court of Appeal decision of WM Morrison Supermarkets plc v Various Claimants EWCA Civ 2339 (proceeding on appeal to the Supreme Court of Appeal), the court found Morrison Supermarkets (“Morrison”) to be vicariously liable for a data breach caused by the malicious conduct of a disgruntled employee:
- Morrison (a large supermarket chain in the UK) suffered a serious data breach when the payroll data of nearly 100,000 employees (including names, addresses, dates of birth, national insurance numbers and bank details) was posted online by a disgruntled Morrison employee.
- The data breach had serious implications for Morrison’s share price and a number of employees (whose data had been leaked) brought proceedings against Morrison for damages.
- The court held that vicarious liability should be found where there was a sufficient connection between the employer and the wrongful conduct of the employee. In this instance, Morrison had fulfilled its own obligations under the DPA and had taken swift action to contain the data breach, and the employee had committed the breach at his home, from his own computer, on a weekend several weeks after having been given access to the data in a work capacity. Despite all of this, the court found Morrison to be vicariously liable for the actions of its employee and ordered it to pay damages.
Importantly, POPI makes provision for a form of statutory vicarious liability for employers in the event of a contravention of POPI by any of their employees. In particular, section 99(1) of POPI provides that a civil action for damages may be instituted against the responsible party [the employer] irrespective of whether there is intent or negligence on the part of the responsible party.
In addition, in terms of section 109(3), when determining an appropriate administrative fine for criminal offences under POPI, the Regulator is obliged to consider various factors, including whether the responsible party [the employer] or a third party [the employee] could have prevented the contravention from occurring, or whether there was any failure to carry out a risk assessment or a failure to operate good policies, procedures and practices to protect personal information.
What can organisations do to mitigate losses arising from data breaches?
- Conduct risk assessments and implement good data-protection policies, procedures and practices;
- be prepared to respond to any data breach quickly and effectively. Speedy actions can mitigate damages and losses to an organisation (see our article on incident response plans);
- check your insurance policies: the Court of Appeal warned that companies should have appropriate insurance in place if they wish to avoid financial difficulties over such breaches. The court in the Morrison Supermarkets case said:
“There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees… The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments…”