How liable is a golf club if there’s a data breach?

By Alistair Dunsmuir February 25, 2019 10:48

The National Golf Clubs Advisory Association (NGCAA) looks at what happened when an employer was found ‘vicariously liable’ – even though not at fault – for a data breach by a rogue employee.

A recent judgement by the Court of Appeal – Wm Morrison Supermarkets plc v Various Claimants [2018] EWCA Civ 2339 – may have some golf clubs feeling a little nervous in relation to what might happen if a disgruntled or rogue employee took data and subsequently published it to the wider world or disclosed it to third parties.

Even though the court in this case found that the employer had done nothing wrong, it still made the finding that the ultimate data breach was sufficiently connected with the rogue employee’s employment that it would apportion liability to the employer under the principles of vicarious liability.

What is vicarious liability?

This is where an employer can be liable for the torts (or wrongs) committed by an employee where there is a sufficient connection between the employment and the wrongdoing. The two-stage test applied to determine whether or not vicarious liability arises is:

Is there a relationship between the primary wrongdoer and the person alleged to be liable?
Is the connection between the employment and the wrongful act or omission so close that it would be just and reasonable to impose liability?

Facts of the case

The case concerned an employee of Morrisons’ supermarkets, Mr Skelton, who had been the subject of disciplinary action in the past and because of that, he held a grudge against his employer. He was later asked to transfer some payroll data in relation to Morrisons’ staff (details included names, addresses, bank details, salary information and national insurance numbers) to an external auditor. At this point, he took the opportunity to take a copy of that information of around 100,000 Morrisons’ employees, which he placed onto a personal USB stick. He held that data until just before Morrisons was due to announce its financial reports, when he then went on to upload the data to a file-sharing website, apparently pursuing his personal grudge.

Mr Skelton did not come away from this lightly – he was convicted under the Computer Misuse Act 1990 and the Data Protection Act 1998 and was imprisoned for eight years.

In a separate action to the criminal case, approximately 5,500 Morrisons employees who were affected by the data breach also brought claims against Morrisons for breach of confidence, misuse of private information and breach of statutory duty under the Data Protection Act 1998. The claimants alleged that Morrisons was either directly liable for those breaches or it was vicariously liable. In respect of the direct liability, it was found that Morrisons was not the data controller at the time of any breach and that Morrisons owed no duty to the claimants under data protection legislation (aside from its own duty to take the appropriate technical and organisational security measures). As far as direct liability was concerned for breach of confidence and misuse of private information, the disclosures were not carried out by Morrisons, hence it was not directly liable. It was Mr Skelton who disclosed the data, acting criminally and without authority.

In respect of vicarious liability, just because the employee became the data controller, it did not exclude Morrisons’ vicarious liability. The court held that there was a sufficient connection between the position in which the rogue employee was employed and his wrongful conduct to make it right for Morrisons to be held vicariously liable, whether that was a breach of duty under the data protection legislation, the misuse of private information or a breach of the duty of confidence.

When making the decision, the Court of Appeal determined that there was a ‘seamless and continuous sequence of events’ which meant that there was a sufficient connection between the employment and the publishing of the personal data to make it just and reasonable to find Morrisons vicariously liable. The court also considered the fact that Mr Skelton’s motive had been to harm his employer, but held that the motive of the employee was irrelevant to the issue of vicarious liability

Conclusion

Some keen readers may have noted that this case was decided under the Data Protection Act 1998, which was replaced by the GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) last year, but it is assumed that similar principles would apply if this case was decided now.

The decision in this case will be concerning for golf clubs, especially those who have worked hard to put in place the appropriate data protection policies and procedures. Where the club has committed no wrongdoing itself, this case confirms that the club could still be vicariously liable for the intentional acts of one rogue employee, notwithstanding having all club policies and procedures in line. It is still important to have those in place, since that should reduce or eliminate direct liability.

When giving its judgement, the Court of Appeal suggested that employers should insure against the risks of the ‘potentially ruinous’ impact that such a data breach could have on a business.

With a golf club in particular, where it has several hundred members, a class-action for a data breach by one rogue employee could cost a significant amount in compensation and legal fees. Golf clubs are therefore advised to check their insurance policies to ensure that they are covered in the event of data breaches by employees.