Welcome to day 10 of our 12 Days of Christmas series. Today we look back on the issue of employer’s liability for data breaches committed by their employees.
Watch out for the next edition of our “12 Days of Christmas” series tomorrow.
Could Your Business Be Held Vicariously Liable for a Rogue Employee’s Data Breach?
Earlier this year, supermarket chain Morrisons was found to be vicariously liable by the UK Court of Appeal for the actions of one rogue employee, following a class-action style case taken by 5,518 Morrisons employees whose private information was made public. Although Morrisons was compliant with data protection legislation at the time and worked to remedy the leak quickly, the company was faced with large compensation costs as a result of the civil action.
While the Irish courts have shown some reluctance with regard to vicarious liability for the intentional wrongdoing of an employee, other common law jurisdictions such as the UK and Australia have been more accepting of the proposition and this may be indicative of future trends in this area. Similarly, while Ireland has yet to allow US-style class actions, Article 80 of GDPR does provide for a claims consolidation mechanism. The GDPR and the Irish Data Protection Act 2018 potentially allow for non-material damage claims such as for emotional distress, to be brought in the Irish courts.
In the meantime, while Morrisons look set to appeal to the UK Supreme Court, the decision of the Court of Appeal serves as a reminder to employers that they are now expected to have robust technical and organisational controls in place that put data protection at the core or their business.
Read our original article in full here.
Follow us @WFEmploymentLaw @WilliamFryLaw
