David Lorimer: How employers can protect against data breach liability


Last year’s case in which Morrisons was found liable for damages arising from the actions of a rogue employee had broad implications for all employers. Andrew Skelton was imprisoned for eight years after deliberately disclosing payroll records relating to almost 100,000 staff members to several newspapers and online in 2014.

This was the first class action brought by employees for data breaches and is very likely to set a trend. In turn, where breaches occur, employers may well face a triple threat of regulatory action, which from May 2018 could include fines of up to 4% of global annual turnover or €20m; class or individual actions for damages; and significant reputational damage. The latter should not be overlooked and could make attracting and retaining the trust of consumers much more difficult.

The question of what employers should do is a difficult one because data breaches such as these have always been more likely to result from an individual’s error than a systems issue. It is tricky to completely prevent these issues arising, especially where individuals are motivated to cause damage to their employer, as was the case in Morrisons.

Employers can, and should, already be taking proactive steps to gear up for the General Data Protection Regulation (GDPR) which comes into force in May. That should include action to protect against and prepare for data breaches. Some particularly important steps will include updating policies and rules relating to the acceptable use of systems, the processing of data by staff and responding to breaches; clearly communicating and training staff on those new and updated rules; and planning for and testing preparedness through penetration testing and data breach simulations.

In addition, employers should roll out or enhance content reviewing and compliance monitoring software to protect against unauthorised disclosures. Of course, rolling out such software on employees’ devices is itself likely to amount to monitoring, so employers should take care to do so in compliance with the Data Protection Act and, from May 2018, GDPR.

Both this decision and GDPR on the horizon make it vital that employers look closely at their data rules and practices.

David Lorimer is associate at law firm Fieldfisher