Can Your Business be Liable for an Employee’s Intentional Data Leak?

Many businesses are acutely aware of the dangers of a data leak that can result from the breaching of networks, computer hacks, malware, and computer espionage. These cyber threats are external threats, but businesses must also be increasingly wary of INTERNAL threats coming from vengeful and vindictive employees and ex-employees. A well-publicized lesson can be found in the recent news of a large grocery store chain in Great Britain, WM Morrisons Supermarkets, suffering from a data leak from a well-placed employee. See news report from the Guardian here.

Employee Data Leak: What Happened to Morrisons?

In 2013, a senior internal auditor in the IT department for Morrisons ran an after-hours moonlighting business on eBay. He was a well thought-of employee by day and mailed out packages to his eBay customers from the Morrisons mailroom by night. Until one day when a package containing a white powder was discovered by a coworker. With understandable concern, the police were called. The white powder was found to be diet supplement powder that was not illegal nor dangerous, but Morrisons was not pleased. The employee was given a written disciplinary warning for his misconduct.

Angry about his disciplinary warning the employee grew disgruntled and waited for an opportunity for revenge – to teach Morrisons a lesson. This lesson was delivered later in 2013 when the employee downloaded payroll data of 100,000 of his coworkers onto a thumb-drive and sent copies of the data to three newspapers. The thumb-drives included names, addresses, phone numbers, bank account details, and salaries of Morrison employees.

As described more fully here, the leak — as opposed to a hack — was timed to cause maximum embarrassment to Morrisons. Morrisons is a publicly traded company, and in May 2014, Morrisons was having profitability issues and issued a profit warning sending its shares down 12%. To allay concerns about profitability, the CEO of Morrisons touted the company’s new IT systems as key to helping Morrisons return to better performance. Within hours of this announcement the employee data was leaked and Morrisons’ shares continued to lose value.

The employee was eventually sentenced to eight years in prison for violating the 1998 British Data Protection Act.

However, about 5,500 of the employees affected by the data leak filed a class action lawsuit against Morrisons in the British courts for damages in connection with the internal information leak. In December of 2017, the court ruled that the Morrisons was vicariously liable for the employee’s intentional leak of the personal and financial employee data. Morrisons states that it plans to appeal the ruling.

Employee Data Leak: Legal Principles

The case is worrisome for many reasons. Most employee data leaks occur because of some negligence or accident (see US examples below). But here the employer is being held liable for the criminal conduct of an employee. In finding Morrisons liable, the British court specifically acknowledged that Morrisons was not at fault, that Morrisons itself did not violate the law, and that Morrisons was essentially the target of the employee’s criminal behavior. Nonetheless, the court held that Morrisons was liable for the leak on the basis of respondiat superior.

This creates, in effect, a form a strict liability for an employee data leak (at least in the UK). If the ruling is upheld, Morrisons will face a massive legal liability and, without question, the remaining 94,500 employees will join the class action or file their own lawsuits. Further, it is possible that British regulators will follow the court’s ruling and impose heavy regulatory fines and penalties.

Employee Data Leak: Legal Principles Negligence in US Courts

It is unclear whether US courts would come to the same result as the British court in the Morrisons case.

So far, US courts have only dealt with negligent or accidental leaking of employee data. In one example, a US district court held that, under theories of negligence, an employer can be held liable to employees for loss of data. See Sackin v. TransPERFECT Global, Inc., No. 17 Civ. 1469 (LGS) (US Dist. Court, SD New York October 4, 2017).

In that case, hackers successfully hacked into the company’s computers and networks and stole personal and financial data on 4,000 employees. The employees brought suit based on many claims including common law negligence, violations of various labor laws, and breach of contract. The court held that, under New York law, employers have a duty to take reasonable precautions to protect the personal data that they acquire from employees. The court held that the employees had properly alleged claims under various New York statutes. The only claims dismissed where breach of contract claims.

By contrast, in Enslin v. The Coca-Cola Co., 136 F. Supp. 3d 654 (US Dist. Court, ED Penn. 2015), the court eventually dismissed all claims by employees. In this case, per standard operating procedures, an IT employee was to dispose of obsolete Coca-Cola employee laptops. However, rather than destroy these computers the employee unlawfully sold them. But unbeknownst to the employee, the hard drives on these laptops still contained employee information, including addresses, phone numbers and SSNs for upwards of 74,000 employees. Identity thieves pounced on this data leak. Once Coca-Cola became aware that the laptops had not been destroyed the employee was fired and criminally charged. Later, several employees whose personal and private information had been stolen filed suit and attempted to have a class action certified against Coca-Cola.

Most of the claims were dismissed early at the 10(b)(6) stage in 2015. The employees asserted various state law claims that required “knowing violations” of the relevant statutes. The federal court found that Coca-Cola did not have any knowledge that data had been stolen/leaked. In addition, Coca-Cola acted very quickly to recover as many of the laptops as they could locate. As such, all claims based on “knowing violations” were dismissed.

The federal court also dismissed claims based on the Pennsylvania economic loss doctrine, which provides that no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage. The court also found that there was no “special relationship” between Coca-Cola and its employees that would be an exception to the economic loss doctrine. Negligence claims were also dismissed by the court on the grounds that various employee and company policies failed to create a duty on the part of Coca-Cola to protect employee data. The court also rejected claims based on civil conspiracy and bailments.

In the 2015 decision, the only claims NOT dismissed were ones based on breach of contract or, in the alternative, claims based on unjust enrichment. However, those were eventually dismissed on summary judgment in March 2017. See here.

Employee Data Leak: Legal Principles Intentional Conduct in US Courts

With respect to an employer being responsible for the criminal conduct of its employees, the law is complicated and depends very much on state statutes and common law. But, in general, an employer has no duty to prevent criminal activity or intentional harm to a third party victim unless a “special relationship” exists with the victim or the harm/crime is foreseeable and the victim is among the class of foreseeable victims. See e.g., Niece v. Elmview Group Home, 929 P.2d 420 (Wash. Supreme Court 1996) (nursing home liable for employee rape of nursing home resident).

A special relationship imposes a duty upon the employer to control the conduct of its employees and otherwise protect against the criminal conduct. Foreseeability depends almost entirely on the facts of the case. Liability has been found, for example, against innkeepers and owners of apartments when guests and residents have been the victim of various crimes if such crimes were foreseeable but protective steps were not undertaken. Prosser and Keeton on Torts § 56.

How these principles play out with respect to intentional data leaks is yet to be determined.