Vicarious liability for data security breaches by employees

• United Kingdom

• Technology, Media and Telecoms - General

02-11-2016

Précis

Axon v Ministry of Defence and News Group Newspapers Ltd [2016] EWHC 787 (QB)

The High Court dismissed a claim for misuse of private information and breach of confidence brought by a former Commanding Officer of a Royal Navy frigate, against the Ministry of Defence where a fellow employee disclosed confidential information to The Sun. In doing so the court held that employers can be vicariously liable for data security breaches committed by their employees.

What?

In 2004 David Axon (“Axon”) was dismissed from his position as Commanding Officer of a Royal Navy frigate. In 2014, Axon alleged that a source within the Ministry of Defence (“MoD”) had disclosed confidential information about him to The Sun. This information related an equal opportunities investigation (“EOI”) that had found Axon guilty of bullying junior officers. As a result of the EOI Axon was removed from his command. In late 2004 The Sun published three articles about the matter.

Axon argued that the fellow employee’s disclosure to The Sun interfered with his reasonable expectation of privacy and confidentiality. Axon further contended that the MoD was vicariously liable for the breach of privacy and confidentiality committed by one of its employees. The MoD joined News Group Newspapers Ltd as a third party.

The Decision

The judge held that Axon did not have a reasonable expectation of privacy for a number of reasons, including the public nature of his former role, and the fact that he could not reasonably expect his bullying to be kept private.

Consequently it was held that Axon had no claim for breach of confidence because he could not show that the informant owed him a duty of confidentiality. The informant’s duty to preserve the confidentiality of the information they received was owed either to the Crown or the MoD, not Axon.

Further, judicial remarks:

The judge stated that if the informant had committed a tort, this would have been sufficiently closely connected with their job for the MoD to be vicariously liable.

Vicarious liability requires:

1) a relationship between the wrongdoer (the informant/employee) and the defendant (the MoD); and

2) a connection between that relationship and the wrongdoer's actions.

Both of these elements were satisfied by virtue of the informant’s employment with the MoD.

The informant had been given access to classified information so that they could undertake their employment obligations. It was by virtue of their position that they obtained the information they later disclosed to The Sun.

The employment relationship was clearly connected to the wrongdoing, as without that relationship, they could not have had the opportunity to disclose such information to The Sun. As such, the judge concluded that if the Claimant had had a valid claim, the MoD would have been vicariously liable for any damages arising out of the informant’s wrongdoing.

Whilst the informant was stated to be “on a frolic of her own”, the judicial remarks reinforce the general position that an employer can be vicariously liable notwithstanding that the employee's tort was intentional, prohibited, criminal and committed for the employee's own ends. This is of a particular concern where the employee is required to deal with sensitive and confidential information as there is an inherent risk that this information may be mis-used and the employer will be vicariously liable for the employee’s actions.

So what?

This decision reinforces that employers can be held vicariously liable for data breaches committed by their employees. This is especially important given the growing trend of group litigation against organisations by their employees and/or customers who have been the victim of such data and system security breaches.