Playing "The Blame Game": Data Breach Liability in Organizations
Data security and privacy is a hot global topic right now. New laws that closely regulate data security practices seem to be popping up everywhere in order to account for all of the data people transmit electronically daily. Attorneys have been tightening their practices to protect confidential data and advising their clients to do the same. However, some organisations may not be aware that they could be liable for data breaches perpetrated by their employees – even in seemingly unrelated situations.
All employers should be familiar with vicarious liability, which is a legal theory present in many court systems to place liability on an employer for their employee’s actions. The theory creates a path for an injured party to pursue another avenue to recover their losses by way of their employer. Seeking redress through an employer can be an appealing option for individuals since, generally, the organisation has greater financial worth than an individual does. The UK is currently struggling over the limits of this theory. The Supreme Court of the UK is deliberating over case that considers whether an employer can be liable for data breaches their employees carry out, even when the employer has implemented compressive data security protocols and policies (Wm Morrisons Supermarket PLC v. Various Claimants, case number UKSC 2018/0213 (U.K. Supreme Court, pending)). If the Supreme Court upholds the appellate court’s decision, which found in favor of vicarious liability, it could result in for more data breach claims against U.K. employers. The decision could have a broad application of the vicarious liability doctrine as compared to other countries.
4 Ways To Reduce The Risk of A Data Breach
There are several ways employers can prepare for this potential liability and reduce the subsequent risk. Some of these options include implementing or updating the following practices:
Evaluate the organisation’s current security program: If upon review, the organisation discovers areas where data security is not strong enough, it should take steps to improve their systems. This could include things like implementing new software and hiring extra personnel to carry out certain security functions. As always, an organisation should analyze the cost against the benefits and risks.
Increase employee monitoring: Every organisation will have different levels of employee monitoring. This usually depends on factors like the employee’s position, nature of the work performed, whether the employee handles sensitive data, and overall company values. To decrease the risk that an employee could independently perpetrate a data breach, an organisation can decide to place more checks and balances on their employees like including work product reviews more often (especially when an employee regularly handles sensitive data), implementing more employee evaluations, and improving communication practices between employees and supervisors.
Determine risk factors: An organisation should make a list of common behaviors or patterns that could indicate a willingness to leak data or harm the company. Some factors to consider would be prior employee discipline, dishonesty, previous incidents of carelessness when handling sensitive data, and expression of a grudge or other type of ill will towards the organisation.
Update policies and protocols: If an organisation wishes to alter their security practices or employee monitoring, it should create or update any policies and protocols accordingly. It should also communicate any changes to employees so they are aware of what the organisation expects from them in the workplace.
Following this checklist can help employers prepare for a vicarious liability lawsuit resulting from an employee’s data breach. An employer can refer to these practices as a defense to some liability claims Hopefully, this could also help stop a breach before it happens. Regardless of what country or state vicarious liability laws an employer faces, organisations should remember that court’s vicarious liability analysis will be extremely fact intensive. Having more security protocols and checks in place can help with the outcome. However, employers must remember that even after taking precautions, it can be difficult to identify an employee who decides to turn against their employer and perpetrate a data breach. Organisations should make sure their insurance policies account for these types of incidents in case a vicarious liability suit moves forward. Should any of the issues discussed in this blog arise, it is important to remember to contact local legal counsel to assist you. If you found this blog informative, you may enjoy reading ABA Issues Opinion - How To Respond to Data Breaches or The Epiq Angle Blog