Data breach liability looms for Zoombombed media moguls?
4 May 2020
The art of the ‘leak’, where confidential information from an anonymous source becomes front page news, is one of the most treasured trophies of investigative journalists.
Of course this would fall foul of Data Protection laws under normal circumstances, but an exception can be made if it’s in the public interest, and there’s an unwritten rule that editors do not inquire into, nor journalists disclose, their sources.
But now in the age of Covid-19, there are untold opportunities for illicit eavesdropping through the rapid rise of video conferencing and the Zoom revolution.
Already there have been multiple issues raised about cyber security and Zoom enabling hackers to burrow into internal affairs of politics and business, yet it seems the most recent and outrageous case is not some technical flaw but a catalogue of human, all too human, elementary errors.
Step forward the main players: the illustrious Financial Times, the worthy Independent and a, now ex-, FT journalist, Mark di Stefano.
Now it turns out that Mr di Stefano had access to a Zoom conference of the Independent editorial where staff were briefed about the parlous financial state of the now online newspaper, furloughing and wage cuts.
True to type, di Stefano, a self-confessed Twitter addict, was tweeting about the meeting even as it was happening, citing an ‘insider source.’
To say that this ‘scoop’ was one self-promotion too far is something of an understatement, with potential criminal as well as civil legal implications in terms of the Data Protection Act 2018 and other legislation, not just for di Stefano, but potential liability on the facts for the Financial Times and the Independent itself.
For it seems this was neither a third party anonymous ‘leak’ nor the result of hacking the Zoom cyber security.
Subsequently the Independent carried out an analysis of the participants’ addresses and tracked a later sign-in to a mobile phone belonging to di Stefano. It was also revealed that a similar incident concerning the Evening Standard and published on the FT website, was traced to the same phone.
There was no attempt at a defence by the FT since di Stefano’s acts were in breach of its commitment to journalistic ethics and there was no ‘public interest’ in disclosing the financial woes and internal staffing implications of a rival publication.
Di Stefano was suspended and announced his own immediate resignation, appropriately enough, on Twitter.
So what might become of this monumental faux pas legally?
But in terms of the civil DPA breaches, there would appear to be a potential prima facie vicarious liability case against the FT which would test recent Data Protection case law.
In a long-running data leak case against the supermarket Morrisons, the Supreme Court held that the company was not vicariously liable for the data protection breaches affecting 100,000 of its employees, thousands of whom had joined a class action for compensation redress against the firm.
The story began when a disgruntled rogue employee misused his access to confidential staff data, releasing it to media and ‘leak’ websites. The offender in question was prosecuted and is serving a lengthy prison sentence.
But what of the rights of the affected and distressed employees?
In the Morrisons saga, the Court of Appeal originally upheld existing comparable case law on the vicarious liability of the employer for wrongs committed by staff, even though they were criminal acts that were not in the course and intention of their employment.
The Supreme Court however overturned this decision.
Morrisons were able to show that they had exercised adequate monitoring and due diligence in data security and that the criminal acts of the offender were not in any material way connected to his legitimate role.
But would the same be true of the FT?
Di Stefano, while clearly in breach of contractual ethics, was employed on the basis of high profile ‘scoops’ and it can’t be said that his enterprise was outside the course of his employment and its intention. Arguably, it was precisely that that got him his job.