4 May 2020

The art of the ‘leak’, where confidential information from an anonymous source becomes front page news, is one of the most treasured trophies of investigative journalists.

Of course this would fall foul of Data Protection laws under normal circumstances, but an exception can be made if it’s in the public interest, and there’s an unwritten rule that editors do not inquire into, nor journalists disclose, their sources.

But now in the age of Covid-19, there are untold opportunities for illicit eavesdropping through the rapid rise of video conferencing and the Zoom revolution.

Already there have been multiple issues raised about cyber security and Zoom enabling hackers to burrow into internal affairs of politics and business, yet it seems the most recent and outrageous case is not some technical flaw but a catalogue of human, all too human, elementary errors.

Step forward the main players: the illustrious Financial Times, the worthy Independent and a, now ex-, FT journalist, Mark di Stefano.

Mr di Stefano, an Australian hack who prides himself on ‘breaking news’ which promotes the publication and himself, ahead of the pack, was employed as a media and tech reporter for the FT after making a splash with the online news agency Buzzfeed – most notably the Waitrose magazine ‘killing vegans’ joke that ended badly for its editor.

Now it turns out that Mr di Stefano had access to a Zoom conference of the Independent editorial where staff were briefed about the parlous financial state of the now online newspaper, furloughing and wage cuts.

True to type, di Stefano, a self-confessed Twitter addict, was tweeting about the meeting even as it was happening, citing an ‘insider source.’

To say that this ‘scoop’ was one self-promotion too far is something of an understatement, with potential criminal as well as civil legal implications in terms of the Data Protection Act 2018 and other legislation, not just for di Stefano, but potential liability on the facts for the Financial Times and the Independent itself.

For it seems this was neither a third party anonymous ‘leak’ nor the result of hacking the Zoom cyber security.

Di Stefano joined the Zoom conference signing in with his FT email address – which was visible to the 100 or so members for 5 seconds – before it disappeared.

Subsequently the Independent carried out an analysis of the participants’ addresses and tracked a later sign-in to a mobile phone belonging to di Stefano. It was also revealed that a similar incident, concerning the Evening Standard and published on the FT website, was traced to the same phone.

There was no attempt at a defence by the FT since di Stefano’s acts were in breach of its commitment to journalistic ethics and there was no ‘public interest’ in disclosing the financial woes and internal staffing implications of a rival publication.

Di Stefano was suspended and announced his own immediate resignation, appropriately enough, on Twitter.

So what might become of this monumental faux pas legally?

The Data Protection Act 2018 does include criminal sanctions which might apply to di Stefano, and potentially the FT itself if it knowingly or recklessly allowed the breach amounting to a criminal offence.

But in terms of the civil DPA breaches, there would appear to be a potential prima facie vicarious liability case against the FT which would test recent Data Protection case law.

In a long-running data leak case against the supermarket Morrisons, the Supreme Court held that the company was not vicariously liable for the data protection breaches affecting 100,000 of its employees, thousands of whom had joined a class action for compensation redress against the firm.

The story began when a disgruntled rogue employee misused his access to confidential staff data, releasing it to media and ‘leak’ websites. The offender in question was prosecuted and is serving a lengthy prison sentence.

But what of the rights of the affected and distressed employees?

In the Morrisons saga, the Court of Appeal originally upheld existing comparable case law on the vicarious liability of the employer for wrongs committed by staff, even though they were criminal acts that were not in the course and intention of their employment.

The Supreme Court however overturned this decision.

Morrisons were able to show that they had exercised adequate monitoring and due diligence in data security and that the criminal acts of the offender were not in any material way connected to his legitimate role.

But would the same be true of the FT?

Di Stefano, while clearly in breach of contractual ethics, was employed on the basis of high profile ‘scoops’ and it can’t be said that his enterprise was outside the course of his employment and its intention.  Arguably, it was precisely that that got him his job.

But it doesn’t end there.

While the Independent might be the wounded party, it turns out, according to media reports, that access to the Zoom conference was open to all-comers signing in without password protection.

Clearly ‘someone’ must have tipped di Stefano off as to the meeting and access, but, if that is the case, the newspaper’s elementary security failure was a potential data breach against its own employees.

So while di Stefano is, wisely, ‘taking time away and logging off’, the legal repercussions from this latest data breach fiasco are unlikely to go away anytime soon.