ARE YOU RESPONSIBLE FOR YOUR EMPLOYEE’S DATA BREACHES?

A commentary on ODPC Complaint No. 1212/2023, Pauline Muhanda T/A Mudeshi Muhanda & Co. Advocates v Safaricom PLC

INTRODUCTION

Pauline Muhanda, an advocate practising in the name and style of Mudeshi Muhanda & Co. Advocates, discovered, through a court application, that her law firm’s and her personal MPESA transactions from December 11th to 31st, 2022, had been accessed without her consent. These sensitive records were presented in court, revealing a severe breach of privacy. The source of this leak? A Safaricom employee who, in her regular duties, handled MPESA statements.

Outraged by the violation, Pauline filed a complaint with the ODPC on July 11, 2023, under Sections 8(f) and 56 of the Data Protection Act (DPA), and Regulation 14 of the Data Protection (Complaints Handling, Enforcement and Compliance) Regulations, 2021. She sought to hold Safaricom accountable for the unauthorized access and disclosure of her private data.

WAS SAFARICOM PLC LIABLE FOR ITS EMPLOYEE’S DATA BREACH?

At the heart of the case was a pivotal question: Could Safaricom be held liable for the rogue actions of its employee?

Safaricom contended that the employee had breached the company’s Acceptable Usage Policy and acted beyond her authorized duties. They emphasized that she had been dismissed following the breach and had no authorization to access or disclose the MPESA statements without a court order or consent.

The ODPC applied the “close connection test” to assess whether the employee’s actions were closely connected to her duties. Despite handling MPESA statements being part of her role, the unauthorized disclosure was not. The ODPC concluded that the employee’s actions did not satisfy the close connection test, as she acted outside her mandate.

SAFARICOM’S OBLIGATIONS AS A DATA CONTROLLER

As a data controller, Safaricom was required under Section 41 of the DPA to implement safeguards to protect personal data. The ODPC found that while the employee’s actions occurred within the scope of her employment, her failure to adhere to safeguards meant she acted outside her duties. Consequently, the ODPC held the employee personally liable for the breach.

ODPC’S FINDING

The ODPC’s ruling was unequivocal: by acting outside her mandate, the employee was personally responsible for the data breach. The ODPC recommended her prosecution under Section 72(3) of the DPA.

CONCLUSION

This case serves as a critical reminder that organizations must not only implement stringent data protection measures but also ensure that employees adhere to these safeguards. The story of Pauline Muhanda and the Safaricom employee underscores the delicate balance between corporate responsibility and individual accountability in data breaches. As the digital age progresses, this landmark ruling stands as a powerful testament to the importance of data privacy and the far-reaching consequences of its breach.
