UK: Employers vicariously liable for data breaches caused by rogue employees
Tim Hickman and Stephen Ravenscroft of White & Case LLP write:
In April 2016, the High Court of England and Wales issued its judgment in Axon v Ministry of Defence EWHC 787 (QB). The court emphasised (albeit obiter) the fact that employers can be liable for data breaches caused by rogue employees (in the present case, an employee who had passed on certain information to journalists without the permission of her employer). The impact of this decision on employers is potentially significant, and it serves as another reminder to employers to implement proper data protection processes and procedures, and to ensure that employees receive appropriate training on these issues.
Read more on JDSupra.
In the U.S., employers may be able to escape liability by showing that the employee was not acting within the scope of their duties, but it’s been a mixed bag (cf. the Doe v. Guthrie case and the U. Cincinnati case for examples of employers held not liable, and the Hinchy v. Walgreens case, where the employer was held liable).