Employer Not Vicariously Liable for Employee's Data Breach

on Tuesday, 05 May 2020.

In a recent decision, the Supreme Court has ruled that the supermarket chain Morrisons was not vicariously liable for its employee's malicious data breach.

This case should provide some comfort to organisations in the Pharmaceuticals & Life Sciences sector, which routinely hold and process large amounts of (often very sensitive) personal data.

However, data protection and information security continue (rightly) to be key concerns for those in the pharma arena, and remain the subject of scrutiny by regulators.

What Happened in This Case?

Andrew Skelton was an internal auditor for Morrisons. He also operated a small business selling a slimming drug through eBay. Occasionally, he would send out the packages through Morrisons' post room (having fully paid the postage himself). One of the packages came open in the post room and white powder spilled out causing chaos. Skelton was given a verbal warning. He then got the hump with Morrisons and planned his revenge.

In his role as auditor, Skelton had access to payroll data (including personal and banking details) of around 120,000 Morrisons employees. He took a copy of most of the data, put it online and sent it to newspapers (using a false email address to try to frame a colleague in the process). He also timed this disclosure to coincide with publication of Morrisons' annual financial results in order to cause maximum damage.

Mr Skelton was sentenced to eight years in prison for this unlawful and criminal disclosure, and Morrisons spent around £2m on remedial action as a result of his breach. 9,263 current and former employees who had been impacted by the breach then took civil action against Morrisons.

What Civil Actions Were Taken?

The claimants argued - amongst other things - that, as Mr Skelton's employer, Morrisons was 'vicariously' liable for his wrongful actions. They sought damages from Morrisons for distress caused by disclosure of their data, breach of confidence and misuse of private information.

At trial, the High Court held that Morrisons was vicariously liable for the data breach, and this was upheld in the Court of Appeal too. Morrisons then appealed to the Supreme Court.


Was Morrisons Vicariously Liable?

The Supreme Court allowed the appeal, finding that Morrisons was not vicariously liable for Mr Skelton's actions. The Court confirmed that for an employer to be vicariously liable for the wrongdoing of an employee, there must be a sufficiently close connection between the employee's work and the employee's wrongdoing, such that the wrongful actions of the employee could fairly and properly be considered to be in the course of their employment. In doing so, the Court reiterated the distinction between cases where an employee is engaged (however misguidedly) in furthering their employer's business, and cases where an employee is engaged solely in pursuing their own interests.

In this case, the Court found that Mr Skelton's unlawful disclosure was not connected to his employment - it was done for his own purposes - and so Morrisons could not be vicariously liable for those actions. On this occasion, his motive (ie to harm Morrisons) was also relevant.

However, the Court did not completely exclude the possibility of employers being vicariously liable for employees' statutory data breaches, misuse of private information or breach of confidence. Organisations should therefore be wary that, under different circumstances, they could be vicariously liable for a data breach by an employee.

Regulatory Matters

Data protection and information security continue to be key issues for the Pharmaceuticals & Life Sciences sector, and there have been a number of high profile incidents recently involving members of the sector. In addition to court claims by those affected, the Information Commissioner's Office (ICO) has handed out a number of high profile fines.

For example, last year, Doorstep Dispensaree, a high street pharmacy in North London, was the subject of the first fine by the ICO under the General Data Protection Regulation.

The pharmacy had been the subject of an investigation by the Medicines and Healthcare products Regulatory Agency (MHRA). Whilst the MHRA was searching the premises, it discovered 47 unlocked crates, two disposal bags and one cardboard box full of documents - around 500,000 in total - left in the pharmacy's outside courtyard.

The documents contained names, dates of birth, addresses, medical information and prescription details. Many of the individuals identified in the documents were elderly and vulnerable.

The ICO became involved. After considering the pharmacy's size and financial position, and aiming to make the penalty "effective, proportionate and dissuasive", the ICO fined Doorstep Dispensaree £275,000.

What Does This Mean For You?

The Supreme Court decision did not exclude the possibility of vicarious liability for statutory data breaches, misuse of private information or breach of confidence. That decision related to the Data Protection Act 1998 (which has of course since been superseded by the new data protection regime under the General Data Protection Regulation and the Data Protection Act 2018); however, there is no reason to believe that the new regime would exclude such vicarious liability either.

As well as possible liability for civil claims, we have already seen that there can be severe regulatory consequences for organisations in the sector that do not have appropriate data protection measures in place. All organisations in the Pharmaceuticals & Life Sciences sector should therefore ensure that their policies and procedures are up to date and reflect best practice, and that these are properly enforced through training and updates to staff. If a breach does occur, it is important that you act quickly to identify and contain the risk.


We are experienced in advising organisations in the Pharmaceuticals & Life Sciences sector on information security matters and data breaches. If you have any concerns or questions about liability for data breaches, please contact Ben Holt, who leads our Information Law team, on 07715 048666 or complete the form below.
