Vicarious Liability For Cyber And Privacy-Related Claims: Is Your Organization Protected Against Internal Threats? [1]
Privacy and data breaches at universities and colleges continue to rise. In response to a Statistics Canada survey in 2017, universities reported the second highest number of cybersecurity incidents. [2] This is to be expected, given the volume and sensitivity of the information in the custody and control of higher-learning institutions, including personal information of students, faculty and staff, and research project data. All of this data in the possession of one institution makes an attractive target for external hackers, but what happens if the threat is closer to home? The long-standing doctrine of vicarious liability provides that an employer can be held liable for certain acts of an employee.
Recent case law in the context of civil liability for privacy breaches suggests that vicarious liability may apply not only where an employee has negligently carried out his or her duties, but also where a "rogue" employee intentionally commits a privacy breach.
In 2012, the Ontario Court of Appeal recognized the common law tort of intrusion upon seclusion as a basis for civil liability for privacy breaches. [3] The tort has since been acknowledged by courts at a preliminary stage as a possible cause of action in other Canadian jurisdictions, including Nova Scotia and Newfoundland and Labrador. In addition, four provinces, including Newfoundland and Labrador, have a statutory tort of invasion of privacy. Depending on the type of breach, potential claims may also be framed in negligence or breach of contract. Where the breach involves the personal information of many individuals, class action proceedings may be commenced.
Examples of civil cases arising from internal privacy breaches intentionally committed by employees include employee "snooping" cases, where the personal information of others is improperly accessed, and cases where the employee has either stolen information for third parties or maliciously released it. Any organization can be susceptible to this risk. An employer necessarily extends trust to an employee who is granted access to sensitive personal information, and if that employee is determined to use the access in an improper, malicious or criminal manner, the risk is difficult for the employer to guard against. However, the fact that the employee's actions were unauthorized does not necessarily free the employer from vicarious liability.
The classic test for vicarious liability provides that an employer is vicariously liable for:
- employee acts authorized by the employer; and
- unauthorized acts so connected with authorized acts that they may be regarded as modes (albeit improper modes) of doing an authorized act. [4]
In the case of an internal privacy breach, where an employee has intentionally and improperly accessed or disclosed personal information without proper authority, the question becomes whether these actions were sufficiently related to conduct that was authorized by the employer, and whether there is a significant connection between the creation or enhancement of a risk by the employer and the wrong that results, such that vicarious liability should be attributed to the employer. Factors identified as being relevant to this determination include:
- the opportunity that the employer afforded the employee to abuse his or her power;
- the extent to which the wrongful act may have furthered the employer's aims;
- the extent to which the wrongful act was related to friction, confrontation or intimacy inherent in the organization;
- the extent of power conferred on the employee in relation to the victim; and
- the vulnerability of potential victims to wrongful exercise of the employee's power. [5]
In short, if the employer has created the situation allowing for the privacy breach, then vicarious liability provides that the employer should be held liable, both to compensate the victim(s) and to deter future breaches by motivating the employer to implement additional controls.
The vast majority of the Canadian case law on this topic comes from class action certification proceedings that have not proceeded to trial, and no Canadian court has yet made a finding of vicarious liability against an employer for a privacy breach arising from employee misconduct. However, there is sufficient case law to suggest a real risk that vicarious liability could be imposed. For example, in a case involving a bank employee who provided customer information to his girlfriend (which was then used to facilitate identity theft and fraud), the court found that it was not "plain and obvious" that a claim of vicarious liability would not succeed. The court highlighted that the bank had created the opportunity for the employee to abuse his power by allowing him unsupervised access to customers' private information without installing any monitoring system, and that bank customers were entirely vulnerable to this risk. [6]
More recently, in an ongoing class action by customers against the Insurance Corporation of British Columbia ("ICBC") for a privacy breach in which vicarious liability is alleged, a claim for punitive damages against ICBC was certified. The breach occurred in 2012 when an ICBC employee improperly accessed the personal information of dozens of ICBC customers and sold it to an acquaintance involved in the drug trade. The information was used to target some customers with violent attacks. The evidence indicated that in the four years leading up to the 2012 breach, at least seven employees had been terminated by ICBC for other privacy breaches. This leaves open the possibility that when the matter proceeds to trial, punitive damages could be awarded against ICBC based on the history of privacy breaches that had occurred without ICBC making appropriate corrective changes to prevent future breaches. [7]
Another case of significant concern is currently proceeding through the courts in the United Kingdom. In Various Claimants v W M Morrison Supermarket Plc, the UK Court of Appeal concluded that an employer should be held vicariously liable for a privacy breach committed by one of its senior IT auditors as a retaliatory measure against the employer for disciplinary action he had faced. [8] The employee had been disciplined by the employer for using the work mail room to mail packages for a private business he was operating out of his home, re-packaging and re-selling weight loss powder. This was at no direct cost to the employer, but a package of the white powder came open in the mail room one day and caused a disturbance, although the powder was ultimately revealed to be harmless. The employee received a formal warning on his record, which he thought was unjustified.
Part of this employee's job was to copy and provide personal and payroll information of employees to their external auditor. In retaliation against his employer for the warning he received, and at times outside working hours, off-site and using personal computer equipment, the employee copied the personal and banking information of nearly 100,000 employees and posted it to the internet. The employee was subsequently arrested and jailed for fraud. In determining whether the employer should be found vicariously liable, the UK Court of Appeal held that there was a sufficient connection between the position of the employee, who was expected in the course of his employment to handle and disclose the personal and banking information, and the wrongdoing, to find the employer vicariously liable. This was notwithstanding the fact that the lower court had concluded that the employer had largely complied with the data protection obligations placed upon it by the applicable UK legislation. This case is currently being further appealed.
In light of the developing case law in this area, and the accompanying potential for vicarious liability to be attributed to an employer for privacy breaches caused by a rogue employee, what can an organization do to help protect itself?
- Create a culture where cybersecurity is a shared responsibility. Educate employees on the value of your organization's data, the different types of data, and what data can and cannot be shared;
- Review your organizational, technical and administrative security safeguards:
  - Is the information within your custody and control adequately protected?
  - Is access to personal information limited to those trusted employees who need access to the information in order to carry out their duties?
- Be prepared for, and have an action plan ready to deal with, cyber-attacks – whether internal or external;
- Monitor and respond to any disruptive employee behaviour and manage any negative workplace issues;
- Review your new hire and screening procedures as well as employee exit procedures; and
- Monitor and respond to any incidents and continue to test and update existing security procedures.
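As an added illustration of the access monitoring whose absence the court criticized in the bank case, and of the need-to-know review suggested above, the following example compares a record-access log against each employee's assigned files and flags anyone reading many unassigned records in a short window. This is example code written for this article, not anything from the cases or organizations it names; the assignment table, log entries, window and threshold are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed (hypothetical) data: which customer files each employee is
# currently assigned to handle. Anything outside this set is "unassigned".
ASSIGNMENTS = {
    "alice": {"C100", "C101", "C102"},
    "bob": {"C200", "C201"},
}

# Constructed access log entries: (ISO timestamp, employee, customer file read).
ACCESS_LOG = [
    ("2024-03-01T09:00:00", "alice", "C100"),
    ("2024-03-01T09:05:00", "alice", "C101"),
    ("2024-03-01T09:10:00", "alice", "C300"),  # one unassigned lookup
    ("2024-03-01T21:00:00", "bob", "C500"),    # after hours, five unassigned
    ("2024-03-01T21:01:00", "bob", "C501"),    # files in a few minutes
    ("2024-03-01T21:02:00", "bob", "C502"),
    ("2024-03-01T21:03:00", "bob", "C503"),
    ("2024-03-01T21:04:00", "bob", "C504"),
]


def unassigned_accesses(log, assignments):
    """Return (employee, customer, timestamp) for each read outside the employee's assignments."""
    return [(emp, cust, ts) for ts, emp, cust in log
            if cust not in assignments.get(emp, set())]


def flag_bulk_snooping(log, assignments, window=timedelta(hours=1), threshold=3):
    """Map employee -> count of distinct unassigned files read within one sliding window,
    for employees who reach the threshold. A single stray lookup is not flagged."""
    per_emp = defaultdict(list)
    for emp, cust, ts in unassigned_accesses(log, assignments):
        per_emp[emp].append((datetime.fromisoformat(ts), cust))
    flagged = {}
    for emp, events in per_emp.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            distinct = {c for t, c in events[i:] if t - start <= window}
            if len(distinct) >= threshold:
                flagged[emp] = len(distinct)
                break
    return flagged


if __name__ == "__main__":
    for emp, n in flag_bulk_snooping(ACCESS_LOG, ASSIGNMENTS).items():
        print(f"review: {emp} read {n} unassigned customer files within one hour")
```

The same comparison can be run daily against whichever system of record holds the assignments, so that an unexpected volume of reads is reviewed while the employee still works there rather than after the data has left.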
[1] For an academic discussion of this issue, see "Direct and Vicarious Liability for Tort Claims Involving Violation of Privacy", by von Tigerstrom, Barbara, The Canadian Bar Review, Vol. 96, 2018.
[2] StatsCan Canadian Survey of Cybersecurity and Cybercrime, 2017 (released Oct. 2018).
[3] Jones v Tsige, 2012 ONCA 32.
[4] Bazley v Curry, 2 SCR 534.
[5] Bazley, supra at para. 41.
[6] Evans v The Bank of Nova Scotia, 2014 ONSC 2135. See also Hynes v Western Regional Integrated Health Authority, 2014 NLTD (G) 137.
[7] Ari v Insurance Corporation of British Columbia, 2019 BCCA 183.
[8] Various Claimants v W M Morrison Supermarket Plc, EWCA Civ 2339, leave to appeal granted April 15, 2019.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.