When Employees Go Rogue: Are Employers Vicariously Liable for the Privacy Breaches of Their Employees?
Although there has not yet been a definitive answer to this question in Canada, based on recent UK case law, it appears increasingly likely that, at least in some circumstances, the answer may be “yes”.
In Various Claimants v WM Morrisons Supermarket Plc, (Rev 1)  EWHC 3113 (QB) (“Morrisons”), the High Court said that the supermarket chain Morrisons was vicariously liable for the actions of an employee, who leaked the payroll data of nearly 100,000 employees. The case is the first successful class action for a data breach in the UK.
More and more, Canadian courts and adjudicators have been asked to grapple with similar privacy issues, particularly in light of the privacy torts that have gained traction in some Canadian jurisdictions. Thus far, Canadian courts have not opined directly on whether vicarious liability may be extended to employers in respect of the privacy breaches of their employees, but the case law to date is consistent with the recent UK decision, which holds that the test for vicarious liability of an employer for the privacy breaches of its employees is the same as it is for any other wrongful act of an employee.
Current Canadian Law
In Ari v Insurance Corporation of British Columbia, 2015 BCCA 468 (“Ari”) the BC Court of Appeal considered whether certain portions of a proposed class action ought to have been struck. In that case, the claimants alleged, among other things, that the employee’s alleged breach of the Privacy Act, RSBC 1996, c 373, imported vicarious liability on to the employer.
The Court held that the Privacy Act did not exclude the imposition of vicarious liability on the employer and suggested that the principles of vicarious liability may be applied in the context of a breach of privacy by an employee just as they would to any other wrongful act of an employee.
However, since the Court in Ari was considering the test for striking out pleadings (specifically whether it was plain and obvious that there is no reasonable claim in breach of privacy against the Defendants), rather than evaluating the whole of the Action on its merits, the case is not a definitive answer to the question of whether and when an employer is vicariously liable for the privacy breaches of its employees.
In Hynes v Western Regional Integrated Health Authority, 2014 NLTD(G) 137, the Supreme Court of Newfoundland and Labrador considered whether the proposed class action for a breach of the Privacy Act, RSNL 1990 c P-22 and for the tort of intrusion upon seclusion should be granted, partly on the basis of whether the employer could be vicariously liable for an employee’s wrongful breach of privacy.
The Court held that it was not plain and obvious that the assertion of vicarious liability would fail. The Court indicated that the issue of whether the employee’s acts were so connected to authorized acts as to justify the imposition of vicarious liability (the test for imposing vicarious liability) must be resolved at trial. Therefore, the Court’s certification decision is not determinative of this issue.
In Bigstone v St Pierre, 2011 SKCA 34, this issue was argued before the Chambers judge on an application to strike pleadings, but on appeal vicarious liability was not considered and the claim was struck on the basis that there were insufficient material facts pleaded to support the cause of action.
The Morrisons Case
Morrisons may provide an inkling as to how Canadian courts may approach the issue of vicarious liability of employers for privacy breaches committed by employees.
In Morrisons, a group of claimants brought an Action for breach of the Data Protection Act 1998 (“DPA”), as well as at common law for the tort of misuse of private information and an equitable claim for breach of confidence against Morrisons. The claimants were employees of Morrisons who had had their personal information taken and published online by a disgruntled employee, Mr. Skelton. Mr. Skelton had been a Senior IT Auditor who had obtained access to the private information of the claimants in the course of collating the data for transmission to Morrisons’ auditors.
The claimants alleged both a direct breach of the DPA by Morrisons for failing to protect their data and that Morrisons was vicariously liable for the actions of its employee, Mr. Skelton.
The Court held that Morrisons did not breach the DPA directly since it was not the “Data Controller” (as defined in the DPA) at the relevant time with respect to the data at issue. The specific acts complained of were those of a third party, Mr. Skelton, and not Morrisons.
The Court also considered whether Morrisons breached the DPA by failing to take appropriate measures to safeguard the data. Morrisons had put in place security systems which were generally considered by the Court to be adequate and appropriate.
The Court also assessed whether Morrisons ought to have done more to supervise Mr. Skelton. Although Morrisons could have taken additional measures to monitor Mr. Skelton and his work, the Court indicated that there is a level of additional supervision which is not only disproportionate to the risk but that may result in a claim by the employee being supervised that the measures are unfairly intrusive to his or her own rights.
The Court then considered whether Morrisons was vicariously liable for the actions of Mr. Skelton. The Court held that vicarious liability was not excluded by the DPA and can be imposed where the circumstances so warrant. The Court found that the principles of vicarious liability of an employer for the acts of its employees do not change simply because the wrong complained of relates to a privacy breach as opposed to a different wrongful act of the employee.
Whether liability will be imposed depends on whether one of the two bases for liability in Bazley v Curry,  2 SCR 534 is met, specifically, whether (1) the employer has authorized the acts, or (2) the unauthorized acts are so connected with the authorized acts that they may be regarded as a mode of doing an authorized act. The Court also considered the policy rationales behind imposing vicarious liability in the circumstances.
In Morrisons, the Court found that “there was an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events” even though the disclosure itself did not occur on a company computer or on company time. Dealing with sensitive confidential data was expressly part of Mr. Skelton’s role. His job was to receive and pass on data to a third party. The fact that the actual third party recipient of the data was unauthorized did not disengage the act from his employment.
The Court noted that cases where vicarious liability has been upheld are those “where the employee misused his position in a way which injured the claimant” and “it was just that the employer who selected him and put him in that position should be held responsible.” Further justification for imposing liability is that the employer has at least the theoretical right to control the employee’s actions and has the ability to protect itself by insuring against the liability.
In the result, Morrisons stands for the proposition that a company can be held liable to compensate affected individuals for loss (including non-pecuniary loss such as emotional distress) caused by a data breach, even when the breach was caused by an employee and there was no wrongdoing on the part of the company.
Importantly, the Court invited Morrisons to appeal the conclusion as to vicarious liability, considering that imposing liability in the circumstances may have served to render the Court an accessory to Mr. Skelton’s criminal aims (namely punishing Morrisons for taking disciplinary action against Mr. Skelton).
What it Means for Employers
Although there is still no definitive answer in Canada, this case and the preceding Canadian case law suggest that companies must consider carefully who they place in trusted roles and, in addition to the systems they use to protect data, what measures they might take to guard against human risk, which the Court in Morrisons acknowledged can never be fully anticipated or prevented.