Data Breach And Vicarious Liability For Employee Misconduct
Published date: 08 May 2020
Author: Ms Ruth Promislow and Ethan Schiff
Subject Matter: Employment and HR, Privacy, Employee Rights/Labour Relations, Data Protection
Law Firm: Bennett Jones LLP
It is not only hackers who pose a risk to an organization's information security; hostile insiders do as well. According to Verizon, an estimated 34 percent of data breaches involve internal actors. Hostile insiders may be motivated by personal reasons (e.g., peeking at personal information of their employer's customer base to gain insight into a particular individual's private information), or financial reasons (e.g., theft of personal data for financial profit). If the hostile insider's actions result in harm or losses to third parties, the organization may face vicarious liability, even in the absence of company wrongdoing.
Recent UK Authority: Morrison Supermarkets
The doctrine of vicarious liability applies differently based on context, and remains relatively untested in Canada in the specific context of data breaches. A recent United Kingdom case involving a claim for vicarious liability in respect of an employee data breach provides useful background for understanding how Canadian courts may approach a comparable matter. In WM Morrison Supermarkets plc v Various Claimants, [2020] UKSC 12 [Morrison Supermarkets], employees of Morrison (the defendant company) brought an action alleging, among other things, vicarious liability for various breaches based on publication of personal information by another employee, Andrew Skelton. Morrison provided Skelton with the plaintiffs' confidential information in the context of his position as an internal auditor for the purposes of transmitting the data to outside auditors. He published the information with the intention of harming Morrison.
In dismissing the claim for vicarious liability, the UK Supreme Court noted that, in the UK, a party is generally vicariously liable only if the employee's conduct is closely connected with the acts the employee was authorized to perform, such that the activity occurred within the course of business. Though this test may be relaxed in some contexts (in particular, cases involving sexual abuse), the Court held that the provision of data from Morrison to Skelton in the context of his employment responsibilities was insufficient to establish a close connection with Skelton's wrongful publication of the data, particularly because Skelton's motivation was in direct conflict with Morrison's interests.
The Canadian Landscape
Canada's approach to vicarious liability is distinct from that taken in Morrison Supermarkets. In Canada, the applicability of vicarious liability in a novel...