Wednesday, 25 June 2014

Can an Employer be held liable for privacy breaches by an Employee? For now, the answer is “maybe”

If an employer’s business collects and uses the personal information of individuals, there is always the risk that an employee could improperly access and misuse that information without the employer’s knowledge.  Whether or not the employer can be held responsible is the question raised by the case of Evans v. The Bank of Nova Scotia. 
Richard Wilson worked for the Bank of Nova Scotia (the “Bank”).  Unbeknownst to the Bank, Wilson provided the files of several hundred customers to an unknown third-party, who then used the information to commit identity theft and fraud.  When the Bank learned of the situation, Wilson was fired and all of the affected customers were notified.  Of the 643 customer files that Wilson accessed, 138 customers identified themselves as victims of fraud or identity theft.  The Bank compensated the affected customers for any monetary losses, and provided all of the customers whose information had been accessed with a subscription to a credit monitoring and identity theft protection service.
The affected customers commenced a class action for negligence, breach of contract, breach of fiduciary duty and good faith, the tort of intrusion upon seclusion (the “privacy tort”), and waiver of tort.  The action included a claim that the Bank was vicariously liable for Wilson’s violation of their privacy.  The Bank brought a motion challenging the certification of the class action, and alleged that an employer could not be held vicariously liable for the actions of a rogue employee who intentionally violated the privacy of customer information held by the employer.
Justice Robert J. Smith reviewed the elements of the privacy tort, laid out in the Court of Appeal decision in Jones v. Tsige, and also considered the rationale for imposing vicarious liability on an employer.  In order for the tort of intrusion upon seclusion to be made out, the plaintiff has to establish (i) that the defendant acted intentionally or recklessly, (ii) that the defendant invaded the plaintiff’s private affairs without lawful justification, and (iii) that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.  In order for conduct of an employee to attract liability on an employer, the Court must determine whether the employer’s enterprise created or enhanced the risk of harm to the plaintiff, and whether the wrongful act of the employee is “sufficiently related to conduct authorized by the employer to justify the imposition of vicarious liability” (quoted from Bazley v. Curry at para. 41).  In determining if there’s sufficient connection between the wrong committed by the employee and the nature of the enterprise, the courts will consider a number of factors, including:
(a)          the opportunity that the enterprise afforded the employee to abuse his or her power;
(b)          the extent to which the wrongful act may have furthered the employer's aims (and hence be more likely to have been committed by the employee);
(c)           the extent to which the wrongful act was related to friction, confrontation or intimacy inherent in the employer's enterprise;
(d)          the extent of power conferred on the employee in relation to the victim;
(e)          the vulnerability of potential victims to wrongful exercise of the employee's power.
(Bazley v. Curry)
Justice Smith found that the Bank afforded Wilson unsupervised access to the personal and financial data of its clients, and had not implemented any method for monitoring his access to that information.  While the actions of Wilson did not benefit the Bank, it should have been aware that Wilson had an intimate connection with confidential customer information, giving him complete power over victims who were vulnerable to his misuse of that power.  Moreover, the Bank acknowledged a complete lack of oversight of how its employees accessed the information of clients.
While Justice Smith found that there was no evidence suggesting that the Bank took any positive action intended to harm its customers, he also observed that vicarious liability is a form of strict liability, meaning that the employer need not engage in misconduct in order to be responsible for the employee’s wrongdoing.  On the current jurisprudence and the facts (which are accepted as true for purposes of such a motion), the Judge found that it was not plain and obvious that the claim for vicarious liability would fail.  The Judge also found that the claim of negligent supervision against the Bank could proceed, as such claims had succeeded in the past and the Bank had acknowledged not supervising or monitoring employees’ access and use of customer information.  Most of the other causes of action were also permitted to move forward, and the Judge concluded that there were no impediments to certifying the class action.
While it remains to be seen whether the plaintiffs will ultimately prevail on the issue of the Bank’s vicarious liability for Wilson’s violation of their private information or its negligent supervision of Wilson, the fact that these claims were allowed to proceed suggests that employers need to pay particular attention to the confidential information in their possession.  Employers need to consider who has access to such information, what level of monitoring is appropriate to ensure that the information is not misused or accessed for improper purposes, and even whether certain information should be collected and retained in the first place.  Failure to supervise an employee (including the lack of effective monitoring of customer information) may attract both direct and vicarious liability.
Do you have questions about employment policies and practices to ensure the protection of information in your organization’s possession?  Please feel free to contact Lance Ceaser for further guidance.

No comments:

Post a Comment