If an employer’s business collects and uses the personal
information of individuals, there is always the risk that an employee could
improperly access and misuse that information without the employer’s
knowledge. Whether or not the employer
can be held responsible is the question raised by the case of Evans v. The Bank of Nova Scotia.
Richard Wilson worked for the Bank of Nova Scotia (the “Bank”). Unbeknownst to the Bank, Wilson provided the
files of several hundred customers to an unknown third party, who then used the
information to commit identity theft and fraud.
When the Bank learned of the situation, Wilson was fired and all of the
affected customers were notified. Of the
643 customer files that Wilson accessed, 138 customers identified themselves as
victims of fraud or identity theft. The
Bank compensated the affected customers for any monetary losses, and provided all
of the customers whose information had been accessed with a subscription to a
credit monitoring and identity theft protection service.
The affected customers commenced a class action for negligence,
breach of contract, breach of fiduciary duty and good faith, the tort of
intrusion upon seclusion (the “privacy tort”), and waiver of tort. The action included a claim that the Bank was
vicariously liable for Wilson’s violation of their privacy. The Bank brought a motion challenging the
certification of the class action, and alleged that an employer could not be
held vicariously liable for the actions of a rogue employee who intentionally
violated the privacy of customer information held by the employer.
Justice Robert J. Smith reviewed the elements of the privacy
tort, laid out in the Court of Appeal decision in Jones v. Tsige, and also considered the rationale for imposing
vicarious liability on an employer. In
order for the tort of intrusion upon seclusion to be made out, the plaintiff
has to establish (i) that the defendant acted intentionally or recklessly, (ii)
that the defendant invaded the plaintiff’s private affairs without lawful
justification, and (iii) that a reasonable person would regard the invasion as
highly offensive causing distress, humiliation or anguish. In order for conduct of an employee to
attract liability on an employer, the Court must determine whether the employer’s
enterprise created or enhanced the risk of harm to the plaintiff, and whether
the wrongful act of the employee is “sufficiently related to conduct authorized
by the employer to justify the imposition of vicarious liability” (quoted from Bazley v. Curry at para. 41). In determining whether there is a sufficient
connection between the wrong committed by the employee and the nature of the
enterprise, the courts will consider a number of factors, including:
(a) the opportunity that the enterprise afforded the employee to abuse his or her power;
(b) the extent to which the wrongful act may have furthered the employer's aims (and hence be more likely to have been committed by the employee);
(c) the extent to which the wrongful act was related to friction, confrontation or intimacy inherent in the employer's enterprise;
(d) the extent of power conferred on the employee in relation to the victim;
(e) the vulnerability of potential victims to wrongful exercise of the employee's power.
(Bazley v. Curry)
Justice Smith found that the Bank afforded Wilson
unsupervised access to the personal and financial data of its clients, and had
not implemented any method for monitoring his access to that information. While the actions of Wilson did not benefit
the Bank, it should have been aware that Wilson had an intimate connection with
confidential customer information, giving him complete power over victims who
were vulnerable to his misuse of that power.
Moreover, the Bank acknowledged a complete lack of oversight of how its
employees accessed the information of clients.
While Justice Smith found that there was no evidence
suggesting that the Bank took any positive action intended to harm its
customers, he also observed that vicarious liability is a form of strict liability,
meaning that the employer need not engage in misconduct in order to be
responsible for the employee’s wrongdoing.
On the current jurisprudence and the facts (which are accepted as true
for purposes of such a motion), the Judge found that it was not plain and
obvious that the claim for vicarious liability would fail. The Judge also found that the claim of
negligent supervision against the Bank could proceed, as such claims had
succeeded in the past and the Bank had acknowledged not supervising or
monitoring employees’ access and use of customer information. Most of the other causes of action were also
permitted to move forward, and the Judge concluded that there were no
impediments to certifying the class action.
While it remains to be seen whether the plaintiffs will
ultimately prevail on the issue of the Bank’s vicarious liability for Wilson’s
violation of their private information or its negligent supervision of Wilson, the fact that these claims were allowed
to proceed suggests that employers need to pay particular attention to the
confidential information in their possession.
Employers need to consider who has access to such information, what
level of monitoring is appropriate to ensure that the information is not
misused or accessed for improper purposes, and even whether certain information
should be collected and retained in the first place. Failure to supervise an employee (including
the lack of effective monitoring of customer information) may attract both
direct and vicarious liability.
Do you have questions about employment policies and
practices to ensure the protection of information in your organization’s
possession? Please feel free to contact
Lance Ceaser for further guidance.