It is not only hackers who pose a risk to an organization’s information security; hostile insiders do as well. According to Verizon, an estimated 34 percent of data breaches involve internal actors. Hostile insiders may be motivated by personal reasons (e.g., peeking at personal information of their employer’s customer base to gain insight into a particular individual’s private information), or financial reasons (e.g., theft of personal data for financial profit). If the hostile insider’s actions result in harm or losses to third parties, the organization may face vicarious liability, even in the absence of company wrongdoing.
Recent UK Authority: Morrison Supermarkets
The doctrine of vicarious liability applies differently based on context, and remains relatively untested in Canada in the specific context of data breaches. A recent United Kingdom case involving a claim for vicarious liability in respect of an employee data breach serves as useful background for understanding how Canadian courts may approach a comparable matter. In WM Morrison Supermarkets plc v Various Claimants, [2020] UKSC 12 [Morrison Supermarkets], employees of Morrison (the defendant company) brought an action alleging, among other things, vicarious liability for various breaches based on the publication of personal information by another employee, Andrew Skelton. Morrison provided Skelton with the plaintiffs’ confidential information in the context of his position as an internal auditor, for the purpose of transmitting the data to outside auditors. He published the information with the intention of harming Morrison.
In dismissing the claim for vicarious liability, the UK Supreme Court noted that, in the UK, a party is generally vicariously liable only if the employee’s conduct is closely connected with the acts the employee was authorized to perform, such that the activity occurred within the course of business. Though this test may be relaxed in some contexts (in particular, cases involving sexual abuse), the Court held that the provision of data from Morrison to Skelton in the context of his employment responsibilities was insufficient to establish a close connection with Skelton’s wrongful publication of the data, particularly because Skelton’s motivation was in direct conflict with Morrison’s interests.
The Canadian Landscape
Canada’s approach to vicarious liability is distinct from that taken in Morrison Supermarkets. In Canada, the applicability of vicarious liability in a novel context is determined by weighing policy considerations, specifically fairness and deterrence. Although the application of vicarious liability in a data breach context remains largely unexplored, Canadian courts have certified class actions alleging, among other things, vicarious liability for an employee’s breach of customer personal information (under the tort of intrusion upon seclusion) (see 2014 ONSC 213, 2020 ONSC 83, 2017 ONSC 3466, 2019 ONSC 6180).
Whereas the UK Supreme Court in Morrison Supermarkets relied heavily on the conflict between Skelton’s activities and Morrison’s interests, the Supreme Court of Canada has indicated that vicarious liability may apply in the context of intentional conduct even where that conduct does not further the employer’s aims. Instead, Canadian courts focus on the significance of the opportunity the employer provided to the wrongdoer in enhancing the likelihood of the commission of the tort. For example, a company may be vicariously liable for its employee’s fraud against a third party where the employer grants the employee unchecked authority that heightens the risk of fraud.
It is therefore conceivable that a Canadian court could find against an employer based on facts analogous to those in Morrison Supermarkets. Under the Canadian approach to vicarious liability, an employer may be liable for its employee’s intentional wrongdoing (such as theft of data) if the risk of the breach was heightened because, for example, the employee was authorized to access the data without sufficient supervision or, despite not being authorized to access the data, the employee had sufficient opportunity to access the data because of the employer’s failure to put in place appropriate security controls.
Managing the Risk of Potential Vicarious Liability in Canada…