Daniel Mayer September 24 2014 Employer liability for privacy breaches by employees Fasken | Employment & Immigration - Canada Daniel Mayer Employment & Immigration FactsInvasion of privacyFailure to supervise employeesCommentA class action was recently allowed to proceed in Ontario against a major bank after one of its employees admitted to accessing and disclosing to third parties confidential information of the bank's customers. While this case is not a final decision as to whether the bank was actually liable for its employee's breaches of privacy, it serves as a reminder for employers that the law regarding breach of privacy is evolving quickly and employer policies, practices and safeguards must keep pace with it.FactsMr Wilson was a mortgage administration officer for the bank. In this role he had access to highly confidential customer information. Over the course of almost one year, Wilson accessed the files of 643 customers. More than 100 of them subsequently informed the bank that they had been the victims of identity theft or fraud. Wilson admitted that he had accessed and disclosed customers' information to a third party. The bank compensated the customers for the resulting financial losses and offered each of them a complimentary subscription to a credit monitoring and identify-theft protection service.Despite the bank's efforts, two customers started a class action against it. This action could potentially allow all of the other customers whose accounts were improperly accessed by Wilson to recover damages. Two of the alleged grounds of wrongdoing are particularly noteworthy – invasion of privacy and negligence in failing to supervise Wilson.Invasion of privacyThe legal claim of invasion of privacy (also known as 'intrusion upon seclusion') was only recently recognised in Ontario in Jones v Tsige. In that case, an employee of another major bank improperly accessed the account information of a customer. The customer later sued the employee and was awarded C$10,000 in symbolic damages. These damages were not meant to compensate the customer for actual financial losses; rather, they represented a token award to mark or recognise the invasion of privacy. The Jones v Tsige court said that the range of symbolic damages for invasion of privacy would be up to C$20,000.In the case at hand, with the class action now being allowed to proceed against the bank, the scope of the invasion of privacy claim is being expanded in two ways.First, barring a successful appeal, there no longer seems to be any doubt that such a claim may form the basis of a class action.Second, the court's ruling indicates that employers could be held responsible for invasion of privacy committed by their employees. Liability could arise even where an employer is unaware of the invasion. The court's rationale here was that the bank created the opportunity for Wilson to abuse his power. Although a full trial has not yet occurred, it appeared to the court (based on the limited evidence before it) that Wilson had unsupervised access to confidential information. If it could be proven that the bank had not installed a sufficient system to monitor access to files, a significant connection between the risk created by the bank and Wilson's conduct may be established.Failure to supervise employeesThe two customers also alleged that the bank was negligent in failing to adequately supervise Wilson. The judge agreed that the bank could have been negligent because it had the ability to monitor Wilson's activities, but admitted to doing nothing to actively supervise employees' access to confidential information.CommentEmployers should periodically revisit their privacy policies to ensure that they keep pace with the emerging and evolving law regarding invasion of privacy. These policies should include mechanisms to monitor access to highly confidential information and to quickly flag potential employee abuse. Employers should also take active measures to ensure that these policies are implemented and followed. Having good privacy policies will assist employers in defending claims that employees were not properly supervised or that confidential information was not adequately protected.For further information on this topic please contact Daniel Mayer at Fasken Martineau DuMoulin LLP by telephone (+1 416 366 8381), fax (+1 416 364 7813) or email ([email protected]). The Fasken Martineau DuMoulin LLP website can be accessed at www.fasken.com.This article was reprinted with permission from Northern Exposure, a blog written by lawyers in the labour, employment and human rights group at Fasken Martineau and produced in conjunction with HRHero.com.