Should an employer be held vicariously liable if an employee breaches the privacy of a company’s customers?  According to the Ontario Superior Court of Justice, vicarious liability for the nascent tort of “intrusion upon seclusion” could be the basis of a nation-wide class action for non-pecuniary damages.1 Employers could also face additional liability through waiver of tort or vicariously for failing to adequately supervise employees and protect their customers’ personal and financial information.

This case underscores the need for employers to monitor employee compliance with privacy principles or risk facing the consequences of a class action for more than just the pecuniary loss suffered.

The facts

The plaintiffs represent customers of a bank whose electronic files were inappropriately accessed by a bank employee. As a mortgage administration officer, the employee had access to customer profiles and gave this information to his girlfriend, who then provided it to third parties for fraudulent purposes.  

Causes of action and vicarious liability

While some of the plaintiffs’ causes of action were destined to fail, causes of action against the bank for negligence and breach of contract were allowed to proceed.  The court also found the employee may have acted in bad faith, and that the bank might be held vicariously liable for his breach of good faith.

Most notably, the bank might also be liable for the employee’s commission of the burgeoning intentional tort of intrusion upon seclusion even though some class members reside in provinces that have not yet recognized this tort.  Even though damages for the tort of intrusion upon seclusion fall into the category of symbolic or moral damages, the court found that the law is unsettled on whether vicarious liability may be imposed in such circumstances. The court allowed the vicarious liability claim to proceed against the bank for the employee’s invasion of customers’ privacy.

Although many factors for imposing vicarious liability were not present in this case, the court found that because the bank created the opportunity for the employee to abuse his position (through inadequate monitoring and supervision) there was a sufficient connection between the bank’s lack of supervision and the employee’s wrongful conduct for the doctrine to apply.  

It found that in this “unique situation” there was a potential claim for compensatory damages or damages for emotional suffering and inconvenience, in addition to the real financial damages that some class members sustained.

Waiver of tort

As an alternative to the causes of action described above, the plaintiffs sought to waive the torts and recover a disgorgement of any profits obtained by the bank as a result of its contracts with the class members. While the employee’s conduct was wrongful, there was no causal connection between his wrongful conduct and the bank’s profits; there was, however, a potential connection between the bank’s negligent supervision of the employee and profits made from reducing the costs necessary to protect its customers’ private information. Based on this analysis the waiver of tort claim was allowed to stand as a cause of action.

Class definition

The court accepted that this class could be broken down into two subgroups: the 138 identity theft victims who have reported fraud to the bank and the 505 other individuals whose profiles were accessed by the employee but who to date have not reported any fraudulent transactions. The court found the class was not overbroad even though some individuals may not ultimately be able to prove their accounts were accessed improperly.

A class proceeding is the preferable procedure

Notably, the court stated that the issues of both the bank’s vicarious liability and damages for the employee’s intrusion upon seclusion could be decided as common issues because the damages flowing from this tort are not based on actual injuries or losses suffered. Since the damages for the tort of intrusion upon seclusion are modest, the proposed class members would otherwise be unable to seek a judicial remedy due to cost considerations; a class proceeding would therefore enhance access to justice and promote deterrence.

Conclusions: monitor your employees and keep personal information safe!

This case is unique in its discussion of the potential for vicarious liability on the part of employers for breaches of privacy committed by their employees. Permitting the issue of vicarious liability for the tort of intrusion upon seclusion to proceed to a trial of the common issues could have important implications for future privacy class actions. Even solely symbolic or moral damages, modest for each individual, could add up to a substantial amount when a privacy breach is large in scale. Employers who could face a data breach should examine their internal monitoring processes now and ensure they are vigilantly protecting their customers’ data.