The Ontario Court of Appeal recently released a trilogy of decisions (Winder v. Marriott International, Inc., 2022 ONCA 815; Obodo v. Trans Union of Canada, Inc., 2022 ONCA 814; Owsianik v. Equifax Canada Co., 2022 ONCA 813) ruling that organizations which collect and store personal information (database defendants) are not liable for invasions of privacy perpetrated by third-party hackers. While those decisions limit the ability of plaintiffs to pursue an invasion of privacy claim in Ontario against database defendants for data breaches committed by unauthorized outsiders, organizations still should be mindful of potentially extensive liability for data breaches committed by their own employees under the doctrine of vicarious liability.
A recent class action in British Columbia involving a data breach highlights the potential exposure of employers for data breaches committed by their own employees. In Ari v. Insurance Corporation of British Columbia (Ari) 2022 BCSC 1475, the Court held the organization vicariously liable for its employee's invasion of privacy under British Columbia's Privacy Act, RSBC 1996, c 373 (Privacy Act) even in the absence of any wrongdoing by the organization in connection with the breach.
Under the Privacy Act, an individual has a cause of action against another who willfully and without a claim of right violates the privacy of that individual. The decision in Ari has potential implication for liability under the privacy acts in the provinces of Manitoba, Saskatchewan and Newfoundland and Labrador which set out similar causes of action. Likewise, it has potential implication for the application of the intrusion upon seclusion tort recognized in Ontario, which is principally the same as the statutory invasion of privacy tort. Intrusion upon seclusion can be advanced when a party intentionally invades the private affairs of the claimant and a reasonable person would view such invasion as highly offensive, causing distress, humiliation or anguish.
Supreme Court of British Columbia Decision
Insurance Corporation of British Columbia (ICBC) is a provincial Crown corporation that stores on its database the personal information of everyone in the province who holds a driver’s license or is a registered motor vehicle owner. In 2011, a claims adjuster employed by ICBC improperly accessed, obtained, and sold private customer information to criminal third parties, who used the information to carry out arson and shooting attacks on the customers' houses and personal property. A class action was brought against ICBC for all customers whose personal information was improperly accessed by the claims adjuster.
Breach of the Privacy Act
Section 1 of the Privacy Act creates a statutory tort if a person willfully and without a claim of right violates the privacy of another. In Ari, the Court considered whether the customers had a privacy interest in the simple contact information obtained from ICBC's database, such as names and addresses. In holding that customers had a privacy interest in the information, the Court looked to ICBC's internal policies which treated the information as highly private and sought to protect it from improper use. Additionally, the Court held that a reasonable person would expect ICBC to use such information only for relevant business purposes.
The Court held that the employee's access and distribution of the information for improper purposes constituted a privacy breach. The statutory tort requires the conduct to be willful and without a claim of right. When the claims adjuster began her employment, and throughout her time at ICBC, she signed a code of ethics that prohibited improper access and disclosure of personal information. The Court found that the employee knew her actions violated customer privacy.
The Doctrine of Vicarious Liability
Vicarious liability makes an employer liable for the tortious conduct of an employee. Vicarious liability is strict—an employer may be liable even when it has been diligent and breached no duty. As set out by the Supreme Court of Canada in Bazley v. Curry 1999 2 S.C.R. 534, the central question for vicarious liability is whether an employee’s conduct falls within an area of risk created by the employer. Any question of foreseeability on the part of the employer is not directed at whether the specific act was foreseeable, but whether there was “foreseeability of the broad risks incident to a whole enterprise.” Thus, an employer may be vicariously liable where there is a connection between the creation or enhancement of a risk and the wrong complained of, even if the conduct was unrelated to the employer's aims.
In applying the above principles in Ari, the Court found that ICBC's enterprise created the risk of improper employee access to data. ICBC adjusters frequently verified driver license information and conducted database searches related to reports of fraud, multiple-party incidents and policy and coverage issues. From this, the Court found that the breach was directly connected to the employee's employment, finding that employee access to personal data was an essential part of the job. Because vicarious liability is strict, the Court concluded that any diligence by ICBC in terms of its policies or procedures did not impact the determination that it was vicariously liable, and that such polices or procedures may be relevant to the determination of punitive damages.
Liability for the Criminal Attacks
ICBC argued that it was not liable for the property damage suffered as a result of the arson and shooting attacks because the attacks were unforeseeable intervening acts. The Court rejected this argument, noting that breach of privacy is an intentional tort, so the defendant is liable for all harm caused by its actions, whether foreseeable or not. The Court also found the use of the information for an illegal purpose was a foreseeable consequence of disseminating the information. Therefore, ICBC was found liable not only for simple damages from the data breach, but also for the property damage resulting from the attacks.
Managing the Risk of Vicarious Liability
Ari provides a cautionary reminder of the risk of extensive liability based on employee misconduct, particularly in circumstances where an organization collects substantial amounts of data including sensitive information. While ICBC had in place rules and policies forbidding improper use of its databases (which may be relevant to a negligence claim), it was still held to be vicariously liable (i.e., even if ICBC had all appropriate rules and policies in place, it was nonetheless liable for its employee's torts). There is, therefore, no simple way for an organization to avoid vicarious liability once an employee abuses its authority.
To minimize the possibility of being found vicariously liable for employee misconduct, organizations are advised to proactively develop systems and methods to limit or remove foreseeable risks for employees to abuse their authority before such abuses happen. More specifically, organizations may take the following measures:
- Strictly limit employee access to personal and other highly confidential information on a need-to-know basis.
- Implement policies that outline the specific bases on which personal and other highly confidential information may be accessed, used, transferred or disclosed by employees.
- Implement a protocol for supervision of employees with access to sensitive personal and other highly confidential information.
- Implement technological safeguards that prevent employees from downloading customer information, other than to the extent necessary, and create alerts for supervisors when sensitive personal and other highly confidential information is accessed.
- Ensure availability of logs recording access to personal and other highly confidential information and implement protocols for reviewing these logs for compliance with expected access and use.
- For highly sensitive information, consider implementing a protocol requiring two employees to sign-off to obtain access.
- Ensure data retention protocols provide for destruction of information once the information is no longer required.