Data Breach And Vicarious Liability For Employee Misconduct – Privacy

It is not only hackers who pose a risk to an organization’s
information security; hostile insiders do as well. According to Verizon, an estimated 34 percent
of data breaches involve internal actors. Hostile insiders may be
motivated by personal reasons (e.g., peeking at personal
information of their employer’s customer base to gain insight
into a particular individual’s private information), or
financial reasons (e.g., theft of personal data for financial
profit). If the hostile insider’s actions result in harm or
losses to third parties, the organization may face vicarious
liability, even in the absence of company wrongdoing.

Recent UK Authority: Morrison Supermarkets

The doctrine of vicarious liability applies differently based on
context, and remains relatively untested in Canada in the specific
context of data breaches. A recent United Kingdom case involving a
claim for vicarious liability in respect of an employee data breach
serves as a useful background to understand how Canadian courts may
approach a comparable matter. In WM Morrison Supermarkets plc v
Various Claimants, [2020] UKSC 12 [Morrison], employees of Morrison (the defendant company)
brought an action alleging, among other things, vicarious liability
for various breaches based on publication of personal information
by another employee, Andrew Skelton. Morrison provided Skelton with
the plaintiffs’ confidential information in the context of his
position as an internal auditor for the purposes of transmitting
the data to outside auditors. He published the information with the intention of
harming Morrison.

In dismissing the claim for vicarious liability, the UK Supreme
Court noted that, in the UK, a party is generally vicariously
liable only if the employee’s conduct is closely connected with
the acts the employee was authorized to perform, such that the
activity occurred within the course of business. Though this test
may be relaxed in some contexts (in particular, cases involving
sexual abuse), the Court held that the provision of data from
Morrison to Skelton in the context of his employment
responsibilities was insufficient to establish a
close connection with Skelton’s wrongful publication of the
data, particularly because Skelton’s motivation was in direct
conflict with Morrison’s interests.

The Canadian Landscape

Canada’s approach to vicarious liability is distinct from
that taken in Morrison Supermarkets. In Canada, the
applicability of vicarious liability in a novel context is determined by weighing policy considerations,
specifically fairness and deterrence. Although the application of
vicarious liability in a data breach context remains largely
unexplored, Canadian courts have certified class
actions alleging, among other things, vicarious liability for
an employee’s breach of customer personal information (under
the tort of intrusion upon seclusion) (see 2014 ONSC 213, 2020 ONSC 83, 2017 ONSC 3466, 2019 ONSC 6180).

Whereas the UK Supreme Court in Morrison Supermarkets
relied heavily on the conflict between Skelton’s activities and
Morrison’s interests, the Supreme Court of Canada has indicated that
vicarious liability may apply in the context of intentional conduct
even where that conduct does not further the employer’s aims.
Instead, Canadian courts focus on the significance of
the opportunity the employer provided to the wrongdoer in enhancing
the likelihood of the commission of the tort. For example, a company may be vicariously liable for
its employee’s fraud against a third party where the employer
grants the employee unchecked authority that heightens the risk of

It is therefore conceivable that a Canadian court could find
against an employer based on facts analogous to those in
Morrison Supermarkets. Under the Canadian approach to
vicarious liability, an employer may be liable for its
employee’s intentional wrongdoing (such as theft of data) if
the risk of the breach was heightened because, for example, the
employee was authorized to access the data without sufficient
supervision or, despite not being authorized to access the data,
the employee had sufficient opportunity to access the data because
of the employer’s failure to put in place appropriate security

Managing the Risk of Potential Vicarious Liability in

Organizations should take steps to manage the risk of vicarious
liability for employee misconduct involving unauthorized access to
personal information in the custody of the organization. More
specifically, organizations should minimize the opportunity for
wrongdoing by employees, as well as the circumstances that could
give rise to a finding of vicarious liability. Potential measures
that an organization could take include the following:

  • Limit employee access to personal and other highly confidential
    information on a need-to-know basis;
  • Implement policies that outline the specific bases on which
    personal and other highly confidential information may be accessed,
    used, transferred or disclosed by employees;
  • Implement a protocol for supervision of employees with access
    to sensitive personal and other highly confidential information;
  • Implement technological safeguards that prevent employees from
    downloading customer information, other than to the extent
    necessary, and create alerts for supervisors when sensitive
    personal and other highly confidential information is
  • Ensure availability of logs recording access to personal and
    other highly confidential information and implement protocols for
    reviewing these logs for compliance with expected access and use;
  • For highly sensitive information, consider implementing a
    protocol requiring two employees to sign off to obtain access.
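As an added illustration of the logging, alerting and two-person sign-off measures in the list above (example code, not from the original article), the following script reviews a handful of constructed access-log lines. The log format, the entitlement table, the export threshold and the "EXPORT" action name are assumptions made for the example.

```python
"""Review access logs for the insider-risk conditions the article lists:
access outside need-to-know, bulk downloads, and sensitive exports that
lack two-person sign-off. Added example; all data below is constructed."""

# Constructed sample log: timestamp user dataset action record_count approvers
ACCESS_LOG = """\
2020-04-01T09:12:00 jdoe payroll VIEW 1 -
2020-04-01T09:15:00 jdoe payroll EXPORT 12000 -
2020-04-01T10:02:00 asmith customers VIEW 3 -
2020-04-01T10:40:00 asmith payroll VIEW 1 -
2020-04-01T11:05:00 mlee payroll EXPORT 500 mlee,rkhan
"""

# Need-to-know entitlements: which employee may touch which dataset (assumed)
ENTITLEMENTS = {"jdoe": {"payroll"}, "mlee": {"payroll"}, "asmith": {"customers"}}
SENSITIVE = {"payroll"}          # datasets whose export needs two sign-offs
EXPORT_ALERT_THRESHOLD = 1000    # records in one export before alerting a supervisor


def parse(log_text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in log_text.splitlines():
        ts, user, dataset, action, count, approvers = line.split()
        approver_set = set() if approvers == "-" else set(approvers.split(","))
        events.append({"ts": ts, "user": user, "dataset": dataset,
                       "action": action, "count": int(count),
                       "approvers": approver_set})
    return events


def review(events):
    """Return (finding, user, dataset, timestamp) tuples for a supervisor to review."""
    findings = []
    for e in events:
        # Need-to-know: any touch of a dataset the user is not entitled to
        if e["dataset"] not in ENTITLEMENTS.get(e["user"], set()):
            findings.append(("NO_NEED_TO_KNOW", e["user"], e["dataset"], e["ts"]))
        if e["action"] == "EXPORT":
            # Downloads beyond what a single task plausibly needs
            if e["count"] > EXPORT_ALERT_THRESHOLD:
                findings.append(("BULK_EXPORT", e["user"], e["dataset"], e["ts"]))
            # Two-person rule: two distinct employees must have signed off
            if e["dataset"] in SENSITIVE and len(e["approvers"]) < 2:
                findings.append(("MISSING_DUAL_SIGNOFF", e["user"], e["dataset"], e["ts"]))
    return findings


def run_review():
    return review(parse(ACCESS_LOG))


if __name__ == "__main__":
    for finding in run_review():
        print(*finding)
```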

To manage potential exposure from vicarious liability involving
a compromise of personal information, organizations should identify
risks that are particular to their organization and tailor the risk
management plan accordingly.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
