It is not only hackers who pose a risk to an organization's information security; hostile insiders do as well. According to Verizon, an estimated 34 percent of data breaches involve internal actors. Hostile insiders may be motivated by personal reasons (e.g., peeking at personal information of their employer's customer base to gain insight into a particular individual's private information), or financial reasons (e.g., theft of personal data for financial profit). If the hostile insider's actions result in harm or losses to third parties, the organization may face vicarious liability, even in the absence of company wrongdoing.
Recent UK Authority: Morrison Supermarkets
The doctrine of vicarious liability applies differently based on context, and remains relatively untested in Canada in the specific context of data breaches. A recent United Kingdom case involving a claim for vicarious liability in respect of an employee data breach provides useful background for understanding how Canadian courts may approach a comparable matter. In WM Morrison Supermarkets plc v Various Claimants, [2020] UKSC 12 [Morrison Supermarkets], employees of Morrison (the defendant company) brought an action alleging, among other things, vicarious liability for various breaches based on the publication of their personal information by another employee, Andrew Skelton. Morrison had provided Skelton with the plaintiffs' confidential information in his position as an internal auditor, for the purpose of transmitting the data to outside auditors. He published the information with the intention of harming Morrison.
In dismissing the claim for vicarious liability, the UK Supreme Court noted that, in the UK, a party is generally vicariously liable only if the employee's conduct is closely connected with the acts the employee was authorized to perform, such that the activity occurred within the course of business. Though this test may be relaxed in some contexts (in particular, cases involving sexual abuse), the Court held that the provision of data from Morrison to Skelton in the context of his employment responsibilities was insufficient to establish a close connection with Skelton's wrongful publication of the data, particularly because Skelton's motivation was in direct conflict with Morrison's interests.
The Canadian Landscape
Canada's approach to vicarious liability is distinct from that taken in Morrison Supermarkets. In Canada, the applicability of vicarious liability in a novel context is determined by weighing policy considerations, specifically fairness and deterrence. Although the application of vicarious liability in a data breach context remains largely unexplored, Canadian courts have certified class actions alleging, among other things, vicarious liability for an employee's breach of customer personal information under the tort of intrusion upon seclusion (see 2014 ONSC 213, 2020 ONSC 83, 2017 ONSC 3466, 2019 ONSC 6180).
Whereas the UK Supreme Court in Morrison Supermarkets relied heavily on the conflict between Skelton's activities and Morrison's interests, the Supreme Court of Canada has indicated that vicarious liability may apply in the context of intentional conduct even where that conduct does not further the employer's aims. Instead, Canadian courts focus on the significance of the opportunity the employer provided to the wrongdoer in enhancing the likelihood of the commission of the tort. For example, a company may be vicariously liable for its employee's fraud against a third party where the employer grants the employee unchecked authority that heightens the risk of fraud.
It is therefore conceivable that a Canadian court could find against an employer based on facts analogous to those in Morrison Supermarkets. Under the Canadian approach to vicarious liability, an employer may be liable for its employee's intentional wrongdoing (such as theft of data) if the risk of the breach was heightened because, for example, the employee was authorized to access the data without sufficient supervision or, despite not being authorized to access the data, the employee had sufficient opportunity to access the data because of the employer’s failure to put in place appropriate security controls.
Managing the Risk of Potential Vicarious Liability in Canada
Organizations should take steps to manage the risk of vicarious liability for employee misconduct involving unauthorized access to personal information in the custody of the organization. More specifically, organizations should minimize the opportunity for wrongdoing by employees, as well as the circumstances that could give rise to a finding of vicarious liability. Potential measures that an organization could take include the following:
- Limit employee access to personal and other highly confidential information on a need-to-know basis;
- Implement policies that outline the specific bases on which personal and other highly confidential information may be accessed, used, transferred or disclosed by employees;
- Implement a protocol for supervision of employees with access to sensitive personal and other highly confidential information;
- Implement technological safeguards that prevent employees from downloading customer information, other than to the extent necessary, and create alerts for supervisors when sensitive personal and other highly confidential information is accessed;
- Ensure availability of logs recording access to personal and other highly confidential information and implement protocols for reviewing these logs for compliance with expected access and use; and
- For highly sensitive information, consider implementing a protocol requiring two employees to sign off before access is granted.
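The log-review, alerting and two-person sign-off measures above can be expressed as a simple access-log check. The following is an added illustration, not code from the original article; the data classes, roles, thresholds and the sample log entries are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Assumed control configuration: which roles have a need to know each data class,
# which classes require two approvers, and how many records count as a bulk download.
NEED_TO_KNOW = {
    "customer_pii": {"customer_service", "fraud_ops"},
    "payroll": {"hr"},
}
DUAL_SIGNOFF = {"payroll"}   # highly sensitive: two employees must sign off
BULK_THRESHOLD = 50          # records in one event before it is treated as a download

@dataclass
class AccessEvent:
    """One entry from a (hypothetical) access log for confidential information."""
    user: str
    role: str
    data_class: str
    records: int
    case_id: str = ""               # documented business basis for the access
    approvers: Tuple[str, ...] = ()  # employees who signed off on this access

def review(event: AccessEvent) -> List[str]:
    """Return the control violations for one event; an empty list means compliant."""
    findings = []
    if event.role not in NEED_TO_KNOW.get(event.data_class, set()):
        findings.append("role_not_need_to_know")
    if not event.case_id:
        findings.append("no_documented_basis")
    if event.records > BULK_THRESHOLD:
        findings.append("bulk_download")
    # The requester cannot count as one of their own two approvers.
    if event.data_class in DUAL_SIGNOFF and len(set(event.approvers) - {event.user}) < 2:
        findings.append("dual_signoff_missing")
    return findings

def review_log(events: List[AccessEvent]) -> List[Tuple[str, str, List[str]]]:
    """Alerts for a supervisor: (user, data class, findings) for every non-compliant event."""
    alerts = []
    for e in events:
        findings = review(e)
        if findings:
            alerts.append((e.user, e.data_class, findings))
    return alerts

# Constructed sample log: one compliant lookup, one curiosity lookup by an unauthorized
# role, one bulk export, and one payroll access with only a self-approval.
SAMPLE_LOG = [
    AccessEvent("alice", "customer_service", "customer_pii", 3, case_id="CS-1042"),
    AccessEvent("bob", "marketing", "customer_pii", 1),
    AccessEvent("carol", "fraud_ops", "customer_pii", 800, case_id="FR-77"),
    AccessEvent("dave", "hr", "payroll", 2, case_id="HR-9", approvers=("dave", "erin")),
]
```

Running `review_log(SAMPLE_LOG)` yields three alerts, the kind of output a supervisor review protocol would act on.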
To manage potential exposure from vicarious liability involving a compromise of personal information, organizations should identify risks that are particular to their organization and tailor the risk management plan accordingly.