Employer Vicariously Liable for Employees’ Dangerous Data Breach

by & Lewis Waring, Licensed Paralegal, LL.B., Articled Clerk, Editor

In a recent British Columbia class action ruling, the Insurance Corporation of British Columbia (ICBC, the employer) was found vicariously liable for the actions of an employee who fraudulently accessed personal information maintained by ICBC. ICBC was held liable to the members of the class for damages arising from the privacy breach.

Background

The employer operated a universal compulsory vehicle insurance plan. As part of that work, the organization maintained databases that included personal information on everyone in the province who held a driver’s licence or was a registered owner of a motor vehicle. This information included names, addresses, vehicle descriptions, licence plate numbers and claims histories.

The employee worked for the employer as an insurance adjuster. The employee’s duties involved complex database searches related to reports of fraud, multiple party incidents, as well as policy and coverage issues.

A person with access to those databases can, for example, use a licence plate number to find the name and address of the vehicle’s owner.

Between April 2011 and January 2012, houses and vehicles belonging to 13 individuals were targeted in arson and shooting attacks. In August 2011, the police approached the employer as part of their investigation of the attacks.

The only thing these individuals had in common was that their vehicles had at some point been parked in a specific parking lot connected to an educational organization. Their licence plate numbers had been noted in that parking lot, and the employee had looked up the owner records behind those plates and sold the information to a third party. That information eventually reached individuals with malicious intent, who were able to locate the victims and carry out brutal attacks.

The assailant who launched the attacks had been suffering from a drug-induced paranoid belief that he was being targeted and controlled by the educational organization. To address this delusion, the assailant had acquired licence plate numbers in the parking lot and paid the employee to share information about the plates.

The employer determined that the victims were among 79 customers whose information the employee had accessed without a business purpose. Soon thereafter, the employer dismissed the employee and notified the affected customers that their information had been wrongfully accessed.

The persons responsible for the attacks and the employee were criminally charged for their actions.

In response to this data breach and mass theft of personal information, a class action was launched that sought damages from the employer on the basis that it was vicariously liable for the employee’s actions. The class action was certified on behalf of all individuals whose personal information was improperly accessed, as well as their family members and other residents at their residences whose personal information had also been accessed by the employee, including the individuals victimized in the attacks. The class action sought, among other things, punitive damages for the employee’s breach of British Columbia’s Privacy Act.

In May 2022, the parties appeared before the Court for a summary trial to settle the common issues.

Two of the main issues in this class action were whether ICBC was liable to customers whose personal information was improperly accessed and misused by its employee, and whether the employer was vicariously liable for the employee’s breach of the Privacy Act.

The specific privacy violations the employee committed included her wilful accessing of records of the employer’s customers without a business purpose. In other words, unless the employee had a work-related reason to access the customer’s records, she was prohibited from accessing them. Any attempt to access the customer’s records for some non-work-related purpose was a violation of the customer’s privacy rights under the Privacy Act.

The employee’s privacy violations also extended to other individuals whose personal information appeared in the records she accessed. Every such individual had an interest in the privacy of those records and suffered harm when that privacy was violated, whether or not they were the customer whose file was opened.

Court decision and analysis

On the issue of the employee’s liability, the Court held that it was clear that the employee’s actions had breached the British Columbia Privacy Act, as she had accessed personal information wilfully and without a claim of right from the employer’s databases.

Following its review of the principles for attributing vicarious liability to an employer, the Court concluded that the employer had “clearly created the risk of wrongdoing by an employee in [her] position and that her wrongdoing was directly connected to her employment.”

Vicarious liability makes an employer liable for the wrongful conduct of an employee even when there has been no wrongful conduct or breach of duty by the employer. In order for it to apply in an employment setting, there must be some connection between the employee’s wrongful conduct and their relationship to the employer.

In this case, the employer was found to be vicariously liable for the employee’s actions for a number of reasons.

  • First, the employer was responsible for creating a work environment in which one of its employees was in a position to access records. As the employer was the one who ultimately held the records and allowed individuals it hired to access them, it was responsible for mitigating possible risks of privacy violations.
  • Second, the employee’s wrongdoing was directly connected to her employment. That is, the employee had accessed the records during working hours while at work performing her work duties. If the employee had accessed the individual’s home address or any other personal information while at home and while using resources the employer had no control over, the employer would not be implicated. However, as the employee had gained access to this information by accessing the employer’s records while at work, the employer was responsible for her conduct.
  • Finally, the employer had actually foreseen the risk of its employee engaging in wrongdoing. The employer had told its employees of the need to protect the privacy of customers’ personal information and had warned them of adverse consequences if they accessed that information for reasons unrelated to the employer’s business. Although the employer had policies in place prohibiting improper use of its databases, the possibility of an employee ignoring them was clearly foreseeable. Not only that, but the employer lacked any system or method that would have prevented or detected that conduct at the time it happened.

The Court also held that the type of risk that had arisen in this case was foreseeable and could potentially have been addressed, writing:

[74] […] The risk of such conduct by an employee was not only foreseeable, it was actually foreseen. Employees were told of the need to protect the privacy of customers’ personal information and warned of adverse consequences if they accessed that information for reasons unrelated to ICBC’s business.

[75] ICBC had in place rules and policies forbidding improper use of its databases, but the possibility of an individual employee choosing to ignore them was clearly foreseeable and there is no evidence of any system or method that would have prevented or detected that conduct at the time it happened.
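The Court’s point in paragraph 75 is that rules on paper were not backed by any mechanism that would catch a lookup made for no business reason. As an added illustration (not part of the original article, and not a description of any system ICBC ran), the following Python sketch shows the kind of access-log review that would have surfaced this pattern: every record lookup is logged with the user, the search key and the claim or file reference it was made under, and two checks run over that log. The log format, user names, claim references and thresholds are all assumptions for the example, and the log lines are constructed.

```python
"""Access-log review for a database of personal records.

Added illustration, not ICBC's system (the Court found none existed).
Each lookup of a record is logged with the user, the search key and the
business reference (claim or file number) under which it was performed.
Two checks run over the log:
  1. a lookup with no business reference, or with a reference the user is
     not assigned to, is flagged as access without a business purpose;
  2. a run of plate-to-owner lookups by one user inside a short window is
     flagged as a bulk lookup that merits review.
Log format, user names, claim references and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (tab-separated):
# timestamp, user, search type, search key, case reference ("-" = none given)
SAMPLE_LOG = """\
2011-06-14T09:02:11\tadj01\tclaim\tC-4481\tC-4481
2011-06-14T09:40:52\tadj01\tplate\tABC123\tC-4481
2011-06-14T12:15:03\tadj01\tplate\tKLM456\t-
2011-06-14T12:15:41\tadj01\tplate\tKLM457\t-
2011-06-14T12:16:20\tadj01\tplate\tKLM458\t-
2011-06-14T12:17:05\tadj01\tplate\tKLM459\tC-9999
2011-06-14T14:00:00\tadj02\tplate\tXYZ789\tC-5102
"""

# Claim files each adjuster is assigned to (assumed to come from the case system).
ASSIGNMENTS = {"adj01": {"C-4481"}, "adj02": {"C-5102"}}


def parse_log(text):
    """Parse the constructed log into dicts; '-' means no case reference was given."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, key, ref = line.split("\t")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "kind": kind,
            "key": key,
            "ref": None if ref == "-" else ref,
        })
    return records


def find_unjustified_access(records, assignments):
    """Lookups with no case reference, or a reference the user is not assigned to."""
    flagged = []
    for r in records:
        allowed = assignments.get(r["user"], set())
        if r["ref"] is None:
            flagged.append((r["user"], r["key"], "no business reference"))
        elif r["ref"] not in allowed:
            flagged.append((r["user"], r["key"],
                            f"reference {r['ref']} not assigned to user"))
    return flagged


def find_bursts(records, kind="plate", window=timedelta(minutes=10), threshold=3):
    """Users who perform `threshold` or more lookups of `kind` inside `window`."""
    recent = defaultdict(deque)   # per-user sliding window of lookup timestamps
    bursts = set()
    for r in sorted(records, key=lambda x: x["ts"]):
        if r["kind"] != kind:
            continue
        q = recent[r["user"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:
            q.popleft()           # drop lookups older than the window
        if len(q) >= threshold:
            bursts.add(r["user"])
    return bursts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for item in find_unjustified_access(recs, ASSIGNMENTS):
        print("unjustified:", item)
    print("burst lookups by:", find_bursts(recs))
```

On the constructed log, the first check flags the three plate lookups made with no reference and the one made under a claim the adjuster is not assigned to, and the second check flags the same adjuster for three plate lookups inside ten minutes. Either check on its own would have produced an alert during the period the Court describes; the design choice worth noting is that the business reference is captured at lookup time, so "no business purpose" becomes a property of the log entry rather than a question answered only after the fact.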

Because the employer understood the risk of privacy violations, because the employee had accessed the information through the employer’s records during working hours, and because the employer had created those records and permitted the employee to access them, the employer was vicariously liable for the actions of the employee. In plain terms, this meant that the class was able to recover damages from the employer as well as from the employee.

After establishing that the employer was vicariously liable for the employee’s wrongdoing, the Court concluded that all of the Class Members were entitled to an award of non-pecuniary damages arising from the mere fact that their privacy was violated, without proof of loss.

The Court reviewed the standard of “reprehensible conduct” required of an employer to warrant an award of punitive damages and concluded that, while the employer could have done more to prevent the employee’s misconduct, there was nothing to suggest that its conduct was high-handed, malicious or arbitrary to justify such an award.

While this judgment settles the common issues in the class action, the parties must now decide upon the quantum of common issue damages and will then turn to litigate individual issues, such as the claims of any Class Members with pecuniary damages claims.

Takeaways

Vicarious liability is a crucial issue for employers to understand. When an organization employs a worker, it becomes in some measure responsible for the conduct of that employee while he or she is performing work on the employer’s behalf.

Vicarious liability can be an unpleasant surprise for employers who in some cases might not have fully understood the risks associated with having inadequate policies and practices. Employers should understand that vicarious liability reflects the fact that employers are responsible for managing the conduct of their employees. An employer may not be liable for an employee who engages in conduct outside of work, or for an employee who goes to great lengths to outmaneuver the employer’s safeguards. However, an employee’s wrongful conduct is always a serious risk for employers, one that needs to be handled with great care to avoid costly liability.

Understanding vicarious liability is all the more important for organizations that handle the personal information of their customers. While this case involves a behemoth organization that held formal records for a large sector of a province’s population, this ruling is relevant for most employers. Most employers, after all, take information from their customers and store it. Any time an employer is engaged in such practices, it has privacy obligations to those customers. As such, most employers have similar obligations to the employer in this case, obligations which are ultimately to respect the privacy rights of individuals that entrust an organization with their private information. By understanding these rights and enshrining them into a clear and thorough policy that is enforced consistently, employers can take simple proactive steps that avoid risks of liability connected to privacy rights.

Companies should continue to adopt measures to safeguard any personal information they collect, and educate employees on the importance of their obligations in safeguarding this information. Clear policies on permitted use of personal information, and the serious consequences of violating those policies, will assist an employer in demonstrating any rogue employee was truly off “on a frolic of his own.”
