An employer who is innocent of negligence or other misconduct can be vicariously liable for the tort of intrusion upon seclusion based on a data breach committed by one of its employees.
Grossman v.
Facts + Issues
In
The Court noted that "[a]t all material times, the unknown employee was an employee authorized to conduct business on behalf of the Defendants" and that "[t]his authority included accessing the information at issue for some purposes." (para 50).
The B.C. Privacy Commissioner investigated and was "satisfied that [Nissan] has made every reasonable effort to mitigate any potential harm to the affected individuals that may result from the breach and that appropriate steps have been taken to prevent future breaches".
Two years later there was no evidence that any of the stolen data had been disclosed publicly or misused. There was no evidence of any fraud or identity theft perpetrated against Nissan's customers. Since the customers' out-of-pocket expenses arising from the data breach were acknowledged to be "minimal to non-existent", they sought certification of a class action against Nissan alleging vicarious liability for the employee's commission of the tort of intrusion upon seclusion. The Plaintiffs relied on Jones v. Tsige, 2012 ONCA 32, which had recognized that tort and held that nominal damages were available even in the absence of evidence of actual harm suffered.
Nissan opposed certification arguing, inter alia, that the minimal damages claim did not merit certification of a class action.
HELD: For the Plaintiffs; class action certified.
- The Court held that the Plaintiffs' claim to a cause of action in vicarious liability for the tort of intrusion upon seclusion committed by one of its employees was not doomed to fail, following Evans v. Bank of Nova Scotia, 2014 ONSC 2135; lv. to app. ref'd 2014 ONSC 7249. In that case the Court had certified an action against a bank in vicarious liability where one of its employees had disclosed personal information of bank customers to his girlfriend who, in turn, disclosed it to third parties for fraudulent purposes (see paras 20 - 21).
- The Court found that the Plaintiffs shared common issues, including vicarious liability for intrusion upon seclusion (para 60).
- The Court held that although each individual's damages would be modest, a base amount "could be reasonably determined without proof by individual class members" (para 57).
- The Court held that a class action was preferable to requiring the Plaintiffs to bring their own individual claims, even though they could be brought in Small Claims Court:
64 Here, however, I have also certified the vicarious liability/intrusion issue and the related aggregate (base amount) damages issue. These are more contentious questions and their answers would not only advance but probably end the litigation. A class proceeding would allow both the vicarious liability and the aggregate damages issues to be decided once and for all on a class-wide basis.
[footnotes omitted]
COMMENTARY:
This decision recognizes the existence of the tort of intrusion upon seclusion and that an employer can be vicariously liable for such a tort when it is committed by one of its employees. Vicarious liability, by definition, is imposed where the employer itself is innocent of any negligence or wrongdoing. Accordingly, a blameless employer can be liable for a data breach committed by one of its employees. However, with respect, this decision is somewhat shaky as a precedent in light of recent authority from the
There has been recent
In my view, the
In Evans v.
22 In this case, the Bank created the opportunity for Wilson to abuse his power by allowing him to have unsupervised access to customers' private information without installing any monitoring system. The release of customers' confidential information by Wilson to third parties did not further the employer's aim of generating profits on good loans. Also, Wilson's wrongful acts were not related to friction, or confrontation inherent in the Bank's enterprise, but they were related to his necessary intimacy with the customers' personal and financial information. Wilson was given complete power in relation to the victims' (customers) confidential information, because of his unsupervised access to their confidential information. Bank customers are entirely vulnerable to an employee releasing their confidential information. Finally, there is a significant connection between the risk created by the employer in this situation and the wrongful conduct of the employee.
The Court in Evans did not refer to any of the
In Daniels v. McLellan, 2017 ONSC 3466, a class action was certified by consent against a hospital in vicarious liability for the improper access to a number of patients' records. A patient (Daniels) who was also a hospital employee was visited by a number of other employees who ought not to have known that Daniels had been admitted. When Daniels complained, the hospital investigated and discovered that 14 people on hospital staff had accessed Daniels' records and that another employee (McLellan) had improperly accessed the health records of 5,803 other patients (for which McLellan was dismissed). There was no analysis of whether or not the improper data access was sufficiently connected to McLellan's employment duties, as this was not in issue. The hospital admitted that the Plaintiffs had a cause of action against the hospital and, indeed, consented to the certification.
In our view, Evans and Daniels are not clearly inconsistent with principles set out in the
However, with respect, the Grossman decision is quite arguably inconsistent with the
Accordingly, the law in
Originally published June, 2020.