No Vicarious Liability of Employers for Data Breach – A Good News Story from the UK

A continuing anxiety for Canadian businesses is their liability for the deliberate wrongdoing of an employee who, for reasons of his or her own, steals personal information and releases it publicly. Employers with even the most robust of cybersecurity and privacy protections can still fall victim to a rogue employee.

There is currently no final decision in Canada on whether a corporation can be vicariously liable for the actions of a rogue employee who breaches the privacy of the company’s employees or customers. To date, that issue has been addressed only at the certification stage of class proceedings on a preliminary basis.

It will therefore come as a welcome development for employers that this issue has now been addressed by the United Kingdom Supreme Court (“UKSC”) at a final hearing on the merits in WM Morrison Supermarkets plc v Various Claimants, [2020] UKSC 12 (released April 1, 2020). In its decision, the UKSC held that the defendant was not vicariously liable for the actions of the former (rogue) employee in that case. Although the test for vicarious liability is slightly different in the UK than in Canada, there is no doubt that Canadian employers will seek to rely on this case in various data breach cases involving rogue employees.

Facts

This case involved a senior auditor at the defendant who had faced disciplinary proceedings for misconduct. The employee had access to certain payroll data of approximately 126,000 employees as part of the audit process (including name, address, gender, date of birth, phone numbers, national insurance number, bank account information and salary). This employee subsequently uploaded a file with the information of 98,998 employees to the internet. He did so from a personal copy of the data he had made, while at home, using a cell phone and fake email account.

The employee then informed three UK newspapers (anonymously) about the disclosure of this information online in an effort to harm the company. As the court said, “he harboured an irrational grudge” against the company, which led him to disclose this personal information.

One of the newspapers contacted the defendant. The defendant then took steps to ensure that the data was removed from the internet, and to investigate the matter. It spent more than £2.26 million doing so. The rogue employee was arrested and eventually convicted of a number of criminal offences.

Findings

The claimants, whose information had been posted online, subsequently started litigation. A group litigation order was made and ten claims proceeded to a hearing on liability (but not on damages). The trial judge found that the defendant company was not directly liable for the breach but went on to find that it was vicariously liable for the rogue employee’s breaches of UK privacy legislation, and other wrongful conduct.

The UK Court of Appeal upheld that decision, finding that the tortious acts of the employee were “within the field of activities assigned to him” by the defendant, and that the employee’s motive to harm his employer was irrelevant.

The UKSC held that the UK “Court of Appeal misunderstood the principles governing vicarious liability in a number of relevant respects” and therefore considered the issue of vicarious liability afresh. It applied the test from Dubai Aluminium Co Ltd v Salaam, [2002] UKHL 48 – namely, whether the rogue employee’s disclosure of the data “was so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment.”

This test is very similar to the test for vicarious liability in Canada, where the employee’s acts must have been authorized by the employer, or the unauthorized acts so connected with authorized acts that they may be regarded as modes of doing an authorized act for there to be vicarious liability. The question is whether the wrongful act is sufficiently related to conduct authorized by the employer to justify the imposition of vicarious liability (see Bazley v Curry, 1999 CarswellBC 1264 (SCC) at paras. 6 and 41).

In this case, the employee’s acts were connected to the conduct authorized by his employer because “he could not have made the disclosure if he had not been given the task of collating the data and transmitting it” to the auditor. But – and this is an important “but” – “the mere fact that [his] employment gave him the opportunity to commit the wrongful act would not be sufficient to warrant the imposition of vicarious liability.”

The UKSC noted that there did not appear to be any prior case law that involved an employer being held vicariously liable for wrongful conduct that was specifically designed to harm the employer. Rather, where an employee is engaged in an “independent personal venture,” or is on a “frolic of his own,” the employer will not be liable. Citing Dubai Aluminium, the court held: “The matter stands differently when the employee is engaged only in furthering his own interests, as distinct from those of his employer.”

Likewise, in Canada, employers are not generally vicariously liable when employees are on a “frolic” of their own and are not “somehow furthering the interests of the defendant employer” (see Krokosz Estate v Soucy Estate, 1992 CarswellMan 330 (QB) at para. 40).

In the current case, the UKSC held that it was “abundantly clear” that the employee was not furthering his employer’s interests. Rather he was “pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.” In those circumstances, the employee’s wrongful conduct was not so closely connected with acts that he was authorized to do that, for the purposes of the defendant’s liability to third parties, it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment. The defendant was not vicariously liable.

Takeaways

This decision is important not only because Canadian courts often look to developments in UK case law, but also because Canadian law on vicarious liability is similar to that in the UK, even using the same language about employees who are on a “frolic” of their own. Accordingly, the application of these same principles in Canada should lead to the same result – that where a rogue employee discloses personal information that he or she obtains in the course of employment to cause harm to an employer, the employer should not be vicariously liable. This case will therefore be of interest to employers in Canada who may be concerned about this type of action.

Companies should continue to adopt measures to safeguard any personal information they collect, and educate employees on the importance of their obligations in safeguarding this information. Clear policies on permitted use of personal information, and the serious consequences of violating those policies, will assist an employer in demonstrating any rogue employee was truly off “on a frolic of his own”.

Companies should not misinterpret this case as meaning vicarious liability is no longer a risk. There may still be vicarious liability for privacy breaches particularly where it is not as “abundantly clear” that the employee is pursuing their own personal agenda, or where the employer’s actions or processes in terms of employee supervision or safeguards fell below what would normally be expected.


For more information about Dentons’ data and litigation expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, and training.