Common Ground? Class Action Updates
Court Holds Employer Vicariously Liable for the Privacy Breaches of Former Employee in Class Action Lawsuit
Date: September 7, 2022
The law of vicarious liability is important to employers because it sets a framework to establish when employers will be liable for the misconduct of their employees. The principle was recently applied in Ari v. Insurance Corporation of British Columbia, where the British Columbia Supreme Court (the Court) found that the Insurance Corporation of British Columbia (ICBC) was vicariously liable for the actions of an employee (Employee) who fraudulently accessed personal information maintained by ICBC. ICBC was ordered to pay damages to the members of a class action (Class Members) as a result of the privacy breach.
Factual Background
ICBC is the operator of a universal compulsory vehicle insurance plan and maintains databases that include the personal information of everyone in the province who holds a driver’s licence or who is a registered owner of a motor vehicle.
The Employee had improperly accessed the personal information of the Class Members and sold it to a third party. That information, in turn, was used by others to carry out shooting attacks and arson on the houses and vehicles of 13 of the Class Members (Subclass). There was a total of 78 Class Members whose information had been breached, including the individuals victimized in the attacks.
The persons responsible for the attacks and the Employee were criminally charged for their actions. The victims of the privacy breach also commenced a civil proceeding against ICBC, which was certified as a class action proceeding in 2017. In 2019, on appeal by the plaintiff to the British Columbia Court of Appeal, the common issues of the class action were expanded to include a claim for punitive damages, among other things.
The Court’s Analysis and Decision
In May 2022, the parties appeared before the Court for a summary trial to settle the common issues.
On the issue of the Employee’s liability, the Court held that it was clear that the Employee’s actions had breached the British Columbia Privacy Act (Act), as she had accessed personal information wilfully and without a claim of right from ICBC databases.
The Court then turned to the key issue for ICBC: whether ICBC would be vicariously liable for the Employee’s breach of the Act. Following its review of the principles for attributing vicarious liability to an employer, the Court concluded that ICBC had “clearly created the risk of wrongdoing by an employee in [her] position and that her wrongdoing was directly connected to her employment.”
The Court also held that the type of risk that had arisen in this case was foreseeable and could potentially have been addressed, writing:
[74] […] The risk of such conduct by an employee was not only foreseeable, it was actually foreseen. Employees were told of the need to protect the privacy of customers’ personal information and warned of adverse consequences if they accessed that information for reasons unrelated to ICBC’s business.
[75] ICBC had in place rules and policies forbidding improper use of its databases, but the possibility of an individual employee choosing to ignore them was clearly foreseeable and there is no evidence of any system or method that would have prevented or detected that conduct at the time it happened.
After establishing that ICBC was vicariously liable for the Employee’s wrongdoing, the Court concluded that all of the Class Members were entitled to an award of non-pecuniary damages arising from the mere fact that their privacy was violated, without proof of loss. In addition, Class Members who claimed to have suffered non-pecuniary damages over and above the award could advance that claim in a future process to deal with individual issues.
The Court also considered the common issues of the Subclass. ICBC had argued that no amounts were owed to the Subclass because the attacks stemming from the privacy breach were too remote to be considered “foreseeable.” In the alternative, ICBC took the position that the Subclass members were not entitled to additional damages (in addition to the common damages). The Court disagreed. It concluded that the attacks were foreseeable intervening acts, and that members of the Subclass may be entitled to damages over and above those general damages awarded to the whole class.
The final issue was whether ICBC’s conduct in the circumstances of the Employee’s breaches of the Act justified an award of punitive damages against ICBC. The Court reviewed the standard of “reprehensible conduct” required of an employer to warrant an award of punitive damages and concluded that, while ICBC could have done more to prevent the Employee’s misconduct, there was nothing to suggest that its conduct was high-handed, malicious or arbitrary to justify such an award.
While this judgment settles the common issues in the class action, the parties must now decide upon the quantum of common issue damages and will then turn to litigating individual issues, such as the claims of any Class Members with pecuniary damages claims.
Key Takeaways
This decision is an important reminder for employers about the potential pitfalls of vicarious liability and a reminder to carefully review internal policies and training protocol on confidentiality and the appropriate use of company data, which may include personal information.
Employers should routinely and thoroughly brief their employees on the importance of appropriate access and use of company data, as failure to do so could create legal and financial risk, as this decision demonstrates.
The article in this client update provides general information and should not be relied on as legal advice or opinion. This publication is copyrighted by Hicks Morley Hamilton Stewart Storie LLP and may not be photocopied or reproduced in any form, in whole or in part, without the express permission of Hicks Morley Hamilton Stewart Storie LLP. ©
