When Employees Go Rogue: Are Employers Vicariously Liable for the Privacy Breaches of Their Employees?
Sara D.N. Babich of McCarthy Tétrault LLP has a commentary on employer liability for employee wrongdoing under Canadian law. Her analysis includes discussion of the recent UK decision in the Morrisons data breach case. Here’s how Babich’s article begins:
Although there has not yet been a definitive answer to this question in Canada, based on recent UK case law, it appears increasingly likely that, at least in some circumstances, the answer may be “yes”.
In Various Claimants v WM Morrisons Supermarket Plc, (Rev 1)  EWHC 3113 (QB)(“Morrisons”), the High Court said that the supermarket chain Morrisons was vicariously liable for the actions of an employee, who leaked the payroll data of nearly 100,000 employees. The case is the first successful class action for a data breach in the UK.
More and more, Canadian courts and adjudicators have been asked to grapple with similar privacy issues, particularly in light of the privacy torts that have gained traction in some Canadian jurisdictions. Thus far, Canadian courts have not opined directly on the issue of whether vicarious liability may be extended to employers in respect of the privacy breaches of their employees, but the case law to date is consistent with a recent UK decision which holds that the test for vicarious liability of an employer for the wrongful acts of its employees is the same as it is for any other wrongful act of an employee.
Read more on CyberLex.