Saturday, 21 June 2014

Employee's Invasion of Customer's Privacy can be Employer's Responsibility

Can an employer be held legally responsible if one of its employees deliberately invades upon the privacy of the employer’s customers? That question was one of the key issues in the recently decided class action certification motion in Evans v. The Bank of Nova Scotia, 2014 ONSC 2135 (CanLII).

The case involves a class action proceeding against the Bank of Nova Scotia and one of its former employees for breaching the privacy of the Bank’s customers.

The case was filed in Ottawa and the certification motion was decided by the Honourable Mr. Justice Robert Smith of the Ontario Superior Court of Justice, sitting at Ottawa.

Sean Bawden, editor and primary author of this blog, formerly worked with plaintiff’s counsel and assisted in the formative stages of the case before transferring to Kelly Santini.

While the court did not expressly say that the answer to the question raised at the start of this post was “yes,” it did expressly refuse to say that the answer to the question is “no.”

Facts

According to the overview of the case prepared by Justice Smith in his reasons for decision, the basic facts of the case are as follows.

Richard Wilson, an employee of the Bank, has admitted to providing private and confidential information of Bank customers to his girlfriend, who then disseminated the private information to third parties for fraudulent and improper purposes. As a result of the Bank employee’s conduct, a substantial number of the Bank’s customers became victims of identity theft and fraud, which has negatively affected their credit rating.

Wilson was employed by the Bank as a Mortgage Administration Officer, from September 24, 2007, until June 12, 2012. In this position he had access to highly confidential customer information.

The Bank identified a marked spike in the number of customer files accessed by Wilson commencing on or about July 1, 2011. The Bank has identified 643 Bank customers (the “Notice Group”) whose files were accessed by Wilson from July 1, 2011, until his computer access was terminated on May 18, 2012.

In June of 2012, the Bank wrote to the Notice Group and advised them that it was possible that there had been unauthorized access to their private information held by the Bank. The Bank offered them a complimentary subscription to a credit monitoring and identity theft protection service. To date, 138 members of the Notice Group have advised the Bank that they have been the victims of identity theft or fraud in the past year. The Bank has compensated these victims for the pecuniary losses that they have suffered.

Arguments

On the motion for the court’s certification of the claim as a class action, the Bank argued, among other things, that it cannot be held vicariously liable for the tort of intrusion upon seclusion for a deliberate breach of customers’ privacy rights by one of its employees.

Decision

Justice Smith certified the proceeding as a class action, finding that the plaintiff’s had met the five-part test established by section 6 of the Class Proceedings Act, 1992. For those interested in that element of the decision, I would direct you to the decision itself.

With respect to the issue of the employer’s vicarious liability for its employee’s actions, Justice Smith wrote the following:

[12] As against the Bank, [the plaintiffs’] claim alleges negligence, a breach of contract, the tort of intrusion upon seclusion, breach of fiduciary duty and of the duty of good faith, and waiver of tort. The claim further alleges that the Bank is vicariously liable for Wilson’s wrongdoing for each of the above claims.
[14] The Bank has admitted the following facts:
(a) Wilson wrongfully accessed the confidential financial information of an indeterminate number of the Bank’s customers and provided that information to unknown third parties;
(b) The Bank owed the plaintiffs a duty of care subject to the standard of a reasonable person and had an implied contractual obligation to the plaintiffs to make reasonable efforts to maintain the confidentiality of their personal information;
(c) Wilson was an employee of the Bank; and
(d) The Bank is vicariously liable for any pecuniary losses that Wilson’s conduct may have caused to the Bank’s customers.
[18] In the decision of Jones v. Tsige, 2012 ONCA 32 (CanLII), 2012 ONCA 32, 108 O.R. (3d) 241, at para. 71, the Court of Appeal set out the three elements required to establish the tort of intrusion upon seclusion, which are as follows:
a) The defendant’s conduct must be intentional (which could include recklessness);
b) The defendant must have invaded the plaintiff’s private affairs or concerns without lawful justification; and
c) A reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.
[19] In this case, the plaintiffs do not allege that the Bank acted intentionally with respect to the unauthorized access by Wilson. However, they claim that the Bank is vicariously liable for Wilson’s tort of intrusion upon seclusion. While the Bank agrees that the claim discloses a reasonable cause of action against Wilson, it submits that the claim does not disclose a cause of action for this tort against the Bank and that the Bank is not vicariously liable for Wilson’s wrongful conduct.
[20] In Bazley v. Curry, 1999 CanLII 692 (SCC), [1999] 2 S.C.R. 534, at para. 37, the rationale for imposing vicarious liability on an employer was set out as follows:
Underlying the cases holding employers vicariously liable for the unauthorized acts of employees is the idea that employers may justly be held liable where the act falls within the ambit of the risk that the employer's enterprise creates or exacerbates. Similarly, the policy purposes underlying the imposition of vicarious liability on employers are served only where the wrong is so connected with the employment that it can be said that the employer has introduced the risk of the wrong (and is thereby fairly and usefully charged with its management and minimization). The question in each case is whether there is a connection or nexus between the employment enterprise and that wrong that justifies imposition of vicarious liability on the employer for the wrong, in terms of fair allocation of the consequences of the risk and/or deterrence.
[21] In Bazley, at para. 41, McLaughlin J. (as she was then) stated:
The fundamental question is whether the wrongful act is sufficiently related to conduct authorized by the employer to justify the imposition of vicarious liability. …
In determining the sufficiency of the connection between the employer's creation or enhancement of the risk and the wrong complained of, subsidiary factors may be considered. These may vary with the nature of the case. When related to intentional torts, the relevant factors may include, but are not limited to, the following:
(a)the opportunity that the enterprise afforded the employee to abuse his or her power;
(b)the extent to which the wrongful act may have furthered the employer's aims (and hence be more likely to have been committed by the employee);
(c)the extent to which the wrongful act was related to friction, confrontation or intimacy inherent in the employer's enterprise;
(d)the extent of power conferred on the employee in relation to the victim;
(e)the vulnerability of potential victims to wrongful exercise of the employee's power.
[22] In this case, the Bank created the opportunity for Wilson to abuse his power by allowing him to have unsupervised access to customers’ private information without installing any monitoring system. The release of customers’ confidential information by Wilson to third parties did not further the employer’s aim of generating profits on good loans. Also, Wilson’s wrongful acts were not related to friction, or confrontation inherent in the Bank’s enterprise, but they were related to his necessary intimacy with the customers’ personal and financial information. Wilson was given complete power in relation to the victims’ (customers) confidential information, because of his unsupervised access to their confidential information. Bank customers are entirely vulnerable to an employee releasing their confidential information. Finally, there is a significant connection between the risk created by the employer in this situation and the wrongful conduct of the employee.
[23] The plaintiffs have pleaded, and the Bank has acknowledged, a complete lack of oversight by the Bank of its employees, including Wilson, with regard to improper access to personal and financial customer information. While the Bank itself was not directly involved in the improper access of customer information, vicarious liability “is strict, and does not require any misconduct on the part of the person who is subject to it”: Straus Estate v. Decaire, 2011 ONSC 1157 (CanLII), 2011 ONSC 1157, 84 C.C.L.T. (3d) 141 at para. 49.
[26] The tort of intrusion upon seclusion has only recently been recognized by the Ontario Court of Appeal and is settled in Ontario. However, until the matter is ultimately decided at the Supreme Court of Canada, I find that the law in Canada is not settled on this issue… For this reason, I find that it is not plain and obvious that the plaintiffs’ claim that the Bank is vicariously liable for its employees’ tort of intrusion upon seclusion would be unsuccessful.
[27] Finally, the Bank further submits that damages awarded for the tort of intrusion upon seclusion fall into the category of symbolic or moral damages. The Bank submits that moral damages awarded in such a case are analogous to punitive damages, and that vicarious liability is not been imposed for punitive damages. I find that the law is not settled on this issue and that it is not plain and obvious that the plaintiffs would be unsuccessful for this reason.
[30] … I find that it is not plain and obvious in these circumstances that the Bank would not be held vicariously liable for the serious wrongful conduct of its employee in these circumstances considering the five factors set out in Bazley and especially because of the connection between the risk created by the Bank and the wrongful conduct of its employee. I further find that it is not settled law that damages awarded for the tort of intrusion upon seclusion are treated in the same manner as an award of punitive damages where an employer, such as the Bank, gives an employee unsupervised access to customers’ private information.

Relying on the case of Blackburn v. Midland Walwyn Capital Inc., 2003 CanLII 41421 (ON SC), (2003), 32 B.L.R. (3d) 11 (ON SC), Justice Smith further held that “the plaintiffs’ claim discloses a cause of action in negligence and that it is not plain and obvious that this cause of action would be unsuccessful against the Bank” and that, “it is not plain and obvious that the plaintiffs’ claim for breach of contract cannot succeed.”

However, Justice Smith did find that it was “plain and obvious” that the bank did not owe its customers a fiduciary duty with regard to its customers, nor did it owe its customers a “duty of good faith.”

Commentary

It is important to again highlight that Justice Smith did not say that the Bank of Nova Scotia is legally responsible for its employee’s actions, only that it is not “plain and obvious” that the Bank is not legally responsible. The case still has to go to trial (unless it is settled) on that issue.

Notwithstanding the legal technicality that the actual issue remains unresolved in the Evans case, what Justice Smith’s decision shows is that employers might be held responsible for such actions.

More importantly, it is important to note that Evans really is not breaking any new ground. Jones v. Tsige, cited in Justice Smith’s decision also concerned a bank employee’s invasion of a customer’s privacy. In that case, the defendant employee Tsige was an employee of the Bank of Montreal. For a summary of that case, have a look at the post Ontario Recognizes Torts of Invasion of Privacy.

What is different in Evans is, unlike the Jones case, the employer is still involved. The Bank of Montreal settled with Ms. Jones prior to the court’s decision.

Whether the Bank is ultimately found liable in the Evans case or not, and frankly my money is on a finding of liability, what the decisions in both Evans and Jones v. Tsige, not to mention the Supreme Court of Canada’s decisions in the criminal law context of R. v. Cole, 2012 SCC 53 (summarized by this blog in posts including Supreme Court of Canada: Employees’ Rights to Privacy with Work Equipment) and the more recent decision of R. v. Spencer, 2014 SCC 43, indicate is that the Canadian courts are moving more and more towards a strong recognition of an individual’s right to privacy.

Takeaways for those with Labour Pains

As the law moves towards a stronger recognition of a right to privacy, what cases like Evans show is that the court will expect more from employers to ensure that the right is protected. Technology is great. It enables so many incredible opportunities to share information. However, the same technology also easily enables the sharing of information that one would prefer to keep private, not the least of which being financial information.

This blog has previously looked at reasons for why an employer needs a strong policy on the use of technology; see for example the post Why Your Organization Needs a Social Media Policy. Technology is not going away. If anything the ways by which information can be shared are only getting easier.

Thus, the takeaway from the Evans case for employer is this: if you do not already have a use of confidential information and technology policy, and a program to oversee that the policy is being followed, now may be the time to consider developing one.

If you are an employer in Ontario and are considering introducing new policies for your employees with respect to the use of confidential information or anything else, it may be prudent to speak with an experienced employment lawyer. The professional, experienced and cost-effective employment lawyers for employers at Ottawa's Kelly Santini LLP would be happy to be of service to your business or organization.

To reach the author of this blog, Sean Bawden, email sbawden@kellysantini.com or call 613.238.6321 x260.

--

As always, everyone’s situation is different. The above is not intended to be legal advice for any particular situation. It is always prudent to seek professional legal advice before making any decisions with respect to your own case.

Sean Bawden, publisher of Labour Pains, can be reached by email at sbawden@kellysantini.com or by phone at 613.238.6321.

Sean P. Bawden is an Ottawa, Ontario employment lawyer and wrongful dismissal lawyer practicing with Kelly Santini LLP. He is also a part-time professor at Algonquin College teaching Trial Advocacy for Paralegals and Small Claims Court Practice.



No comments:

Post a Comment