Vicarious liability: B.C. case involves major privacy breach

Tips for HR on how to be proactive when it comes to 'rogue' employees behaving badly

“For the most part, employers are doing everything they can to make sure these things don't happen. But sometimes they still happen.”

So says Eleni Kassaris, a partner at Dentons’ Vancouver office, in talking about a recent decision in B.C. dealing with vicarious liability after an employee improperly accessed confidential customer information.

And these risks are only going to increase, she says, citing higher standards of privacy regulation overseas, along with changes federally and in Quebec.

“Organizations need to be aware that regulatory risk… is only going to increase as well.”

RCMP investigation uncovers privacy breach

The case involved Candy Rheaume, who was a claims adjuster for the Insurance Corporation of British Columbia (ICBC), and accessed the personal information of 78 customers for no apparent business reason. She searched for the data by running license plate numbers provided to her by a non-employee, and sold that data to him. There was no monitoring of staff access to personal information in the database during the time Rheaume was carrying out these activities.

Between April 2011 and January 2012, the homes and vehicles of 13 of the 78 customers were targeted in arson, shootings, and vandalism. And in August 2011, the police informed ICBC about Rheaume’s activities. As a result, the crown corporation terminated her employment on Sept. 1. Later, she pleaded guilty to fraudulently obtaining a computer service and received a suspended sentence with nine months’ probation.

Those customers whose personal information was improperly accessed brought a class action against ICBC. In the trial, the corporation was found vicariously liable for its employee’s breach of the Privacy Act, and general damages were awarded on a class-wide basis.

But ICBC appealed the finding of vicarious liability (the doctrine that holds a person or company responsible for the wrongful acts of others, including its employees), arguing that the information accessed by the claims adjuster was not private but was contact information that people regularly provide.

However, the appeal court dismissed the appeal in an Aug. 15 decision.

“Whether a right to privacy has been breached pursuant to the Privacy Act requires consideration of the context, including the nature, incidence, and occasion of the act, the relationship of the parties, and degree of privacy to which a person is entitled,” said the court. “Customers had a reasonable expectation that the information they provided ICBC would only be used for legitimate ICBC business purposes, and they otherwise had the right to control use of their personal information.”

As for the finding of vicarious liability, “ICBC materially created the risk and provided the opportunity for this employee to commit the wrong and the employee’s conduct was sufficiently related to her authorized duties to justify the imposition of vicarious liability,” said the court. “Policy reasons support the imposition of liability.”

‘If it’s a breach, it’s a breach’

ICBC was trying to say this was only business contact information that was readily available, a category recognized in privacy laws that doesn't necessarily fall within personal information, says Kelly Osaka, partner at Dentons in Calgary.

“The interesting point there is that the court really broke down the fact that, first of all, it was compulsory for these class members to provide that information to ICBC. And then, secondly, the justice who wrote the decision went through and looked at the privacy policies, the code of ethics that ICBC had on how they treat this type of information… as well as the way that [the corporation] had described the information to the notified individuals in describing it as a privacy breach, basically.”

The court’s analysis of the Privacy Act made it very clear that you don't have to show that it was a highly offensive breach or that it actually caused any harm, says Kassaris.

“If it's a breach, it's a breach.”

It appeared as though this “rogue” employee had received some training, and there was a privacy policy in place, but the enforcement piece was missing, says Osaka.

“This type of personal information has to be siloed on a need-to-know basis. So if an employee needs access to that information, then they should have access to it and then there should be some oversight of that access,” she says.

“I think it's very clear that [Rheaume] had relatively unrestricted access to data. And I think they could have had her have less access, and maybe less damage would have been done.”

‘Reasonable’ security measures to maintain privacy

There is a general duty under British Columbia privacy laws – both the Freedom of Information and Protection of Privacy Act (FIPPA) that applies to ICBC and private sector legislation – that you're supposed to be taking reasonable security measures to make sure that information is not accessed for unauthorized purposes, says Kassaris.

“Any attempt in this decision that ICBC was making to try to say, ‘But we complied with FIPPA, we're doing everything right,’ I think just fell on deaf ears with the court in that they were not having it, because what [Rheaume] did was egregious, and they did it on the employer’s watch. So whatever safeguards they say they had in place, I think the court found that it just wasn't good enough.”

While not knowing exactly what processes ICBC had in place, the decision suggests that, as part of her job duties, Rheaume had free rein to access databases, she says.

“When you are handling what the court found to be sensitive information, you have a duty to do certain practical things to make sure that laws are being complied with, like spot checking. I think one of the recommendations that had been made previously to ICBC was just to spot check, to see periodically what employees are doing and how they're accessing data and what's going on.”
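The two controls the lawyers describe above, need-to-know access (an adjuster should only be able to pull records tied to claims they are working) and periodic spot checks of who looked up what, are easier to reason about in code than in policy language. The block below is an added illustration, not code from the article, from ICBC or from any real claims system. It assumes a hypothetical lookup log with one line per query ("timestamp,employee_id,record_key,claim_id"), keyed by licence plate, and hypothetical claim-assignment tables; all names, IDs and log lines are constructed sample data. It replays the log through a need-to-know rule and flags both lookups with no assigned claim behind them and employees whose daily lookup volume exceeds a review threshold, which is what a spot check would surface.

```python
"""
Added example (not from the article, ICBC or any real system): a minimal
need-to-know check plus access-log review for customer-record lookups.
Assumptions, labelled as such: every lookup is logged as
"timestamp,employee_id,record_key,claim_id"; a lookup is justified only when
the stated claim is assigned to the employee and the record belongs to that
claim. All IDs, plates and log lines below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed assignment data: which claims each adjuster is working on, and
# which customer records (keyed by licence plate) each claim covers.
ASSIGNED_CLAIMS = {
    "adj_001": {"C-1001", "C-1002"},
    "adj_002": {"C-2001"},
}
CLAIM_RECORDS = {
    "C-1001": {"ABC123"},
    "C-1002": {"DEF456", "DEF457"},
    "C-2001": {"GHI789"},
}

# Constructed sample log: adj_001 makes two justified lookups and one for a
# plate outside the claim cited; adj_002 runs six plates with no claim at all.
SAMPLE_LOG = """\
# timestamp,employee_id,record_key,claim_id   (constructed sample data)
2011-06-03T09:12:00,adj_001,ABC123,C-1001
2011-06-03T09:40:00,adj_001,DEF456,C-1002
2011-06-03T10:05:00,adj_001,GHI789,C-1001
2011-06-03T11:00:00,adj_002,XYZ111,
2011-06-03T11:01:00,adj_002,XYZ112,
2011-06-03T11:02:00,adj_002,XYZ113,
2011-06-03T11:03:00,adj_002,XYZ114,
2011-06-03T11:04:00,adj_002,XYZ115,
2011-06-03T11:05:00,adj_002,XYZ116,
"""


def authorised(employee, record_key, claim_id):
    """Need-to-know rule: allow the lookup only when the cited claim is
    assigned to this employee and the record belongs to that claim."""
    return (claim_id in ASSIGNED_CLAIMS.get(employee, set())
            and record_key in CLAIM_RECORDS.get(claim_id, set()))


@dataclass(frozen=True)
class Finding:
    employee: str
    reason: str   # "unjustified_lookup" or "volume"
    detail: str


def review_access_log(lines, daily_limit=5):
    """Replay log lines through the need-to-know rule and return findings:
    one per lookup that the rule rejects, plus one per (employee, day) whose
    lookup count exceeds daily_limit, the kind of signal a spot check targets."""
    findings = []
    per_day = Counter()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and the header comment
        ts, employee, record_key, claim_id = [f.strip() for f in line.split(",")]
        if not authorised(employee, record_key, claim_id):
            findings.append(Finding(employee, "unjustified_lookup",
                                    f"{ts} plate={record_key} claim={claim_id or '-'}"))
        per_day[(employee, ts[:10])] += 1  # ts[:10] is the ISO date
    for (employee, day), n in sorted(per_day.items()):
        if n > daily_limit:
            findings.append(Finding(employee, "volume",
                                    f"{day}: {n} lookups (limit {daily_limit})"))
    return findings


def summarise(findings):
    """Count findings per employee and reason, for a review report."""
    return Counter((f.employee, f.reason) for f in findings)


if __name__ == "__main__":
    results = review_access_log(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f.employee:8} {f.reason:20} {f.detail}")
    print(summarise(results))
```

In a real deployment the justification check would run at query time and deny the lookup, not only flag it afterwards; the after-the-fact replay shown here is the spot check the article describes, and it needs the log to carry the business reason (the claim ID) for every lookup, which is itself a design decision the system has to make up front.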

Over-collection and retention of data

When it comes to data privacy, there are two other important considerations, says Osaka.

First of all, only take the information you need: over-collection is unlawful.

“For legitimate business purposes, you're supposed to have need-to-know access, not everybody in the company needs to access the same pot of information. If you need it to do your job and to fulfill the purposes for which the information was collected, that's fine, but everybody else doesn't need access.”

Also important? Retention policies, and when you should be getting rid of information, she says.

“A lot of organizations keep buckets and piles of information for a lot longer than they need it. Because you can't have a data breach if you've properly disposed of old information.”

So employers should be asking, “How long do we need it? Why are we still keeping it? How and when should we be destroying it?” says Osaka.

“That's individual and very fact-specific. But a lot of companies haven't been as focused on cleaning up the data that they have.”

Understanding vicarious liability

Of course, the other big challenge for ICBC was the finding of vicarious liability. So what does that mean exactly?

“Vicarious liability is not automatic,” says Kassaris. “Not all employers will be on the hook for the rogue actions of criminal or quasi-criminal behaviour by their employees – you know, ‘She wasn't given permission to do this, she did this of her own accord.’ But the court will try to simplify it, and it's not simple, it's very fact-specific.”

The courts tend to draw a line between someone who had the opportunity and ability to undertake bad conduct connected to their job duties, a “job-conferred power,” she says, and conduct that is not connected to the job at all but happened anyway.

As an example, if you're a dormitory supervisor in a school, you have access to students and the employer should know that you might abuse those students; a janitor working after hours doesn't have any duties directly connected to the students, so the employer is less likely to be held vicariously liable if that janitor does something to the students, says Kassaris.

“Here, there was a direct finding that [Rheaume], as part of her regular duties, is supposed to be accessing databases and dealing with this information. And because of that, the connection to her job-conferred power, and her bad conduct was made for the court. So they were able to say vicarious liability.”

If the employee had an unrelated job and was rooting around people's offices after, then it’s unlikely the court would have imposed the vicarious liability, she says.

“But it is a very complicated analysis of what's connected versus not connected.”

How to be proactive in avoiding vicarious liability

A big part of what the court will consider on vicarious liability will be the actions of the employer. And while it's clear that the court didn't think that ICBC did enough to protect the public from this rogue employee, “if you can show a good track record of trying to do all the right things, the court might see it differently and not necessarily connect the duties to the employer and, therefore, wouldn't necessarily find vicarious liability.”

The best that an employer can do is to have more hands-on attention, says Osaka. So that means recognizing an employee has access to different things, and evaluating how they are conducting themselves.

That can involve audit systems and surveillance, she says.

“With any kind of surveillance in the workplace or monitoring, you have to think about the privacy impacts, and that's OK, it can still be done, you just have to do it in accordance with privacy laws, human rights laws.

“These laws that are meant to protect people from breaches of privacy don't interfere with you running your business, you just have to be cognizant of those laws, take them into account and conduct your business with those laws in play.”

Even though the training provided to this employee was not enough to get ICBC off the hook, says Osaka, the more an employer creates a culture of respect for privacy and understanding of the risks within the organization, then at least it can say, “We did everything we can to really instil in our people how important these things are, so that they would act cognizant of the risks.”
