Written by Ruth E. Promislow and Ethan Z. Schiff
While corporate executives are increasingly becoming aware of their obligation to be informed of cybersecurity threats and the steps being taken by their company to prevent data breaches, it is equally important for executives to ensure that the employees are educated with respect to cyber threats. The data breach prevention protocol of a company may only be as strong as its weakest link.
Negligence or recklessness by a company’s employee which contributes to a successful data breach may expose the company to liability. For example, employees may create risk by negligently clicking on what is deemed to be an obvious phishing link, or recklessly updating social media.
The scope of negligence in the cyber context remains largely unexplored by case law. However, given the increasing awareness of the frequency and nature of cyber threats, the standard of care owed by a company to those individuals whose personal data is stored may expand. With this expanded duty, companies could be exposed to increased vicarious liability for their employees’ mistakes.
Vicarious Liability: The Test
A company may be vicariously liable for an employee’s negligent acts if the acts are committed in the course of employment. This test gives rise to two questions: (1) who is an employee and (2) what activities are committed in the course of employment?
Who is an employee?
The question of who is an employee for purposes of determining vicarious liability is not as simple as determining whether an individual is designated an employee by the company.
Generally, a party is not vicariously liable for the tortious actions of an independent contractor.1 In determining whether a party acts as an employee or as an independent contractor, courts consider a number of factors including the amount of control exercised over the worker, whether the worker uses his or her own equipment, whether the worker hires independent help, whether the worker takes on financial risk, the degree of responsibility for investment and management held by the worker and the worker’s opportunity for profit.2
Do not assume that, because someone is not designated as an employee, liability for cyber breaches does not flow from their negligent, reckless or intentional conduct.
What activities are committed in the course of employment?
Activities committed in the “course of employment” include activities that the employer authorizes, as well as activities carried out by the employee using the authority granted to them by the employer.3 If the employer did not authorize the wrongful activity, the court will consider whether the employer “introduced the risk of the wrong”.4 Put another way, the court may consider whether the employer cloaked the individual with the authority through which they committed the wrong.
Do not assume that, because an employee is not authorized to engage in particular tasks, the company will not be exposed to liability for that employee’s negligent or reckless conduct in connection with cyber threats.
Conclusion: Application in Cybersecurity
In the world of cybersecurity, the actions of an organization's employees are critical. Companies must train employees around cybersecurity risks and ensure sufficient oversight of employees with access to personal data.
Data breaches are inevitable, but liability for those breaches may be minimized. Proper training and supervision of employees is an essential element of data breach prevention.
1 M.A.N. – B & W Diesel v Kingsway Transports Ltd, 1997 CarswellOnt 1086 (CA) at para 7. Some British Columbia courts have held parties liable for the actions of independent contractors: See e.g. A(C) v C(JW) (1998), 166 DLR (4th) 475 (BCCA) and Thiessen v Mutual Life Assurance Co of Canada (2001), 8 CCLT (3d) 134 (BCSC).
3 Triplett v Steadman, 1981 CarswellAlta 297 (QB) at para 5.
4 Bazley v Curry, 2 SCR 534, 1999 CanLII 692 (SCC) at para 37 [Bazley].