Site icon Siskinds Law Firm

A cautionary tale: Employee misconduct creates employer liability

Consider this scenario: An employee steals co-workers’ personal information and uses it in an attempt to blackmail his employer, threatening to release it publicly unless a ransom is paid. Who’s stuck with the liability in this story? You may be surprised. 

Grossman v. Nissan is a class action in which the representative plaintiffs are Nissan employees whose personal information was used by their co-worker (who has never been identified and is therefore referred to as the “unknown employee”) in his blackmail scheme. It appears very little information was stolen and none was released to third parties.   

However, the plaintiffs claimed four causes of action against Nissan: (a) vicarious liability for the unknown employee’s intrusion upon their seclusion (effectively a breach of their privacy); (b) breaches of provincial privacy statutes; (c) negligence; and (d) breach of contract. They indicated that, if certification of the vicarious liability claim was successful, the statutory claims would not be pursued. 

The plaintiffs argued that Nissan had a responsibility to protect their information, that the tort of “intrusion upon seclusion” has been recognized by the Court, and that symbolic or moral damages can be awarded even if no financial or out-of-pocket losses are incurred. 

The Court certified the class action, stating “I cannot say that the plaintiffs’ vicarious liability for intrusion claim has no chance of success.” The negligence claim was also found to disclose a cause of action. 

Of course, this is not the end of the story. If the action goes to trial, Nissan could be successful in defending the claims. Some international precedents suggest that this outcome is possible.1

However, in the meantime, the Superior Court’s application of the principle of employers’ vicarious liability in situations like this – a rogue employee deliberately instituting a data breach – should cause employers to tread carefully in permitting access to sensitive data. Only trusted employees with a genuine need-to-know reason should be granted such access. 


1 E.g. Various Claimants v. Wm Morrisons Supermarket PLC, [2017] EWHC 3113 (Q.B.); aff’d [2018] EWCA Civ 2339 (Eng. C.A.); rev’d [2020] UKSC 12. 

Exit mobile version