On August 24, 2022, the Supreme Court of British Columbia (the Court) in Ari v. Insurance Corporation of British Columbia, 2022 BCSC 1475, found that the Insurance Corporation of British Columbia (ICBC) was liable for its employee’s violation of its customers’ privacy under the British Columbia Privacy Act (the Act).
The defendant, ICBC, is the operator of a universal compulsory vehicle insurance plan and maintains a personal information database of British Columbians who hold a driver’s license or are registered owners of a motor vehicle. This class action commenced in 2012, after an ICBC employee accessed the personal information of a number of ICBC customers, including names and addresses, and sold it to a third party, and the houses and vehicles of those customers were then targeted in arson and shooting attacks.
The plaintiff, representing the class members who have had their personal information accessed by the ICBC employee for non-business purposes, and the family members and other residents at the residences of those persons, sought a summary trial judgement on a number of previously certified common issues. Those issues related to liability, including whether the rogue employee had committed a privacy breach under the Act and, if so, whether ICBC was vicariously liable for the employee’s misconduct. The Act provides for an intentional tort, actionable without proof of damage, where a person violates the privacy of another “wilfully and without a claim of right”.
The Court held that the ICBC employee had breached the class members’ privacy pursuant to the Act when she accessed their personal information from the ICBC database for purposes unrelated to her job responsibilities. The Court concluded that the employee “clearly knew or ought to have known” that she was violating ICBC’s policies around privacy and protection of personal information, as well as the conditions of her employment.
On the issue of vicarious liability, the Court found ICBC vicariously liable for any damages caused by its employee’s breaches of the Act. The Court determined that ICBC created the risk of wrongdoing and that, although ICBC had in place rules and policies forbidding improper use of its database, the possibility of an employee choosing to ignore them was “clearly foreseeable”. Further, there was no evidence of any system or method that would have detected or prevented the improper use of the ICBC database.
Lastly, with respect to damages, the Court held that (i) the class members are entitled to general, non-pecuniary damages on a class-wide basis for the breaches of the Act; (ii) individual class members are entitled to pecuniary damages for losses incurred due to such breaches and any individual non-pecuniary damages, subject to proof of those damages during the class proceeding; and (iii) ICBC’s conduct in these circumstances does not justify an award of punitive damages against ICBC.
Summary By: Anna Troshchynsky
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.