The Supreme Court of the United Kingdom has decided an important vicarious liability case in favour of a company whose rogue employee stole payroll information and posted it online.
The company entrusted the employee with payroll data pertaining to over 120,000 of its employees to facilitate an audit. The employee – who was still aggrieved about some discipline the company had earlier imposed – passed the data to the auditor as instructed, but kept a copy and posted it online as part of a personal vendetta.
As in Canadian law, United Kingdom law deems employers to be responsible for the wrongful acts of their employees that are not authorized if there is a “sufficient connection” between the wrongful act and the work that is authorized. The creation of “opportunity” to commit the wrong is a factor, and the analysis is to be conducted with a view to the policy-implications, leading some to argue that data security concerns justify broadly-imposed vicarious liability.
Nonetheless, the Court held that cause (or the creation of opportunity) was not enough to warrant this employer’s liability for its employee’s data theft. That is, the employee’s theft (and his public disclosure) was caused by the company’s provision of data to the employee, but the employee was still motivated to harm the employer and “on a frolic of his own” that did not warrant employer liability.