During the pandemic, businesses and organizations in the CKL are exploring new, online forms of service delivery and operations.
With this new way of doing business, the risk of a privacy or data breach increases.
Every business should have a privacy breach protocol policy, for example, delineating the steps that will promptly be taken in the event of a breach of personal information.
But did you know a business can also be held vicariously liable for an employee who, intentionally or otherwise, breaches the privacy of a customer or client?
Ontario Courts have found employers vicariously liable for an employee's wrongdoing, including a breach of data, where the risk of the breach was heightened because, for example, the employee was authorized to access the data without sufficient supervision or, despite not being authorized to access the data, had sufficient opportunity to access it because of the employer's failure to put in place appropriate security controls.
As the "new normal" continues to develop, CKL businesses and organizations should take steps to protect against this potential for vicarious liability, including by:
- limiting employee access to personal and other highly confidential information on a need-to-know basis;
- adopting policies that outline the specific bases on which personal and other highly confidential information may be accessed, used, transferred or disclosed by employees;
- implementing a protocol for supervision of employees with access to sensitive personal and other highly confidential information;
- putting in place technological safeguards that prevent employees from downloading customer information, other than to the extent necessary, and creating alerts for supervisors when sensitive personal and other highly confidential information is accessed;
- ensuring the availability of logs recording access to personal and other highly confidential information, and implementing protocols for reviewing these logs for compliance with expected access and use; and
- for highly sensitive information, considering a protocol that requires two employees to sign off before access is granted.
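The need-to-know limits, bulk-download safeguards, supervisor alerts and two-person sign-off described in the list above can be checked mechanically against an access log. The script below is an added illustration, not code from the original article: it reviews a constructed, space-separated access log against a constructed role-to-data-category policy and reports each access that falls outside an employee's authorized categories, exceeds a bulk-download threshold, or touches a dual-control category without a second employee signing off. The log format, role names, thresholds and categories are all assumptions chosen for the example.

```python
"""Review a constructed access log for need-to-know, bulk-download and
dual-control violations. Example code only; the policy tables, log
format and thresholds are assumptions, not any real organization's."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed policy: which data categories each role may access.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "billing": {"contact", "payment"},
    "support": {"contact"},
    "hr": {"contact", "health"},
}

# Constructed: categories that require two employees to sign off.
DUAL_CONTROL: Set[str] = {"health"}

# Constructed: more records than this in a single action is treated as a bulk download.
BULK_THRESHOLD = 50


@dataclass
class AccessEvent:
    timestamp: str
    user: str
    role: str
    category: str
    record_count: int
    approvers: Tuple[str, ...]  # other employees who signed off; empty if none


# Constructed sample log. Fields: timestamp user role category records approvers
# ("-" means no second sign-off; approvers are comma-separated).
SAMPLE_LOG = """\
2021-03-01T09:02:11Z alice billing payment 1 -
2021-03-01T09:05:40Z bob support payment 1 -
2021-03-01T09:10:02Z alice billing contact 250 -
2021-03-01T09:12:55Z carol hr health 1 -
2021-03-01T09:15:30Z carol hr health 1 dave
"""


def parse_line(line: str) -> AccessEvent:
    """Parse one log line in the constructed format into an AccessEvent."""
    ts, user, role, category, count, approvers = line.split()
    approver_tuple = () if approvers == "-" else tuple(approvers.split(","))
    return AccessEvent(ts, user, role, category, int(count), approver_tuple)


def review_event(ev: AccessEvent) -> List[str]:
    """Return a list of policy findings for a single access; empty means compliant."""
    findings: List[str] = []

    # Need-to-know: the role must be permitted to see this category at all.
    allowed = ROLE_PERMISSIONS.get(ev.role, set())
    if ev.category not in allowed:
        findings.append(f"need-to-know: role '{ev.role}' is not permitted '{ev.category}'")

    # Bulk download: large pulls should be the exception and must be reviewed.
    if ev.record_count > BULK_THRESHOLD:
        findings.append(f"bulk download: {ev.record_count} records in one action")

    # Dual control: the accessing employee plus at least one other must sign off.
    if ev.category in DUAL_CONTROL:
        signatories = {ev.user} | set(ev.approvers)
        if len(signatories) < 2:
            findings.append("dual control: two employee sign-offs required, one present")

    return findings


def review_log(text: str) -> List[Tuple[AccessEvent, List[str]]]:
    """Review every non-empty line and return only the events that produced findings."""
    flagged: List[Tuple[AccessEvent, List[str]]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        findings = review_event(ev)
        if findings:
            flagged.append((ev, findings))
    return flagged


def supervisor_alerts(flagged: List[Tuple[AccessEvent, List[str]]]) -> Dict[str, int]:
    """Count findings per employee, the summary a supervisor alert would carry."""
    counts: Dict[str, int] = {}
    for ev, findings in flagged:
        counts[ev.user] = counts.get(ev.user, 0) + len(findings)
    return counts


if __name__ == "__main__":
    for ev, findings in review_log(SAMPLE_LOG):
        for finding in findings:
            print(f"{ev.timestamp} {ev.user}: {finding}")
    print("alerts by employee:", supervisor_alerts(review_log(SAMPLE_LOG)))
```

In the sample, alice's single payment lookup and carol's health record access with dave's sign-off pass; bob's payment lookup is outside his role, alice's 250-record pull is a bulk download, and carol's unaccompanied health access lacks the second sign-off. Running such a review over real logs on a schedule is one way to give the "protocol for reviewing these logs" a concrete, repeatable shape.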
To manage potential exposure from vicarious liability involving a compromise of personal information, organizations should identify risks that are particular to their organization and tailor the risk management plan accordingly.