Teresa Scassa - Blog

Thursday, 06 August 2015 09:57

Data Security and the Rogue Employee

Written by  Teresa Scassa
Rate this item
(0 votes)

Data security breaches are frequently in the news, contributing to a growing anxiety regarding the security of the vast stores of personal information held by so many public and private sector organizations in Canada (and abroad). The recent passage of Bill S-4 (The Digital Privacy Act) will impose a data security breach notification requirement on private sector organizations covered by Canada’s Personal Information Protection and Privacy Act. This requirement has yet to come into effect; it awaits the drafting of regulations that will set out the manner and form of breach notifications.

Data security breaches occur in many different ways. While the paradigmatic breach is the malicious intruder who hacks his or her way past corporate firewalls to steal data, this is not the only (or even the most common) form of breach. In many cases, data breaches occur when devices such as USB keys or laptops that contain (often unencrypted) personal data go missing. Whether lost or stolen, it is often impossible to tell whether the data was or will ever be accessed or used. The laptop thief, for example, may have been seeking a laptop rather than the data it contains. Carelessness may take other forms as well; repeatedly faxing sensitive customer information to the wrong fax number is just one example.

The type of breach that perhaps causes the most anxiety for organizations comes from the ‘rogue employee’. Employees of organizations often, of necessity, have a great deal of access to sensitive customer information as a normal part of their duties. Organizations put in place policies regarding access and privacy, and may have other checks and balances within the institution to guard against (or to detect) unauthorized access. Unfortunately, an increasing number of security breaches seem to arise precisely because an employee has accessed personal information in contravention of these policies. This may be done for personal reasons (complicated interpersonal relations following the breakdown of relationships, for example), for financial gain, or for reasons that are not entirely clear. The breaches may affect only one or two individuals, or may be with respect to a significant number of people. Rogue employees are a security weak spot; they already have regular access to the data – all they require is motivation, whether it be personal or financial.

In March 2015, the BC Court of Appeal handed down an interesting decision in a case (Steel v. Coast Capital Savings Credit Union) involving an employee who had wrongfully accessed the personal folder of another employee. The folder was on the company’s server. The case was not a suit for invasion of privacy; the Credit Union for which the employee had worked had fired her following the detection of the breach. The employee had sued for wrongful dismissal, arguing that the penalty of dismissal was too severe given her 21 years of faultless service to the company. The employee worked in the IT department of the Credit Union, and had a high level of access to the company’s systems. She had accessed the personal folder of a manager at the credit union in order to see where she stood on a list setting out priority entitlement to parking. The breach was detected when the manager tried unsuccessfully to access the file at the same time that the employee was looking at the list.

The judge at first instance had upheld the dismissal of the employee, and she had appealed that decision to the Court of Appeal. What the case came down to, in essence, was whether a long-time employee with an excellent record could be dismissed for a one-time accessing of a file in a personal folder of another employee to view a list regarding the assignment of parking spots. The majority of the Court of Appeal ruled that dismissal was an acceptable response. Writing for the majority, Justice Goepel observed that the Supreme Court of Canada made it clear that “dishonesty going to the core of the employment relationship carries the potential to warrant dismissal for just cause.”(McKinley v. BC Tel, at para 57). Such conduct is that which “violates an essential condition of the employment contract, breaches the faith inherent to the work relationship, or is fundamentally or directly inconsistent with the employee’s obligations to his or her employer.”(McKinley at para 48). While other factors (such as length and quality of service) may be relevant, the key issue is whether there has been a fundamental breakdown in the employment relationship. In this case, the Court of Appeal accepted the assessment of the trial judge that the clear breach of internal privacy policies by someone in the position of the appellant employee (whose level of system access created a relationship of trust) led to a “fundamental breakdown of the employment relationship”. (at para 34).

The dissenting justice would have given more weight to the long service of the employee and to the non-critical nature of the information she accessed. Justice Donald also noted that the company policies did not require dismissal for breach of the policies on privacy and access. Disciplinary action could be “up to and including termination of employment”, based on a range of contextual factors which included “the type and severity of the violation, whether it causes any liability or loss to the company, and/or the presence of any repeated violation(s).” (at para 15) He would have found that termination was an excessive consequence on the facts of this case. That this approach was not accepted by the majority of the Court may be an indication that courts are beginning to recognize the broader concerns over the risks posed by “rogue employees” to both their employers (in terms of their potential liability) and to the public.

Login to post comments

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law