Employee Misconduct and Corporate Liability

From the standpoint of a corporation, the Supreme Court of Canada decision in Deloitte & Touche v. Livent Inc. (Receiver of) 2017 SCC 63.sets out guiding principles for determining many issues around potential liability. Among these is an important question: Where employees of a corporation engage in fraud or other misconduct, how broad is the corporation’s duty of care to prevent loss or damage to others?

The Background in Broutzas v. Rouge Valley Health System

This was one of several legal questions in Broutzas v. Rouge Valley Health System [2018] O.J. No. 5528. It involved misconduct by three employees of two different public hospitals, which by the time of trial had merged into one (the “Hospital”). All three employees had improperly accessed the confidential health records of about 26,000 female patients – specifically new mothers who had recently given birth at the Hospital. These consisted of their names and contact information, but not medical information or health records.

Two of the employees then took the mothers’ contact information and sold it to the sales representatives of a Registered Education Savings Plan (RESP) investment dealer. The third employee was himself a sales representative while also working on staff at the Hospital. In both scenarios, the sales reps used the confidential contact information to phone the new mothers, and try to sell them RESPs for their newborns.

Feeling aggrieved by these sales solicitations, a group of the new mothers brought a court motion to have two proposed class actions certified against the Hospital, the RESP investment dealer, and the rogue employees personally. Collectively, they sought damages exceeding $450 million from these parties, based on various legal claims for negligence, breach of contract, intrusion on seclusion, and breach of privacy legislation.

The court assessed the mothers’ various claims to determine whether their class actions should be certified. Ultimately, it dismissed them both.

First – and while there was indeed a cause of action for “intrusion on seclusion” – the invasion of the mothers’ privacy was not significant. It involved only names and contact information but not health records, clinical notes, or examination notes. While some new mothers were emotionally upset over being pitched to buy RESPs, a reasonable person would not conclude that they would suffer distress, humiliation, or anguish, as some women claimed.

Likewise, breach of contract claims against the hospital could not go forward, since it was plain and obvious they would not succeed. The relationship between the hospital and the patients, for the provision of medical services, was not considered to be one based in contract.

On the other hand, respecting their claims for negligence and breach of privacy, the new mothers did have feasible claims against the Hospital and its employees. Yet the court dismissed this aspect of the certification motion as well, finding that a class proceeding was not the preferable procedure for advancing these kinds of claims, in light of overall fairness, efficiency and manageability of the class proceedings process as compared to other avenues.

Corporate Liability of RESP Dealers, Based on Duty of Care

Against this background, the ruling in Broutzas contained an embedded corporate issue: Whether the new mothers proposed class action for negligence should include the RESP investment dealer (the “Dealer”).

The mothers’ claims were innovative: They that the Dealer owed a duty of care to them, as prospective clients in the referral arrangements set up by the three rogue employees. The Dealer breached the standard of care expected of it in the circumstances, since it knew or ought to have known that its employees were obtaining leads from the Hospital through access to confidential health records. It should have supervised its sales reps better, the mothers claimed, and should have monitored them to protect the personal information of the Hospital’s patients. Their negligent failure to do so caused themothers to suffer damages and losses.

The court disagreed. Citing the Supreme Court of Canada decision in Deloitte & Touche v. Livent (Receiver of) the court in held that the Dealer had no duty of care to protect the new mothers from the type of conduct perpetrated by the rogue Hospital staff.

Logically, the flaw in the mothers’ argument was this: From the Dealer’s perspective, the breach of privacy was not reasonably foreseeable; the conduct of its sales representatives came after that of “hospital employees who had already hacked the patients' information and who then hawked the information.” Put a different way: Even if the Dealer had supervised its sales staff more closely, it would not have prevented the rogue Hospital employees from invading the new mothers’ privacy.

Legally, the court also concluded that the legal claim against the Dealer was a novel one, but it was not one that merited recognition as a new type of action. The Dealer did not have a duty of care toward the

Disclaimer: The content in this article is provided for general information purposes only. It does not constitute legal advice. All rights are reserved.