In cases of information loss, we are judged based upon our actions (the practices that take place when information was exposed), and not our intentions (policies written to satisfy regulations that do not address our actual business practices).
Perhaps the most overlooked liability in preparing for information loss or breach is the notion of Vicarious Liability. Vicarious Liability is a legal doctrine that imposes tort liability, or legal responsibility on one person for the negligence or actions of another. Under this doctrine, owners, Board members, executives, and employees can be held civilly and criminally responsible for damages that individuals incur based upon how lost information is misused.
In other words, there is a shared liability between the organization and the employee for the way in which information is handled. Dr. John White, the Criminal Justice Coordinator at Martin Methodist College states,” Therefore the question, as it regards vicarious liability as courts have defined it, is not what you knew, but what you should have known to execute the proper level of care in relation to the injury or harm caused.” The administrator’s level of expertise related to assessing information exposure risks and the employee’s adherence to prudent practices comes into question in these types of cases.
“A defensible position for personal liability must be derived from assessing risks in your privacy, security, usage, and notification practices, and using this knowledge as a basis for your Identity theft Prevention Program.”
A Medium to Large Organization A Small Business
