Confidential data leaks – what are the vicarious liability risks for sports organisations?Tim Meakin , Tim Walker, Richard Davies
Vicarious liability is a legal principle that renders a person, company (or certain organisations) liable for the “tortious” (wrongful) acts of another. The principle is well established in the sports law arena. For example, the tortious “on-field” act of a professional sports person (typically a reckless tackle causing career-ending injuries to another participant) has been deemed as impliedly authorised by the employer (or as an unauthorised way of undertaking the professional employment duties) and thus constitutes acting in the course of employment1.
The principle can also extend beyond the employer/employee relationship (as we explore below). For example, an amateur sports club that places its junior players under the supervision of volunteer coaches may find itself vicariously liable for the negligence or deliberate torts of those coaches.
This article addresses a particular area of potential liability of sports organisations, namely the risks associated with unauthorised disclosure of confidential information held by such organisations (which ranges from commercial information regarding sponsors to personal and medical information relating to sports people). Specifically, it looks at:
- Part 1 - outlines the legal principles of vicarious liability and recent decisions which have expanded the scope of the doctrine;
- Part 2 - sets out a number of scenarios applicable to sports organisations demonstrating the potential reach of vicarious liability claims in the event of unauthorised disclosure of confidential information; and
- Part 3 - discusses practical steps that organisations may take in order to mitigate such risks.
Part 1 - Key vicarious liability principles and recent developments
Historically, the scope of vicarious liability has developed to encompass not only sports personnel, but also sports governing bodies and other related organisations, which may be held vicariously liable for the negligence of their members2.
The decision of Lister v Hesley Hall3 further broadened the range of potential defendants by formulating the “close connection test” to determine vicarious liability4. This is particularly relevant to unauthorised acts (foul play is an example), which historically were found to be outside the scope of employment. The test determines that in the appropriate case, the negligent, or reckless, foul play of the employee player will be deemed as authorised by the club based on the close connection between the tortious act and what the employee player was employed to do5.
The principles of vicarious liability have recently been considered by the Supreme Court. In Various Claimants v Catholic Child Welfare Society (the “Christian Brothers” case), Lord Phillips declared, “...vicarious liability is on the move.6.” And in Cox v Ministry of Justice7 (“Cox”) Lord Reed commented that Cox and the Supreme Court case of Mohamud v WM Morrison Supermarkets8 (“Mohamud”), “provided an opportunity to take stock of where it has got to so far”.9
Key sports law commercial from the Cox case
To read about the facts and decision in Cox please see the footnotes.10
The key takeaway points11 arising from Cox are:
(1) Once the criteria for the imposition of vicarious liability are established then a club or other sporting organisation cannot defend liability on the basis that it took all reasonable precautions to prevent the tort in question occurring (for example, by adequate risk assessments and/or training). There is therefore no defence of reasonable practicability for a company, or organisation.
(2) Vicarious liability does not depend on the classification of the relationship for the purposes of taxation, or national insurance12. Essentially, defendant companies and sporting organisations cannot avoid vicarious liability on the basis of technical arguments about the employment status of the individual who committed the tort.
(4) A critically important criterion is the extent to which a business, through its activities, creates the risk of injury/loss that eventuated13. The more risk it created the more likely vicarious liability will be invoked. Moreover, a “business activity” does not require the defendant to be a conventional business entity, or that there was an underlying commercial profit motive. Careful consideration therefore has to be given to the particular types of commercial activity undertaken and the consequent potential for a claim based on vicarious liability to arise.
(5) That a company, or organisation is a non-profiting making one will not, of itself, prevent the imposition of vicarious liability. This was a core point expanded upon in Cox:
“It would be as naïve to imagine that all employees are subjectively committed to the interests of their employer as to imagine that no prisoner working in a prison kitchen derives any satisfaction from doing his job well or from obtaining the vocational qualifications available to him. The fact that a prisoner is required to serve part of his sentence in prison, and to undertake useful work there for nominal wages, binds him into a closer relationship with the prison service than would be the case for an employee. It strengthens, rather than weakens, the case for imposing vicarious liability.”14
The implications are clear for many amateur sports clubs and organisations, as well those which operate on a “non-profit-making” basis. A previous defence based on the contention that the acts of the third party did not attract vicarious liability as the tortfeasor was not an employee and/or that the institution was not a business consistent with an employer-employee relationship, will no longer provide a complete defence.
(6) Vicarious liability ultimately always has to satisfy the test that it is imposed where it is fair, just and reasonable. The criteria for its imposition set out in the Christian Brothers case are designed to ensure that it is imposed where that test is satisfied. The approach of the courts, therefore, ought to be to determine whether the Christian Brothers criteria for its imposition are satisfied. Where they are satisfied, it should not generally be necessary to re-assess the fairness, justice and reasonableness of the result in a particular case.15.
The Mohamud case saw the Supreme Court again endorsed the application of the “close connection” test, which focused on the relevant tortious act of the employee and what he was employed to do. For a detailed review of Mohamud, please see the footnotes.16
For more on Mohamud and Cox, please see this LawInSport article: “Who shoulders the blame? An analysis of vicarious liability in the sports industry”.17
Wider commercial sports law implications
The Supreme Court’s judgments are already being applied more widely and have additional direct effects on companies and organisations other than in purely personal injury related cases. Recently, Axon v Ministry of Defence18 (“Axon”) held that vicarious liability can be found based on the mis-use of confidential data. The claimant was the commanding officer of a Royal Navy vessel, who was accused of bullying officers on his ship, and this was reported in the national press. The claimant resigned in 2007. He was later informed that a national newspaper had an unauthorised source of information in the MOD, who had been prosecuted for divulging information to the newspaper. In 2014, the claimant sued the MOD relating to the unauthorised disclosure of private information.
The main cause of action on the misuse of private information was dismissed, but Nicol J considered that if there was a (data breach) tort committed against the claimant by the MOD employee then the MOD would have been vicariously liable. [para 95] :
“If this was the case, then it would ….be just to require the MOD to assume vicarious responsibility. This is not simply an example of the employment being the opportunity for the wrong to be committed. As part of her work, she needed to have access to security sensitive and confidential information….. There is always an inherent risk that those entrusted with such information will abuse the trust reposed in them, but rather than this being a reason why vicarious liability should not be imposed, I think, on the contrary, it is a reason in its favour. …. What she did was prohibited… If I had held that Ms Jordan-Barber had committed a tort (contrary to my findings), I would have concluded that that hypothetical tort would have been sufficiently closely connected with her job for it to be just for the MOD to be vicariously liable.19”
Relevant points from a commercial perspective
First, the context of the case law is that there is always an underlying risk that confidential information entrusted to employees will be mis-used, but this will not preclude the imposition of vicarious liability; in fact it strengthens the case20. It was of no consequence that divulging confidential information was done without the knowledge of the MOD, or that it gave the MOD no discernible advantage.
Secondly, that this expansive approach to vicarious liability has significant ramifications for sports companies, public bodies and other sporting organizations. Vicarious liability has developed into areas previously considered outside its scope and now many commercial actions and decisions are clearly no longer “off limits”. Thirdly, the unauthorised disclosure, and/or use of such information by employees of companies, sports governing bodies and public bodies, particularly those in security-sensitive roles, risks the imposition of vicarious liability.
The governing body approach to vicarious liability in commercially sensitive sports law data
Aside from liability in tort enforced through the courts, sports organisations may also face sporting sanctions and financial penalties imposed by governing bodies for misuse of confidential information by employees (whether authorised or otherwise). Governing bodies are concerned to enforce codes of conduct rather than apply strict legal tests regarding the imposition of vicarious liability. Misuse of confidential information by employees may have significant consequences, even where no claims for vicarious liability are made or could not be established.
For example, in 2007 following the "Spygate" controversy in Formula 1, the governing body, the FIA, withdrew all points awarded to McLaren in the constructors’ championship and fined the team $100m after establishing that employees of McLaren had collected and exploited confidential information relating to a rival team.
More recently, in the USA the Major League Baseball (MLB) Commissioner held in January 2017 that the Astros’ Baseball Team’s email system had been hacked.21 The result was that a database was accessed, which held commercially sensitive data in 2013, including a scouting database. Following an investigation, the St Louis Cardinals’ executive, Chris Correa, was found to have obtained unauthorised access and he was sentenced to a term of imprisonment and ordered to pay restitution. The Cardinals were to be held vicariously liability as a matter of MLB policy. The Cardinals had indirectly obtained an “unfair competitive advantage”, even if the actions of Correa were contrary to his sanctioned conduct and were not known to the Cardinals.
In both cases, it is arguable that the innocent teams whose information was accessed could have maintained actions in tort that the wrongdoing team was vicariously liable for the conduct of its employees, with potential damages including the costs of investments in creating the accessed data and impact on prize money and sponsorship due to diminished performance of the innocent team or the enhanced performance of the wrongdoing team. Therefore there are clear consequences for sporting originations that stretch beyond the need for sports to protect their data, but also to take additional action to ensure that all staff are trained and warned in the appropriate use of management systems.
Part 2 – Scenarios
As outlined above, the risk of sporting organisations being held vicariously liable for the actions of their employees (and potentially others with looser connections) appears to have heightened following recent case law decisions. This section outlines some scenarios in which the unauthorised disclosure of confidential information by individuals connected with a sporting entity may result in vicarious liability being imposed.
Scenario 1 – release of medical information
Facts - A football club holds a medical for a potential new signing, which is failed due to the club’s assessment of a previously undisclosed knee injury. The unauthorised public disclosure of this information by a physio employed by the football club results in the player’s negotiations with a second club, which had not picked up the knee injury during a medical, breaking down and the player being unable to find a new contract. The manager of the second club publicly confirms that news of the injury led to the club withdrawing a contract offer.
Analysis – As an employee, the physio satisfies the relationship test between tortfeasor and defendant and in line with the reasoning in Mohamud and Axon, the act of disclosure can be seen as within the scope of activities entrusted to the physio (particularly as access to the information came directly as part of carrying out contracted duties). A waiver signed by the player prior to undertaking the medical may not exclude liability in tort relating to unauthorised disclosure. Accordingly, it is plausible that an action for the tort of breach of confidence by the player against the physio’s club could potentially be sustained. Potential damages may include the value of the contract with the second club (though there may be difficulties with causation due to the existence of the pre-existing injury).
Scenario 2 – Release of performance data
Facts – A rugby club holds performance data collected from wearables relating to a former player. The data demonstrates a decline in the player’s fitness over the previous two seasons. The former player enters contract negotiations with a second club during which time the performance data is published online by a consultant engaged by the club to analyse data. During negotiations, the second club mention the released data and concern relating to fitness and move to offering a package heavily based on appearances rather than base salary. After an injury hit season, the player is released by the second club.
Analysis – The player may claim that the unauthorised disclosure caused a decrease in earnings, as the original base salary offered would have resulted in higher remuneration. In accordance with Cox, notwithstanding the absence of an employment relationship, the first club may be held vicariously liable for the actions of the consultant analyst. The issue is likely to depend on the extent to which the consultant engaged was "embedded" in the club as an analyst (akin to the priest in the Christian Brothers case, or the prisoner in Cox), or whether he was providing his services as a professional to the club as his client, e.g. a one off job for which he was supplied a bundle of data for analysis of the performance of a number of players. If the former, subject to contractual provisions of the player’s expired employment contract with the first club, an action in breach of confidence may potentially be sustained against the first club. If the latter, the action will lie against the analyst, who would have been on notice of the confidential nature of the information. The player could seek to recover the difference between his actual earnings against the earnings that would have accrued under the higher base salary offer.
Scenario 3 – Release of commercially sensitive information
Facts - a governing body holds commercial details of its arrangement with an ex-sponsor, including the value of sponsorship fees and the poor performance of activation campaigns. An employee leaks a copy of the contract and an internal report detailing the failure of the relationship to the media. The ex-sponsor had entered into negotiations with a third party relating to another sponsorship opportunity. The disclosure leads to the ex-sponsor paying a higher sponsorship fee.
Analysis – the ex-sponsor may have a claim against the governing body in breach of contract, however, the terms of the contract and the potential for damages in tort may permit and result in the sponsor making a claim for breach of confidence in tort. In line with the analysis in Scenario 1, the governing body may potentially face a vicarious liability claim, with damages claimed in relation to the increase in sponsorship fees under the subsequent deal.
Scenario 4 – Release of disciplinary records
Facts - a football club held internal investigations into allegations of bullying and harassment by its manager who has since moved to another club. The allegations were found to be untrue. An employee of the club leaks the internal investigation report to the media. Disclosure of the allegations causes reputational damage and the ex-manager loses a number of endorsement contracts with third party sponsors, who terminate pursuant to broadly drafted reputational damage provisions.
Analysis – In line with the Scenario 3, the governing body may potentially face a vicarious liability claim, with damages claimed in relation to the anticipated revenue from lost endorsement contracts.
In summary, the above scenarios demonstrate that sports organisations may face claims in tort relating to the release of confidential or commercially sensitive data. A variety of such sensitive data is customarily held by sports organisations and the media interest in sport enhances the risks associated with unauthorised disclosure. Although successful claims face a number of hurdles, including contractual restrictions (where a contract existed between claimant and defendant), proving loss and causation and the reputational risks to a claimant of instigating (and thus publicising) such a claim, sports organisations are advised to consider how the risk and impact of such claims can be minimised.
Part 3 – How to mitigate risk and avoid vicarious liability
Whilst a contribution can be sought from the tortfeasor in a negligence action pursuant to the Civil Liability (Contribution) Act 1978, there may be many situations where the relevant tortfeasor cannot provide suitable recompense. Even where a highly paid athlete is the tortfeasor, organisations may have strong incentives not to pursue the athlete, such as the continued relationship with the athlete and the reputational damage further publicity may cause.
Therefore sports organisations, governing bodies and companies face significant challenges in preventing a finding of vicarious liability in the commercial sports law context. From the organisation’s perspective the imposition of vicarious liability appears unfair, as it can be imposed relating to acts which were not authorised, or even known about. However, that outcome is a product of a policy based decision and that trend is unlikely to be reversed in the near future. Therefore what can be done to protect the position against vicarious liability?
- Employee indemnities - one potential solution is to insert indemnities in employment contracts covering losses suffered by the employer as a result of the employee’s tortious acts. However, indemnities of this nature may be of limited practical value for three reasons:
- as noted above, the tortfeasor may not have the ability to pay (and in case of highly paid sportsperson – likely incentive not to sue if still employed),
- such indemnities are likely to be difficult to enforce in practice; and
- standard form contracts which exist in certain leagues may make the insertion of such indemnities more difficult (although separate, and unregulated, contracts such as image rights deals could be include an indemnity against vicarious liabilities).
Despite the limited enforcement value of such clauses, organisations may still consider the deterrent value of including such clauses. They are likely to be of more value where the tortfeasor is an independent consultant rather than an employee, e.g. a medical practitioner or marketing consultant;
- Procedures and training - care should be taken to vet suitable employees and to limit the type of information to which they have access and/or which they use as part of their employment duties. Confidential data in a sports context will include, medical records on sports personnel, personal information, recruitment, training and performance data, all of which could provide an unlawful competitive advantage and/or result in damage being caused to third parties. Information management and data security systems can ensure that access is restricted to sensitive electronic data. Additionally, organisations may adopt policies and impose training requirements that ensure all employees are aware of the wider implications of their actions, including relating to identifying, and the consequences of disclosing, confidential information. Risk-management policies can be revised to adopt negligent conduct but the irresponsible one-off actions of an employee is difficult to prevent in practice;
- Contractual protections – a number of contractual protections can be inserted into commercial agreements to limit the consequences of unauthorised disclosures, including:
- including appropriate entire agreement and exclusion of liability clauses which restrict parties with which the organisation has a contractual relationship to claiming only in breach of contract (and not in tort) and excluding damages in tort;
- including clear rights to injunctive relief in case of unauthorised disclosure of confidential information; and
- in sponsor contracts, limit rights of termination in event of reputational damage. Such clauses are typically heavily negotiated and often do not require actual wrongdoing or defined events in order to trigger a termination right. The potential for such contracts to be terminated in the event that unauthorised disclosures lead to reputational damage may compound the consequences of such an event for the organisation in question;
- Insurance – review insurance cover to ascertain the level and limits of protection relating to claims in tort; and
- Incident management and settling claims – have effective incident management procedures in place to ensure that events are contained. When settling claims, ensure effective confidentiality provisions are included to avoid further reputational damage – this is often be a key consideration for claimants as well as defendants.
The number of recent appellate court decisions in the field of vicarious liability demonstrates the continuing expansion of the doctrine and the content of those decisions is likely to ensure more activity in this area. This article has demonstrated circumstances in which vicarious liability could attach to sports organisations holding confidential information relating to third parties. Sports organisations are particularly likely to be targets of such actions due to the profile and deep pockets of professional organisations in many sports.
Additionally, the risks for sports organisations relating to unauthorised disclosure of confidential information are heightened as such information is often highly news-worthy, increasing the likelihood of damage being caused to affected parties. In designing processes and policies to restrict the unauthorised disclosure of confidential information, sports organisations are advised to recognise and mitigate the potential for vicarious liability claims.
This work was written for and first published on LawInSport.com (unless otherwise stated) and the copyright is owned by LawInSport Ltd. Permission to make digital or hard copies of this work (or part, or abstracts, of it) for personal use provided copies are not made or distributed for profit or commercial advantage, and provided that all copies bear this notice and full citation on the first page (which should include the URL, company name (LawInSport), article title, author name, date of the publication and date of use) of any copies made. Copyright for components of this work owned by parties other than LawInSport must be honoured.
- Who shoulders the blame? An analysis of vicarious liability in the sports industry
- The Tom Arscott Case - players' duties of confidentiality & the RFU's rules on leaking "inside information"
- The legal remedies for victims of child abuse in English football
- An overview of key case law relating to negligent liability for sports injuries (Part 1)
- An overview of key case law relating to negligent liability for sports injuries (Part 2)
About the Author
Tim Meakin is a barrister at Seven Bedford Row. His practice covers a wide range of sports, including doping cases, and other sports disciplinary cases, child safe-guarding, in addition to specialist personal injury and professional negligence claims (including claims relating to doctors, physiotherapists and coaches). He has been instructed on a wide range of issues from individual sports personnel to major sporting bodies, (including the Rugby Football League, UK Athletics and British Cycling Federation). Tim provides both advice and representation in courts and tribunals and has undertaken a wide range of civil litigation and disciplinary cases before sports governing bodies as diverse as the Football Association, British Gymnastics and the British Canoe Union. Tim also writes on issues relating to Sports Law and he is a member of the British Association for Sport and Law (BASL).
Tim's practice focuses on the problems faced by small and medium sized enterprises in the commercial and employment fields. As a former international hockey player and qualified coach, distinctly average golfer, road cyclist and long term Liverpool fan, Tim also has a keen interest in sport and legal matters relating to sport.
Richard specialises in commercial contracts, with a particular focus on the technology, media, sport and retail sectors. He has experience advising on a wide range of commercial contracts, IP, consumer and data protection matters. Richard has particular expertise in e-commerce and the use and monetisation of digital content. He has experience advising and drafting and negotiating agreements for a range of businesses from start-ups to major UK PLCs.
Richard is admitted to practise in England and Wales.