The Price of Privacy
Litigation in privacy breach cases in Canada is quickly becoming commonplace and losses are mounting. But the costs of a breach spread well beyond the courtroom.
Where a few years ago it was easy to find examples of breaches but difficult to find examples of losses arising from them, the environment in the US, and increasingly in Canada, has changed. In this new reality, individual and class actions tend to involve disclosure of personal information through insecure disposal of records, theft and loss of unencrypted data on mobile devices, and unauthorized access to records.
The year 2013 began with a shocking disclosure as Human Resources and Skills Development Canada (HRSDC) admitted to the loss of a portable hard drive containing unencrypted personal and financial information, including SIN numbers and birth dates, of more than half a million people who took out student loans and 250 employees. Reports allege a two-month delay in notification to the public of the breach. Three class actions have been launched and both the RCMP and the Privacy Commissioner are investigating. Affected persons are being notified by letter and a hotline set up to handle inquiries has reportedly received over 40,000 calls. This announcement follows the recent disclosure by HRSDC of another breach involving the loss of a USB key from an office in Quebec, containing personal information of more than 5,000 Canadians.
The year 2012 saw a number of high-profile breaches in the health industry resulting in losses. In May, the Peterborough Regional Health Centre fired seven employees who inappropriately accessed patient records. In BC, the provincial government disclosed that in three instances of data breaches in October 2010 and June 2012 more than five million persons’ personal-health data had been accessed without permission. This led to the costs of responding to an investigation by the Privacy Commissioner and notification of more than 38,000 individuals by letter. Furthermore, the government is dealing with costs associated with the termination of seven employees, at least two of whom have launched separate lawsuits in response to their terminations.
In 2011 the Ontario Superior Court granted certification of a class action against Durham Region Health when a nurse employed by the Durham Region Health Department allegedly lost a USB thumb drive containing personal and confidential health information relating to flu vaccinations to patients. The action followed an investigation and Order by the Ontario Information and Privacy Commissioner citing numerous breaches of the privacy health legislation. In the action, the plaintiffs sought $40 million in damages, citing risk of identity theft as a factor. The action was settled shortly after certification, with the Region agreeing to pay up to $500,000 on account of the plaintiffs’ costs, and individual payments to those affected individuals who can prove financial loss.
In a major private sector case, Honda Canada, Inc. is facing a class action launched in 2011 on behalf of 283,000 customers after their personal information, including names, addresses, VINs, and financial account numbers, was accessed by hackers. The action seeks $200 million and faults delayed notification of the breach to affected individuals by Honda.
Class actions have not been the only forum for litigation of privacy breaches in Canada. Examples of individual suits resulting in damage awards have shown Canadian courts are willing to put a value on the damage caused by invasion of an individual’s privacy, even where there are no actual losses. Although the cases are specific to their individual facts and to the law applicable in the jurisdiction in which the action was brought, they may be useful in predicting the likelihood of an award, and the quantum of such an award, in future breaches. These cases include:
- Recognition by the Ontario Court of Appeal of a new tort for invasion of privacy in the 2012 landmark decision in Jones v Tsige where the Court awarded $10,000 in damages to a man whose former wife, a bank employee, inappropriately accessed personal banking information about her ex-husband’s new partner 174 times. The Court imposed a cap of $20,000 where there has been no pecuniary loss, and although the possibility exists for punitive or aggravated damages on top of this amount, they would only arise in exceptional cases. It is important to note that this is a common law cause of action, separate and apart from any remedy under the Personal Information Protection and Electronic Documents Act (PIPEDA) or other similar privacy legislation. It remains to be seen whether entities subject to PIPEDA or similar legislation will be subject to duties and remedies under both this new common law action and the relevant statute. Furthermore, this new tort will be available to plaintiffs in class actions alleging privacy breaches.
- An award of $100,000 for punitive damages by the Quebec Court of Appeal in a 2010 decision against Standard Life. The plaintiff had been receiving disability benefits and as a result of surveillance by Standard Life, the investigators accidentally recorded the plaintiff’s brother engaging in very active tasks, which led to the termination of the plaintiff’s benefits.
- An action in BC by a businesswoman against her ex-husband, a doctor who accessed private information about her on an old home computer and published the information online and in emails. The BC Supreme Court awarded the plaintiff $20,000 for breach of privacy and defamation.
- An action in the Federal Court of Canada in which a businessman was awarded $5,000 plus costs for humiliation arising from the provision of inaccurate credit information by a credit reporting agency.
In a health sector case, in May 2011 the B.C. Supreme Court issued an Order to proceed in a class action against the Provincial Health Services Authority over the collection and storage of BC and Yukon newborns’ blood. The issue relates to the use of the stored information for medical research, and for indefinite storage, without permission.
Privacy litigation is still in its early stages in Canada. Many of the cases noted above are still at the preliminary stages, or have settled with little, if any, judicial pronouncement. The emergence in Canada of mandatory notification to individuals and/or the Privacy Commissioner when a privacy breach has occurred, although not yet fully enacted in Canada, will without doubt fuel litigation. The simple fact of being alerted to the potential of harm is enough to persuade some people to sue.
In this changing environment companies are taking more care to learn about these risks and to put in place effective solutions to them, including specialized Privacy and Network Liability Insurance. These products are not a one-size-fits-all solution. Expert advice in assessing risks and ensuring the proper insurance coverage is in place is essential.
Murn Meyrick is the founding partner of Grey Swan Advisory Inc. She can be reached at firstname.lastname@example.org.
Copyright 2013 Rogers Publishing Ltd. This article first appeared in the May 2013 edition of Canadian Insurance Top Broker magazine.