Recent Developments in Canadian Privacy and Cybersecurity Law

Posted by Mark Greisiger

Q&A with Alex Cameron
In Canada, litigation and regulatory activity regarding privacy and data breaches have increased dramatically. I spoke with Alex Cameron of Fasken Martineau, a leading attorney in this area in Canada, about the factors contributing to the increasing risk and potential liability for organizations doing business in Canada. With the recent landmark changes to Canadian privacy law, discussed here, including mandatory breach notification, record keeping for all breaches, and fines, the trends identified below are sure to continue.

Can you give an overview of the general uptick in Canadian litigation for privacy/data breaches? What’s driving this?
Canada has seen an unprecedented increase in data breach litigation and class action certifications. As reflected in the Table of Cases below, we have seen claims advanced in cases involving unauthorized access or loss (e.g. hacking, rogue employees, lost hard drives), as well as business practice cases (e.g. using information for commercial purposes without obtaining adequate consent). The prevalence of breach notifications, and broader awareness about privacy rights and remedies, have caught the attention of individuals and class action lawyers and are contributing to the increase in litigation.

Another significant factor that has encouraged litigation is the potential for plaintiffs to obtain awards in the absence of harm, whether through claims for invasion of privacy, waiver of tort, or breach of contract. Individuals do not need to show that they are victims of fraud or identity theft as a result of a breach in order to obtain an award of damages. Individual plaintiffs have obtained awards ranging from several hundred dollars to tens of thousands of dollars for relatively minor privacy breaches, which has translated to staggering damages claims in class actions with a large number of affected individuals.

Can you give an overview of the tort of ‘intrusion upon seclusion’ and its ramifications?
The Jones v. Tsige case, released in 2012, recognized for the first time in Canada a form of the United States’ common law tort of invasion of privacy: intrusion upon seclusion. In the Jones case, the defendant, an employee of a bank, viewed the plaintiff’s banking information without authorization on a number of occasions—there was no use or disclosure of information, no humiliation, and ultimately no harm that flowed from the breach.

The Jones case is important because it introduced not only the right to sue for invasion of privacy but also the possibility of obtaining damages for the breach itself, without showing harm. Although the defendant’s conduct in invading the plaintiff’s privacy must be intentional (or reckless) and highly offensive (causing distress, humiliation or anguish), proof of harm is not an element of the cause of action. The plaintiff in Jones obtained an award of $10,000 in damages to “mark the wrong that has been done.”

The historic Jones decision has unquestionably contributed to the increase in privacy litigation in Canada. In virtually every privacy claim launched since the decision was released, plaintiffs have claimed intrusion upon seclusion and alleged that the defendant’s conduct was “reckless.” Claims for intrusion upon seclusion have been certified to proceed in a number of recent class actions.

What are you seeing in terms of the plaintiff’s evolving claims and arguments for recovery in the wake of a privacy breach?
Plaintiffs have advanced a variety of legal theories and claims in this area. We’re seeing statutory claims such as breach of data protection laws and statutory privacy torts in certain provinces, the common law tort claim for intrusion upon seclusion discussed above, as well as claims for vicarious liability, negligence and misrepresentation, among others.

More recently, plaintiffs have sought recovery based on “waiver of tort” whereby they are seeking a disgorgement of the profits made by the defendant in breaching privacy for commercial gain or in failing to incur costs for measures necessary to protect privacy. This claim is at issue in a number of cases and has recently been certified to proceed as part of a prominent class action. The emergence of the waiver of tort claim in this field is significant because recovery could be substantial, and because plaintiffs will undoubtedly seek broad discovery of documents and information regarding the defendant’s profits and internal business decisions in relation to privacy.

Breach of contract is another important claim emerging in this area. Plaintiffs in some cases are alleging that their contractual relationship (e.g. with an employer, business or other organization) includes the obligation to protect privacy, including on the basis that privacy policies form a part of the contract. As we have seen in a recent case, since a court can award nominal damages for a breach of contract in the absence of harm, this line of argument may have significant ramifications for class actions. If plaintiffs can demonstrate that a large class had the same contract with the defendant, and that it was breached, even a nominal award for each plaintiff could translate into a significant claim if the class is large.

Can you give us a summary of Canada’s Anti-Spam Law (CASL) and penalties for violators?
CASL is an onerous opt-in regime that has serious ramifications for all organizations that do business in Canada and for those that promote their products and services to Canadian markets. The law regulates two main areas. The first is the sending of commercial electronic messages to and from Canada, including marketing and other promotional messages. Under CASL, it is prohibited to send such messages unless the recipient has expressly opted-in in the prescribed manner, or one of a variety of exemptions applies. CASL has considerably narrowed email marketing and related activities in Canada, including in both the consumer and business-to-business context. The second area regulated by CASL regards the installation and update of computer programs, including apps, and in many cases requires express consent in the prescribed manner.

Violations of CASL can lead to the imposition of significant administrative monetary penalties (up to $1 million for individuals and $10 million for organizations) by the regulator. Damages and statutory damages (i.e., no proof of harm required) will also be available through a private right of action that will come into force in 2017. We have already seen enforcement activity under CASL which resulted in a $1.1 million penalty in one case involving inadequate consents, an undertaking to pay $150,000 in a case where consents were not proven and an undertaking to pay $48,000 in another case involving an inadequate unsubscribe mechanism. Directors, officers and others can also be held liable for penalties and damages if they directed, authorized, assented to, acquiesced in or participated in the commission of the violation.

Have you seen many recent uninsured losses that may not be in the public eye?
I routinely work on data breach and related matters (both in Canadian matters and in international matters with a Canadian component) and it is by far the exception that organizations have been insured in Canada. At the outset of a breach response which has not come to us through an insurer, the usual response I am met with when I ask if the organization has cyber or related insurance is: “No. Organizations can buy insurance for this?” I am confident that this is changing in Canada. There is unquestionably a growing awareness of the role for insurance in this area, which has translated into increased purchase of cyber and related products. Our clients and service providers now frequently raise the question of cyber insurance as part of an overall risk management and privacy strategy.

Are you seeing an increased initiative by plaintiff lawyers to promote these law suits or claims once the privacy regulators get involved?
Plaintiffs typically commence litigation long before privacy regulators take action, particularly in the class action field where class counsel may file competing claims in different provinces. Breach notifications often trigger interest in a potential claim. Regulators will not always take action in a particular file and, even in cases where they do so, it may be many months, or up to a year or more before findings are made public. That said, whether litigation is commenced before or after commissioners take action, it is certainly the case that commissioners’ investigations and findings can have a significant impact on the litigation. Commissioners’ investigations can assist plaintiffs in understanding the factual and evidentiary basis for litigation claims. Although adverse commissioners’ findings are not binding on the courts in litigation, they can change the landscape of the litigation.

What are your views on the Breach Coach® initiative for large clients? Are you seeing them built into incident response plans? If not, do you feel they should be?
Based on what I’ve seen, incident response plans for data breaches have not been developed in Canada as a matter of course, nor has the role of Breach Coach® been built into such plans where they are developed. They should be. The importance of the specialized experience and competence that a Breach Coach brings to the table cannot be overstated. As we have seen again and again in the Canadian cases, an organization’s response to an incident is of crucial importance.

A botched response can create additional reputational harm and legal liability over and above that which may be associated with the initial incident. In Canada, many of the plaintiffs’ statements of claim in this area include allegations relating to the organization’s response to an incident (e.g., that the organization did not act quickly enough, that it did not share sufficient or accurate information in its notification, or that it did not take steps to mitigate harm). On the other hand, a well-handled response can both reduce the likelihood of litigation and also potentially eliminate or mitigate liability for the initial incident. Another important aspect is that a Breach Coach can help ensure that solicitor-client and litigation privilege considerations are taken into account in respect of communications and other information generated in the wake of an incident.

In Conclusion…
We want to thank Alex for his expert insight into cyber risk and the state of litigation in Canada regarding data breach liability. Many companies in the U.S., Canada and other countries have cross-border legal/regulatory exposure, especially when they handle information about individuals. The evolving landscape in Canada is one to keep watch on. In addition, it is important to be aware that sending electronic messages to Canada and installing software on systems or devices located in Canada can attract significant liability under Canada’s Anti-Spam Law, including for directors and officers.


Table: Highlights of Privacy Litigation and Damage Awards in Canada 2013-2015

| Case | Allegations | Claims | Status |
| --- | --- | --- | --- |
| Tucci v People’s Trust, 2013 | Hacking of banking firm affected 12,000. | Proposed class action seeking $13 million. | No reported decision or settlement. |
| Grant v Montfort Hospital, 2013 | Lost USB (later recovered) affecting 25,000 patients. | Proposed class action seeking $40 million. | No reported decision or settlement. |
| Doe v. The Queen, Fed. Ct. T-1931-13 | Envelopes with “Marihuana Medical Access Program” | Proposed class action affecting 41,514. Violation of Privacy Act. | Pending. |
| Albilia v. Apple Inc., 2013 QCCS 2805 | Collecting and sharing information without consent. | Breach of privacy, contract and misrepresentations. | Class action certified. |
| Chitrakar v. Bell TV, 2013 FC 1103 | Unauthorized credit check. Negative impact on credit. | Breach of PIPEDA. | $10,000 in damages, $10,000 in exemplary damages. |
| MacEachern v. Ford, Ontario SCJ, No. CV-13-18955 | 10,000 employees’ information uploaded to an unsecure site. | $14 million class action for risk of ID theft, costs of preventative measures, etc. | Pending. |
| Maksimovic v. Sony, 2013 CanLII 41305 | Sony PlayStation network hacked, affecting 77 million. | $1 billion class action. | Court-approved settlement providing for various benefits. |
| Plimmer v Google, 2013 BCSC 681 | Collection and use of information in Gmail messages for ads. | Breach of Privacy Act, confidence, common law privacy, Competition Act, etc. | Pending. |
| Condon v Canada, 2014 FC 250 | Lost USB key/drive affecting 583,000 (incl. SIN, DOB). | Class action. Breach of contract, warranty, confidence, privacy tort, etc. | Class action certified. See also R v Horstman, 2014 SKQB 114. |
| Douez v. Facebook Inc., 2014 BCSC 953 | Names and images used in Sponsored Stories without consent. | Breach of the Privacy Act and other claims. | Class action certified. Appeal pending on forum and certification. |
| Sofio c. IIROC, 2014 QCCS 4061 | Lost unencrypted laptop with 52,000 clients. | Claim was for $1,000 per individual. | Not certified due to lack of actual harm. Follows Mazzonna. |
| Hynes v. Western Regional Health, 2014 NLTD(G) 137 | Hospital employee snooped on 1,043 individuals. | Breach of statutory tort, common law privacy tort, negligence, etc. | Second phase of class certification to follow. |
| Broutzas v. Rouge Valley Centenary, 2014 | 14,000 patients’ information sold to RESP companies. | $412 million class action, including claims in contract, intrusion upon seclusion, etc. | Pending. See also IPC Order HO-013. |
| Lozanski v. Home Depot, CV-14-51262400CP | Hacking affecting an estimated 56 million, incl. in Canada. | $500 million proposed class action. | Pending. |
| Henry v. Bell Mobility, 2014 FC 555 | Mobile account information disclosed to an unauthorized person. | Breach of PIPEDA. $49,500 sought. | $2,500 in damages. Breach admitted and practices changed. |
| McIntosh v. Legal Aid Ontario, 2014 ONSC 6136 | Snooping case. Threat to report plaintiff to Children’s Aid. | Privacy tort. $100,000 claimed for lost wages, lost benefits, tuition, etc. | $7,500 for general damages. Impact on mental state minor. |
| Ladas v. Apple Inc., 2014 BCSC 1821 | Devices record and store locational data in unencrypted form, etc. | Statutory and common law privacy tort, deceptive business practice, etc. | Class certification denied. |
| Evans v. Scotiabank, 2014 ONSC 2135; 2014 ONSC 7249 | Employee provided information to others, resulting in fraud. | Privacy tort, negligence, contract, breach of fiduciary duty, and waiver of tort. | Class action certified and leave to appeal dismissed. |
| Hopkins v Kay, 2014 ONSC 321; 2015 ONCA 112 | Dissemination of medical records of 280 patients. | Intrusion upon seclusion. Proposed class action. | Tort claim is available against PHIPA-regulated organizations. |
| Belley v. TD Auto Finance, 2015 QCCS 168 | Lost data tape. Actual fraud and ID theft alleged. | Negligence leading to breach, and negligence in response. Punitive damages. | Class certified. Reformulated version of the Mazzonna case. |
| Zuckerman v. Target, 2015 QCCS 1285 | Hack impacting credit cards, PINs, etc. of 700,000 Canadians. | Negligence. | Certification dismissed for forum/jurisdiction. Follows Mazzonna. |
| Albayate v. Bank of Montreal, 2015 BCSC 695 | Unauthorized change of address associated with bank account. | Breach of Privacy Act, negligence, breach of contract (privacy policy). | Negligence dismissed due to no harm. $2,000 damages for breach of privacy and contract. |
| Bell Canada and Bell Mobility, 2015 (Relevant Ads Program litigation) | Use and disclosure of information for profiling and advertising purposes. | $750 million sought for breach of contract, statute, intrusion upon seclusion, waiver of tort. | Pending. |