Trendspotting: Privacy Litigation in 2013 Alex Cameron, Partner Fasken Martineau DuMoulin LLP IAPP Canada Privacy Symposium, May 23, 2013

Scenario

• Company privacy statement states:

• “We take privacy seriously…”

• “We are committed to protecting your privacy…”

• “We have implemented strict safeguards…”

• Employee has access to customer personal information as needed for the employee’s job functions

Scenario

• Contrary to company policies and procedures, employee:

• copies personal information to unencrypted USB key

• takes USB key home to work on the weekend

• texts his friends about what his neighbours purchased

• inadvertently uploads information to a file-sharing network

• posts embarrassing customer information to Facebook

Scenario

• PIPEDA complaint filed with Office of the Privacy Commissioner of Canada (and accountability guidelines invoked as a benchmark)

• Class action launched against company and employee for:

• Invasion of privacy

• Breach of contract

• Misrepresentation

• Negligence

• Is the company liable for the employee’s actions?

• What are the damages?

Overview

• Damage awards under PIPEDA

• Key issues in tort claims

• Meaning of ‘invasion’

• Impact of ‘recklessness’

• Vicarious liability

• Continued rise of privacy class actions

Damages under PIPEDA

Step 1: Complaint to Commissioner under PIPEDA

Step 2: Commissioner investigation/mediation

Step 3: Commissioner issues report or discontinuance

Step 4: Application to Federal Court for hearing (s.14/15)

Step 5: Court hears matter de novo, not judicial review

Step 6: Court may award damages (s. 16(c))

Damages under PIPEDA

• As compared to a ‘normal’ legal proceeding, under the PIPEDA (and PHIPA) model:

• No ‘direct’ route to court to obtain damages

• Complainant is initially not in control of process or timing

• No cost to complainant for complaint/investigation stage

• No risk to complainant at complaint/investigation stage

• Court may award damages only against the organization that is subject to PIPEDA

• Note: No damage cap under PIPEDA. Under PHIPA, damages for mental anguish are capped at $10,000.

Damages under PIPEDA

• Causal connection between breach and damage

• Egregious and very serious cases only

• Consider:

• the alleged injury and harm

• the nature of the breach

• the nature of the organization’s business

• whether there was a commercial benefit from breach

• whether there was bad faith

• the pre- and post-complaint conduct of the organization

• whether the complaint contributed to the breach or harm

Damages under PIPEDA

| Case | Facts | Damages |
| --- | --- | --- |
| Randall v. Nubodys Fitness | Fitness club disclosed to the complainant’s employer the frequency of complainant’s visits | None |
| Nammo v. TransUnion | Credit bureau disclosed inaccurate credit report to bank in connection with loan application | $5,000 |
| Girao v. ZTGH LLP | Law firm published on its website a final report from the OPC in a PIPEDA complaint | $1,500 |
| Landry v. Royal Bank | Bank improperly disclosed information to complainant’s ex-spouse in divorce proceeding | $4,500 |

Damages under PIPEDA

| Case | Facts | Damages |
| --- | --- | --- |
| Biron v. Royal Bank | Bank causes humiliation by disclosing third-party information in divorce proceeding, despite express objections by third-party | $2,500 |

Damages under PIPEDA

• “The fact that the Respondent has never denied having committed the errors is commendable.… the Respondent has apologized to the Applicant on numerous occasions …. It may be, as alleged by the Applicant, that the Respondent should have put these measures in place before the error occurred. Nobody should be held to a standard of perfection, and the Respondent already had a detailed protocol before the occurrence of what can only be considered as a human error.” [emphasis added]

• Townsend v. Sun Life Financial, 2012 FC 550

That was then…

…this is now.

That was then…

…this is now (or more likely, 2014).

Tort claims

• Four provinces with statutory torts of invasion of privacy:

• British Columbia, Privacy Act, R.S.B.C. 1996 c. 373;

• Manitoba, Privacy Act, R.S.M. 1987 c. P125;

• Saskatchewan, Privacy Act, R.S.S. 1978, c. P-24;

• Newfoundland, Privacy Act, R.S.N. 1990, c.P-22.

Tort claims

• Four types of privacy tort claims in the United States:

• Intrusion upon the plaintiff’s seclusion or solitude

• Public disclosure of embarrassing private facts

• Publicity which places the plaintiff in a false light

• Appropriation of the plaintiff’s name or likeness.

Tort claims

• Jones v Tsige 2012 ONCA 32

• Three elements needed to show intrusion upon seclusion:

• the defendant’s conduct must be intentional (which includes reckless conduct);

• the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and

• a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.

• “deliberate and significant invasions” only

• competing claims must be reconciled (e.g. freedom of expression)

Tort claims

• Meaning of “recklessness”?

• No fixed meaning in tort

• Recklessness contains two elements:

• conduct that creates obvious and serious risk; and

• acting without giving any thought to the possibility of there being any such risk, or recognizing that there is risk and nevertheless deciding to take the risk.

• The first element includes an objective analysis of the risk that is created by the conduct.

• The second element includes a subjective analysis of whether the risk was considered.

Allegations in Douez class action

Tort claims

• Damages factors:

• the nature, incidence and occasion of the wrongful act;

• the effect of the wrong on the plaintiff’s health, welfare, social, business or financial position;

• any relationship between the parties;

• any distress, annoyance or embarrassment suffered; and

• the conduct of the parties, both before and after the wrong, including any apology or offer of amends made by the defendant.

Tort claims

• Damages “will ordinarily be measured by a modest conventional sum”:

“…damages for intrusion upon seclusion in cases where the plaintiff has suffered no pecuniary loss should be modest but sufficient to mark the wrong that has been done. I would fix the range at up to $20,000.”

• Punitive and aggravated damages are neither excluded nor encouraged

Tort claims: post-Jones v. Tsige

• Alberta v Alberta Union of Provincial Employees, 2012 CanLII 47215 (AB GAA)

• 26 government employees were awarded $1,250 each in respect of an unauthorized credit check of each of them by an agent of their employer, even though no actual harm was shown

Tort claims: post-Jones v. Tsige

• Trout Point Lodge Ltd. v. Handshoe, 2012 NSSC 245

• primarily a defamation case

• blog postings and doctored photos

• based on Jones case, confirms that an award could be made for invasion of privacy in Nova Scotia

• no award made because parties had not made arguments regarding potential limits related to freedom of expression

Tort claims: post-Jones v. Tsige

• Connolly v. Telus Communications Co [2012] O.J. No. 464

• wrong SIN provided when purchasing iPhone and Telus contract

• post-transaction audit identified discrepancy

• service suspended due to fraud concern

• “Restoration of the service occurred on June 28, 2010 after John's lawyer intervened and satisfied Telus that there had been a mistake on the SIN used…”

• no intrusion upon seclusion

Tort claims: post-Jones v. Tsige

• Action Auto Leasing & Gallery Inc. v. Gray [2013] O.J. No. 898

• Dispute regarding breach of vehicle lease

• “I accept his hearsay evidence that his mother received a single message from an employee of the plaintiff in which the plaintiff disclosed the fact that this lease was in default and a dollar amount claimed to be owing was disclosed.”

• Interprets Jones case as approving of all four torts

• Alternatively, recognizes the disclosure tort

• Awards $100 set off against amount owing under the lease

Tort claims: vicarious liability

• Vicarious liability:

• creature of the common law

• evolving principles inferred from cases

• a form of strict liability:

• the law holds one person responsible for the misconduct of another, although the person held liable is free of personal blameworthiness or fault

Tort claims: vicarious liability

• vicarious liability:

• ancient origin is the doctrine of respondeat superior: “let the master answer”

• modern approach is policy driven – a policy analysis directed at ascertaining whether the employer’s conduct created or enhanced the risk that the tort would occur.

• Bazley v. Curry, [1999] 2 SCR 534

• misconduct must be sufficiently related to the conduct authorized by the employer

Tort claims: vicarious liability

• policy rationales:

• enterprise risk

• loss distribution

• encouraging risk management

• if vicarious liability would serve these ends in any given case, a court will be more inclined to impose it

Tort claims: vicarious liability

• General test for when vicarious liability will be imposed can be described as follows: employers are vicariously liable for:

• Employee acts authorized by the employer

• Unauthorized acts so connected with authorized acts that they may be regarded as modes (albeit improper modes) of doing an authorized act.

Tort claims: vicarious liability

• Factors to show connection between tort and employment:

• opportunity afforded the employee to abuse power

• extent to which the wrongful act may have furthered the employer’s aims (and hence be more likely to have been committed by the employee)

• extent to which the wrongful act was related to friction, confrontation or intimacy inherent in the enterprise

• extent of employee’s power in relation to the victim

• potential victims’ vulnerability to abuse of employee power

Tort claims: vicarious liability

• Did the employer’s enterprise and empowerment of the employee materially increase the risk of the harm?

• The test must not be applied mechanically, but with a sensitive view to the policy considerations that justify the imposition of vicarious liability

• Investigate the employee’s specific duties and determine whether they gave rise to special opportunities for wrongdoing

• Bazley v. Curry, [1999] 2 SCR 534

Tort claims: vicarious liability

• “Vicarious liability is arguably fair in this sense. The employer puts in the community an enterprise which carries with it certain risks. When those risks materialize and cause injury to a member of the public despite the employer’s reasonable efforts, it is fair that the persons or organizations that create the enterprise and hence the risk should bear the loss. This accords with the notion that it is right and just that the person who creates a risk bear the loss when the risk ripens into harm.”

• Blackburn v. Midland Walwyn Capital Inc., 2003 CanLII 41421 (ON SC)

Tort claims: vicarious liability

• Steps to limit risk of vicarious liability:

• Risk associated with unauthorized employee activities is real and bigger than might be assumed

• Very challenging to limit such risks

• Contractual terms may not be effective and may backfire

Tort claims: vicarious liability

• Steps to limit risk for vicarious liability (cont’d):

• The best protection is prevention, which is industry and context specific

• (Subject to privacy rules), be aware, to the greatest extent possible, of what employees are up to

• Establish systems to spot unusual patterns of activity

• Consider a robust whistleblower policy

• Where, for business or other reasons, preventative steps are not appropriate, consider insurance

Class actions

• Rowlands v. Durham Region Health:

• allegations of lost USB thumb drive containing personal health information of over 83,500 patients

• class action certified (largely on consent)

• settlement:

• $500,000 to class counsel

• Mechanism to show economic harm

• Class counsel entitled to 25% of actual harm awards

Class actions

• St. Arnaud v. Facebook, Quebec Superior Court: Court File No. 500-06-000511-101

• Terms of Service: “You will resolve any claim, cause of action or dispute ("claim") you have with us arising out of or relating to this Statement or Facebook exclusively in a state or federal court located in Santa Clara County.”

• Quebec court ruled it had no jurisdiction

• Settlement reached with Facebook after jurisdiction decision

• updated Facebook privacy policy to be maintained in substantially the same form or manner for at least three years from the date of implementation

• $75,000 to plaintiff’s counsel

• $1,000 to plaintiff

Class actions: Mazzonna decision

Class actions

Allegations in Douez class action

Class actions

• Douez v Facebook, 2012 BCSC 2097

• Jurisdiction motion and certification motion

• Watch for outcome of June 18, 2013 hearing

Ford Motor Company

• “On January 22, 2013, Ford Motor Company of Canada, Limited (“Ford”) announced that certain confidential personal information of 10,000 Ford employees was uploaded onto an unsecured website on the internet.”

• “Individuals whose personal information was uploaded onto the unsecured website may be entitled to compensation for the breach of their privacy, damages for identity theft and/or damages to their credit reputation, damages for the costs incurred to prevent identity theft, damages for the time spent changing your personal information such as your Social Insurance Number, damages for emotional distress/inconvenience, and/or compensation for out of pocket expenses.”

• http://www.fordprivacyclassaction.com

Montfort Hospital

• “Sometime after October 2012, an unsecure, unencrypted USB key containing the personal health information of approximately 25,000 patients of Hopital Montfort was lost. The hospital has been unable to locate the USB key on which the personal health information was stored.”

• March 14, 2013 - http://www.fcbarristers.com/documents/FCPressReleaseMar1413.pdf

Montfort Hospital

• “Last April, Hopital Montfort informed the public that a non-encrypted USB key that was lost in the fall of 2012 was found and returned to the hospital by a member of the community. An independent expert technological assessment, carried out at Montfort's request, now confirms that there was no non-authorized access to the files of the 25 693 patients concerned.” [emphasis added]

• May 22, 2013

• https://www.hopitalmontfort.com/press-releases.cfm?newsID=214

Montfort Hospital

• “The additional accounting file contained the names of approximately 2 200 patients …, an encounter number, the date on which they received care, a total and outstanding amount due, the name of the person responsible for payment, a code representing the type and payment status of the visit in question, and, in 130 cases, a social insurance number associated with a guarantor.

• “… All USB keys in use at Montfort are now encrypted by default and the hospital continues to prioritize staff privacy and confidentiality training for the protection of patient’s personal health information.”

• https://www.hopitalmontfort.com/press-releases.cfm?newsID=214

HRSDC pensions and EI

• “In December, 2012, the Minister of Human Resources and Skills Development announced that an electronic storage device, known as a USB key, containing the confidential personal information of 5,000 Canadians who had applied for pensions, old age security benefits, employment insurance or child care tax credits and other benefits went missing.”

• http://www.lostusbkeyclassaction.com

HRSDC student loans

• January 11, 2013: Please be advised that an electronic storage device, also known as an external portable hard drive, containing personal information on 583,000 Canada Student Loan borrowers who were clients of the Canada Student Loans Program (CSLP) from 2000-2006 has been lost from an HRSDC office in Gatineau, Quebec.

• The external portable hard drive included:

• personal information on 583,000 Canada Student Loan borrowers who were clients of the CSLP from 2000-2006. Student loan borrowers from the province of Quebec, Nunavut and the Northwest Territories during the same time period are not affected;

• Student names, Social Insurance Numbers, dates of birth, contact information and loan balance of Canada Student Loan borrowers;

• Personal contact information of 250 HRSDC employees;

• No banking or medical information was included on the portable hard drive.

HRSDC student loans

• “February 19th, 2013: Please be advised that the electronic storage device containing personal information of 583,000 Canada Student Loan borrowers who were clients of the Canada Student Loans Program (CSLP) from 2000-2006 also contained personal information of affected clients who fall outside the 2000-2006 period. Of the individuals affected, 2,800 fall outside the 2000-2006 period and of those 2,600 are in 2007. The department has already communicated with over 1,600 of these affected borrowers. Efforts continue to locate current contact information for all affected borrowers.”

HRSDC student loans

• April 25, 2013 – statement of claim issued

• Statement of Claim: http://www.studentloansclassaction.com/sites/default/files/documents/1085367_csc.pdf

Class actions

• Empirical analysis of data breach litigation in the U.S.:

• Litigation is 3.5 times more likely to occur when individuals suffer financial harm

• Litigation is more than 6 times less likely to occur when free credit monitoring is offered following the breach

• Defendants settle 30% more often when a class action is certified or when plaintiffs allege financial loss

• Data breaches exposing medical information are more strongly correlated with settlement than data breaches exposing financial information.

Source: Romanosky, Sasha, Hoffman, David A. and Acquisti, Alessandro, Empirical Analysis of Data Breach Litigation (February 19, 2012).

Class actions

• Consider all ‘costs’:

• Adverse publicity

• Reputational harm

• Legal costs

• Organizational response costs

• Litigation costs

• Damages or settlement costs

• Lost opportunity

What we covered

• Damage awards under PIPEDA

• Key issues in tort claims

• Meaning of ‘invasion’

• Impact of ‘recklessness’

• Vicarious liability

• Continued rise of privacy class actions

Alex Cameron

[email protected]

@a_cameron

416-865-4505
