Trendspotting: Privacy Litigation in 2013
Alex Cameron, Partner
Fasken Martineau DuMoulin LLP
IAPP Canada Privacy Symposium, May 23, 2013
Scenario
• Company privacy statement states:
• “We take privacy seriously…”
• “We are committed to protecting your privacy…”
• “We have implemented strict safeguards…”
• Employee has access to customer personal information as
needed for the employee’s job functions
Scenario
• Contrary to company policies and procedures, employee:
• copies personal information to unencrypted USB key
• takes USB key home to work on the weekend
• texts his friends about what his neighbours purchased
• inadvertently uploads information to a file-sharing network
• posts embarrassing customer information to Facebook
Scenario
• PIPEDA complaint filed with Office of the Privacy
Commissioner of Canada (and accountability guidelines
invoked as a benchmark)
• Class action launched against company and employee for:
• Invasion of privacy
• Breach of contract
• Misrepresentation
• Negligence
• Is the company liable for the employee’s actions?
• What are the damages?
Overview
• Damage awards under PIPEDA
• Key issues in tort claims
• Meaning of ‘invasion’
• Impact of ‘recklessness’
• Vicarious liability
• Continued rise of privacy class actions
Damages under PIPEDA
Step 1: Complaint to Commissioner under PIPEDA
Step 2: Commissioner investigation/mediation
Step 3: Commissioner issues report or discontinuance
Step 4: Application to Federal Court for hearing (s.14/15)
Step 5: Court hears matter de novo, not judicial review
Step 6: Court may award damages (s. 16(c))
Damages under PIPEDA
• As compared to a ‘normal’ legal proceeding, under the
PIPEDA (and PHIPA) model:
• No ‘direct’ route to court to obtain damages
• Complainant is initially not in control of process or timing
• No cost to complainant for complaint/investigation stage
• No risk to complainant at complaint/investigation stage
• Court may award damages only against the organization
that is subject to PIPEDA
• Note: No damage cap under PIPEDA. Under PHIPA,
damages for mental anguish are capped at $10,000.
Damages under PIPEDA
• Causal connection between breach and damage
• Egregious and very serious cases only
• Consider:
• the alleged injury and harm
• the nature of the breach
• the nature of the organization’s business
• whether there was a commercial benefit from breach
• whether there was bad faith
• the pre- and post-complaint conduct of the organization
• whether the complaint contributed to the breach or harm
Damages under PIPEDA
Case | Facts | Damages
Randall v. Nubodys Fitness | Fitness club disclosed to the complainant’s employer the frequency of complainant’s visits | None
Nammo v. TransUnion | Credit bureau disclosed inaccurate credit report to bank in connection with loan application | $5,000
Girao v. ZTGH LLP | Law firm published on its website a final report from the OPC in a PIPEDA complaint | $1,500
Landry v. Royal Bank | Bank improperly disclosed information to complainant’s ex-spouse in divorce proceeding | $4,500
Damages under PIPEDA
Case | Facts | Damages
Biron v. Royal Bank | Bank causes humiliation by disclosing third-party information in divorce proceeding, despite express objections by third-party | $2500
Damages under PIPEDA
• “The fact that the Respondent has never denied having
committed the errors is commendable.… the Respondent has
apologized to the Applicant on numerous occasions …. It
may be, as alleged by the Applicant, that the Respondent
should have put these measures in place before the error
occurred. Nobody should be held to a standard of
perfection, and the Respondent already had a detailed
protocol before the occurrence of what can only be
considered as a human error.” [emphasis added]
• Townsend v. Sun Life Financial, 2012 FC 550
That was then…
…this is now.
That was then…
…this is now (or more likely, 2014).
Tort claims
• Four provinces with statutory torts of invasion of privacy:
• British Columbia, Privacy Act, R.S.B.C. 1996 c. 373;
• Manitoba, Privacy Act, R.S.M. 1987 c. P125;
• Saskatchewan, Privacy Act, R.S.S. 1978, c. P-24;
• Newfoundland, Privacy Act, R.S.N. 1990, c. P-22.
Tort claims
• Four types of privacy tort claims in the United States:
• Intrusion upon the plaintiff’s seclusion or solitude
• Public disclosure of embarrassing private facts
• Publicity which places the plaintiff in a false light
• Appropriation of the plaintiff’s name or likeness.
Tort claims
• Jones v Tsige 2012 ONCA 32
• Three elements needed to show intrusion upon seclusion:
• the defendant’s conduct must be intentional (which
includes reckless conduct);
• the defendant must have invaded, without lawful
justification, the plaintiff’s private affairs or concerns; and
• a reasonable person would regard the invasion as highly
offensive causing distress, humiliation or anguish.
• “deliberate and significant invasions” only
• competing claims must be reconciled (e.g. freedom of
expression)
Tort claims
• Meaning of “recklessness”?
• No fixed meaning in tort
• Recklessness contains two elements:
• conduct that creates obvious and serious risk; and
• acting without giving any thought to the possibility of there
being any such risk, or recognizing that there is risk and
nevertheless deciding to take the risk.
• The first element includes an objective analysis of the
risk that is created by the conduct.
• The second element includes a subjective analysis of
whether the risk was considered.
Allegations in Douez class action
Tort claims
• Damages factors:
• the nature, incidence and occasion of the wrongful act;
• the effect of the wrong on the plaintiff’s health, welfare,
social, business or financial position;
• any relationship between the parties;
• any distress, annoyance or embarrassment suffered; and
• the conduct of the parties, both before and after the
wrong, including any apology or offer of amends made by
the defendant.
Tort claims
• Damages “will ordinarily be measured by a modest
conventional sum”:
“…damages for intrusion upon seclusion in cases where
the plaintiff has suffered no pecuniary loss should be
modest but sufficient to mark the wrong that has been
done. I would fix the range at up to $20,000.”
• Punitive and aggravated damages are neither excluded nor
encouraged
Tort claims: post-Jones v. Tsige
• Alberta v Alberta Union of Provincial Employees, 2012 CanLII
47215 (AB GAA)
• 26 government employees were awarded $1,250 each in
respect of an unauthorized credit check of each of them by
an agent of their employer, even though no actual harm
was shown
Tort claims: post-Jones v. Tsige
• Trout Point Lodge Ltd. v. Handshoe, 2012 NSSC 245
• primarily a defamation case
• blog postings and doctored photos
• based on Jones case, confirms that an award could be
made for invasion of privacy in Nova Scotia
• no award made because parties had not made arguments
regarding potential limits related to freedom of expression
Tort claims: post-Jones v. Tsige
• Connolly v. Telus Communications Co [2012] O.J. No. 464
• wrong SIN provided when purchasing iPhone and Telus
contract
• post-transaction audit identified discrepancy
• service suspended due to fraud concern
• “Restoration of the service occurred on June 28, 2010 after
John's lawyer intervened and satisfied Telus that there had
been a mistake on the SIN used…”
• no intrusion upon seclusion
Tort claims: post-Jones v. Tsige
• Action Auto Leasing & Gallery Inc. v. Gray [2013] O.J. No.
898
• Dispute regarding breach of vehicle lease
• “I accept his hearsay evidence that his mother received a
single message from an employee of the plaintiff in which
the plaintiff disclosed the fact that this lease was in default
and a dollar amount claimed to be owing was disclosed.”
• Interprets Jones case as approving of all four torts
• Alternatively, recognizes the disclosure tort
• Awards $100 set off against amount owing under the lease
Tort claims: vicarious liability
• Vicarious liability:
• creature of the common law
• evolving principles inferred from cases
• a form of strict liability:
• the law holds one person responsible for the misconduct of
another, although the person held liable is free of personal
blameworthiness or fault
Tort claims: vicarious liability
• vicarious liability:
• ancient origin is the doctrine of respondeat superior: “let
the master answer”
• modern approach is policy driven – a policy analysis
directed at ascertaining whether the employer’s conduct
created or enhanced the risk that the tort would occur.
• Bazley v. Curry, [1999] 2 SCR 534
• misconduct must be sufficiently related to the conduct
authorized by the employer
Tort claims: vicarious liability
• policy rationales:
• enterprise risk
• loss distribution
• encouraging risk management
• if vicarious liability would serve these ends in any given case,
a court will be more inclined to impose it
Tort claims: vicarious liability
• General test for when vicarious liability will be imposed can
be described as follows: employers are vicariously liable for
• Employee acts authorized by the employer
• Unauthorized acts so connected with authorized acts that
they may be regarded as modes (albeit improper modes)
of doing an authorized act.
Tort claims: vicarious liability
• Factors to show connection between tort and employment:
• opportunity afforded the employee to abuse power
• extent to which the wrongful act may have furthered the
employer’s aims (and hence be more likely to have been
committed by the employee)
• extent to which the wrongful act was related to friction,
confrontation or intimacy inherent in the enterprise
• extent of employee’s power in relation to the victim
• potential victims’ vulnerability to abuse of employee power
Tort claims: vicarious liability
• Did the employer’s enterprise and empowerment of the
employee materially increase the risk of the harm?
• The test must not be applied mechanically, but with a
sensitive view to the policy considerations that justify the
imposition of vicarious liability
• Investigate the employee’s specific duties and determine
whether they gave rise to special opportunities for
wrongdoing
• Bazley v. Curry, [1999] 2 SCR 534
Tort claims: vicarious liability
• “Vicarious liability is arguably fair in this sense. The employer
puts in the community an enterprise which carries with it
certain risks. When those risks materialize and cause injury to
a member of the public despite the employer’s reasonable
efforts, it is fair that the persons or organizations that create
the enterprise and hence the risk should bear the loss. This
accords with the notion that it is right and just that the person
who creates a risk bear the loss when the risk ripens into
harm.”
• Blackburn v. Midland Walwyn Capital Inc., 2003 CanLII 41421
(ON SC)
Tort claims: vicarious liability
• Steps to limit risk of vicarious liability:
• Risk associated with unauthorized employee activities is
real and bigger than might be assumed
• Very challenging to limit such risks
• Contractual terms may not be effective and may backfire
Tort claims: vicarious liability
• Steps to limit risk for vicarious liability (cont’d):
• The best protection is prevention, which is industry and
context specific
• (Subject to privacy rules), be aware, to the greatest extent
possible, of what employees are up to
• Establish systems to spot unusual patterns of activity
• Consider a robust whistleblower policy
• Where, for business or other reasons, preventative steps
are not appropriate, consider insurance
Class actions
• Rowlands v. Durham Region Health:
• allegations of lost USB thumb drive containing personal
health information of over 83,500 patients
• class action certified (largely on consent)
• settlement:
• $500,000 to class counsel
• Mechanism to show economic harm
• Class counsel entitled to 25% of actual harm awards
Class actions
• St. Arnaud v. Facebook, Quebec Superior Court: Court File No. 500-06-000511-101
• Terms of Service: “You will resolve any claim, cause of action or dispute ("claim") you have with us arising out of or relating to this Statement or Facebook exclusively in a state or federal court located in Santa Clara County.”
• Quebec court ruled it had no jurisdiction
• Settlement reached with Facebook after jurisdiction decision
• updated Facebook privacy policy to be maintained in substantially the same form or manner for at least three years from the date of implementation
• $75,000 to plaintiff’s counsel
• $1,000 to plaintiff
Class actions: Mazzonna decision
Class actions
Allegations in Douez class action
Class actions
• Douez v Facebook, 2012 BCSC 2097
• Jurisdiction motion and certification motion
• Watch for outcome of June 18, 2013 hearing
Ford Motor Company
• “On January 22, 2013, Ford Motor Company of Canada,
Limited (“Ford”) announced that certain confidential personal
information of 10,000 Ford employees was uploaded onto an
unsecured website on the internet.”
• “Individuals whose personal information was uploaded onto
the unsecured website may be entitled to compensation for
the breach of their privacy, damages for identity theft and/or
damages to their credit reputation, damages for the costs
incurred to prevent identity theft, damages for the time spent
changing your personal information such as your Social
Insurance Number, damages for emotional
distress/inconvenience, and/or compensation for out of pocket
expenses.”
• http://www.fordprivacyclassaction.com
Montfort Hospital
• “Sometime after October 2012, an unsecure, unencrypted
USB key containing the personal health information of
approximately 25,000 patients of Hopital Montfort was lost.
The hospital has been unable to locate the USB key on which
the personal health information was stored.”
• March 14, 2013 - http://www.fcbarristers.com/documents/FCPressReleaseMar1413.pdf
Montfort Hospital
• “Last April, Hopital Montfort informed the public that a non-
encrypted USB key that was lost in the fall of 2012 was found
and returned to the hospital by a member of the community.
An independent expert technological assessment,
carried out at Montfort's request, now confirms that there
was no non-authorized access to the files of the 25 693
patients concerned.” [emphasis added]
• May 22, 2013
• https://www.hopitalmontfort.com/press-releases.cfm?newsID=214
Montfort Hospital
• “The additional accounting file contained the names of
approximately 2 200 patients …, an encounter number, the
date on which they received care, a total and outstanding
amount due, the name of the person responsible for payment,
a code representing the type and payment status of the visit
in question, and, in 130 cases, a social insurance number
associated with a guarantor.
• “… All USB keys in use at Montfort are now encrypted by
default and the hospital continues to prioritize staff privacy
and confidentiality training for the protection of patient’s
personal health information.”
• https://www.hopitalmontfort.com/press-releases.cfm?newsID=214
HRSDC pensions and EI
• “In December, 2012, the Minister of Human Resources and
Skills Development announced that an electronic storage
device, known as a USB key, containing the confidential
personal information of 5,000 Canadians who
had applied for pensions, old age security benefits,
employment insurance or child care tax credits and other
benefits went missing.”
• http://www.lostusbkeyclassaction.com
HRSDC student loans
• January 11, 2013: Please be advised that an electronic
storage device, also known as an external portable hard
drive, containing personal information on 583,000 Canada
Student Loan borrowers who were clients of the Canada
Student Loans Program (CSLP) from 2000-2006 has been
lost from an HRSDC office in Gatineau, Quebec.
• The external portable hard drive included:
• personal information on 583,000 Canada Student Loan borrowers who
were clients of the CSLP from 2000-2006. Student loan borrowers from
the province of Quebec, Nunavut and the Northwest Territories during the
same time period are not affected;
• Student names, Social Insurance Numbers, dates of birth, contact
information and loan balance of Canada Student Loan borrowers;
• Personal contact information of 250 HRSDC employees;
• No banking or medical information was included on the portable hard
drive.
HRSDC student loans
• “February 19th, 2013: Please be advised that the electronic
storage device containing personal information of 583,000
Canada Student Loan borrowers who were clients of the
Canada Student Loans Program (CSLP) from 2000-2006 also
contained personal information of affected clients who fall
outside the 2000-2006 period. Of the individuals affected,
2,800 fall outside the 2000-2006 period and of those 2,600
are in 2007. The department has already communicated with
over 1,600 of these affected borrowers. Efforts continue to
locate current contact information for all affected borrowers.”
HRSDC student loans
• April 25, 2013 – statement of claim issued
• Statement of Claim:
http://www.studentloansclassaction.com/sites/default/files/documents/1085367_csc.pdf
Class actions
• Empirical analysis of data breach litigation in the U.S.:
• Litigation is 3.5 times more likely to occur when individuals
suffer financial harm
• Litigation is more than 6 times less likely to occur when
free credit monitoring is offered following the breach
• Defendants settle 30% more often when a class action is
certified or when plaintiffs allege financial loss
• Data breaches exposing medical information are more
strongly correlated with settlement than data breaches
exposing financial information.
Source: Romanosky, Sasha, Hoffman, David A. and Acquisti, Alessandro,
Empirical Analysis of Data Breach Litigation (February 19, 2012).
Class actions
• Consider all ‘costs’:
• Adverse publicity
• Reputational harm
• Legal costs
• Organizational response costs
• Litigation costs
• Damages or settlement costs
• Lost opportunity
What we covered
• Damage awards under PIPEDA
• Key issues in tort claims
• Meaning of ‘invasion’
• Impact of ‘recklessness’
• Vicarious liability
• Continued rise of privacy class actions