Canada is no longer a safe haven when it comes to avoiding damages arising out of privacy breaches. Class actions are here. Regulatory and criminal investigations are here and so too are individual actions resulting in damage awards. The losses are mounting and regulators are crying for legislation to impose substantial fines. The times, they are a changing. If you are interested in examples of Canadian breaches where losses have occurred, read on.
It is no secret that there is a startling rise in privacy breaches in Canada these days, with a resulting increase in regulatory investigations and legal actions arising out of those breaches. Where a few years ago it was easy to find examples of breaches but difficult to find examples of losses arising from them, the environment in the US, and increasingly in Canada, has changed. Class action litigation and individual actions relating to privacy breaches in Canada are no longer just hypothetical; they are a new reality. The actions tend to involve disclosure of personal information through insecure disposal of records, theft and loss of unencrypted data on mobile devices, and unauthorized access to records. Set out below is a discussion of some of the recent cases resulting in actual losses.
Privacy Breach Class Actions
The year 2013 began with a shocking disclosure as Human Resources and Skills Development Canada (“HRSDC”) admitted to the loss of a portable hard drive containing unencrypted personal and financial information, including SIN numbers and birth dates, of more than half a million people who took out student loans and 250 employees. Reports allege a two-month delay in notification to the public of the breach. Three class actions have been launched and both the RCMP and the Privacy Commissioner are investigating. Affected persons are being notified by letter and a hot-line set up to handle inquiries has reportedly received over 40,000 calls. This announcement follows the recent disclosure by HRSDC of another breach involving the loss of a USB key from an office in Quebec, containing personal information of more than 5,000 Canadians.[i]
The year 2012 saw a number of high profile breaches in the health industry resulting in losses, including costs to notify affected individuals, defence costs to respond to class actions and regulatory investigations, and several involving the business costs of terminating employees and responding to resulting lawsuits. In May, the Peterborough Regional Health Centre fired 7 employees who inappropriately accessed patient records.[ii] In B.C., the provincial government disclosed that in three instances of data breaches in October 2010 and June 2012 more than 5 million persons’ personal-health data had been accessed without permission. This led to the costs of responding to an investigation by the Privacy Commissioner and notification of more than 38,000 individuals by letter. Furthermore, the government is dealing with costs associated with the termination of 7 employees, at least two of whom have launched separate lawsuits in response to their terminations.[iii]
In one of the most high profile privacy breaches in 2011, Sony Corp. is facing at least 25 lawsuits, including class actions in Canada[iv] and the U.S., over theft of personal data of more than 100 million video game users. Sony was criticized for not telling customers quickly enough about the breach. In the wake of this massive breach Canada’s privacy commissioner publicly called for the power to impose “attention-getting fines” when major corporations fail to protect personal information.[v]
In 2011 the Ontario Superior Court granted certification of a class action against Durham Region Health[vi] after a nurse employed by the Durham Region Health Department allegedly lost a USB thumb drive containing personal and confidential health information relating to flu vaccinations given to patients. The action followed an investigation and Order by the Ontario Information and Privacy Commissioner citing numerous breaches of the privacy health legislation. In the action, the plaintiffs sought $40 million in damages, citing risk of identity theft as a factor. The certification Order, which was largely made with the consent of the defendants, required the defendants to pay for the costs of notification of class members (approximately 83,500 patients) and for the costs of operating the program whereby individuals can opt out of the action if they choose. The action was settled shortly after certification, with the Region agreeing to pay up to $500,000 on account of the plaintiffs’ costs, and individual payments to those affected individuals who can prove financial loss.[vii]
Honda Canada, Inc. is facing a class action launched in 2011[viii] on behalf of 283,000 customers after their personal information, including names, addresses, VINs, and financial account numbers, was accessed by hackers. The action seeks $200 million and faults Honda for delayed notification of the breach to affected individuals.
A long-standing class action by staff at a federal prison in Kingston against Corrections Canada[ix] was settled in 2010. The staff sued on the basis of a privacy breach when a list including the names, home addresses, phone numbers, and names of spouses of 366 staff fell into the hands of convicts at the prison in 2003. The settlement provides for payment to each staff member on the list of at least $1,000, and higher payments of up to $10,000 to staff and their spouses who can establish they suffered serious psychological harm. Corrections Canada also agreed to pay the plaintiffs’ legal bills, totalling more than $140,000, and was to review privacy protection at 11 other federal facilities in Ontario, which review was to be submitted to the Privacy Commissioner of Canada.
In March 2010 CIBC agreed to compensate customers whose personal information was inadvertently sent by fax to businesses in the U.S. and Quebec.[x] The settlement of the class action included individual offers to be made to class members, with the court recognizing that damages including general damages and those arising from identity theft would be recoverable, together with a $100,000 payment to a charity.
DaimlerChrysler Financial Services Canada Inc. was the subject of class actions after a courier lost a hard drive containing personal financial information of customers.[xi] The plaintiffs alleged anxiety and fear due to the loss of the information and the potential for fraud or identity theft, together with the costs and inconvenience of needing credit monitoring.
In February 2008 a global settlement was reached in the Canadian part of class proceedings brought in the U.S., Puerto Rico and Canada[xii] following fraudulent computer system intrusions affecting customers of TJX (often referred to as the “Winners breach”). The settlement of the Canadian component of the action resulted in eligible class members receiving credit monitoring services, vouchers, cash benefits (cheques), identity theft insurance, reimbursements and sales events.
Privacy Breach Individual Actions
Class actions have not been the only forum for litigation of privacy breaches in Canada. Examples of individual suits resulting in damage awards have shown Canadian courts are willing to put a value on the damage caused by invasion of an individual’s privacy, even where there are no actual losses. Although the cases are specific to their individual facts and to the law applicable in the jurisdiction in which the action was brought, they may be useful in predicting the likelihood of an award, and the quantum of such an award, in future breaches. These cases include:
- Recognition by the Ontario Court of Appeal of a new tort for invasion of privacy in the 2012 landmark decision in Jones v Tsige[xiii], where the Court awarded $10,000 in damages to a man whose former wife, a bank employee, inappropriately accessed personal banking information about her ex-husband’s new partner 174 times. The Court imposed a cap of $20,000 where there has been no pecuniary loss, and although the possibility exists for punitive or aggravated damages on top of this amount, they would only arise in exceptional cases. It is important to note that this is a common law cause of action, separate and apart from any remedy under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) or other similar privacy legislation. It remains to be seen whether entities subject to PIPEDA or similar legislation will be subject to duties and remedies under both this new common law action and the relevant statute. Furthermore, this new tort will be available to plaintiffs in class actions alleging privacy breaches.
- An award of $100,000 in punitive damages by the Quebec Court of Appeal in a 2010 decision[xiv] against Standard Life. The plaintiff had been receiving disability benefits, and in the course of surveillance commissioned by Standard Life the investigators accidentally recorded the plaintiff’s brother engaging in very active tasks, which led to the termination of the plaintiff’s benefits.
- A Federal Court decision in 2011[xv] ordering a Canadian bank to pay damages based on a breach of the federal privacy legislation by one of its employees. Contrary to the bank’s policies, in response to a subpoena, the employee had provided private bank information to a customer’s ex-spouse who was involved in a contested divorce. Despite arguments challenging the cause of the complainant’s alleged “humiliation” being related to the privacy breach, the court found the breach warranted damages in the amount of $4,500, plus interest and costs.
- An action in B.C.[xvi] by a businesswoman against her ex-husband, a doctor who accessed private information about her on an old home computer and published the information online and in emails. The B.C. Supreme Court awarded the plaintiff $20,000 for breach of privacy and defamation.
- An action in the Federal Court of Canada in which a businessman was awarded $5,000 plus costs for humiliation arising from the provision of inaccurate credit information by a credit reporting agency.[xvii]
- A fine of $750 under B.C.’s privacy law, following a two-week trial, against a city councillor for giving CBC an internal privileged and confidential workplace harassment report prepared by the local RCMP detachment.[xviii]
Privacy Business Practices
In another case, a proposed class action was initiated in Quebec against Bell Canada[xx] on behalf of internet subscribers who alleged Bell’s business model deliberately favoured business users, and breached privacy rights by allowing Bell to access and collect the content of subscribers’ messages, without their consent.
In a health sector case, in May 2011 the B.C. Supreme Court issued an Order to proceed in a class action against the Provincial Health Services Authority over the collection and storage of B.C. and Yukon newborns’ blood.[xxi] The issue relates to the use of the stored information for medical research, and for indefinite storage, without permission.
Privacy litigation is still in its early stages in Canada. Many of the cases noted above are still at the preliminary stages, or have settled with little, if any, judicial pronouncement. The emergence in Canada of mandatory notification to individuals, and/or the Privacy Commissioner when a privacy breach has occurred,[xxii] although not yet fully enacted in Canada, will without doubt fuel litigation. The simple fact of being alerted to the potential of harm is enough to persuade some people to sue. Many companies are already aware of the potential first party costs associated with such notification, and the associated costs to mitigate and assess damages, such as crisis monitoring, public relations, IT security and forensics.
In this changing environment companies are taking more care to learn about these risks and to put in place effective solutions to them, including specialized Privacy and Network Liability Insurance. These products are not a one-size-fits-all solution. Expert advice in assessing risks and ensuring the proper insurance coverage is in place is essential.
[ii] thepeterboroughexaminer.com, “Seven PRHC jobs lost over privacy breaches”, May 5, 2012
[iii] Canadian Press, “BC Health Privacy Breach Affects Millions”, January 14, 2013
[iv] The Toronto Star, “PlayStation users plan class action suit for hacking”, May 3, 2011
[v] The Globe and Mail, “Canada’s privacy commissioner wants hefty fines for data breaches”, May 4, 2011
[vi] Rowlands v. Durham Region Health et al., 2011 ONSC 719 (CanLII)
[vii] carswellprivacylaw.wordpress.com/2012/06/14/the-cost-of-losing-stuff-the-durham-health-class-action-settlement
[viii] The Toronto Star, “Honda, RIM in law firms’ sites”, May 27, 2011
[ix] Jackson v. Canada, O.J. No. 2691 (Ont. S.C.)
[x] Speevak v. Canadian Imperial Bank of Commerce, O.J. No. 770
[xi] Waters v. DaimlerChrysler Financial Services Canada Inc., S.J. No. 382; Mazzona c. DaimlerChrysler Financial Services Canada Inc., 2008 QCCS 5084 (CanLII)
[xii] Wong v. TJX Companies, Inc., 2008 CanLII 3421 (ON SC)
[xiii] Jones v. Tsige, 2012 ONCA 32
[xiv] Compagnie d’assurances Standard Life c. Tremblay, 2010 QCCA 933
[xv] Landry v. Royal Bank of Canada, 2011 FC 687 (CanLII)
[xvi] Nesbitt v. Neufeld, 2010 BCSC 1605
[xvii] Nammo v. Transunion of Canada Inc.
[xviii] R. v. Skakun, 2011 BCPC 98 (CanLII)
[xix] Patrice St. Arnaud v. Facebook Inc., Quebec Superior Court File No. 500-06-00511-101
[xx] Union des consommateurs v. Bell Canada, J.Q. No. 16640
[xxi] L.D. (Guardian ad litem of) v. Provincial Health Services Authority, 2011 BCSC 628 (CanLII)
[xxii] Amendments to PIPEDA proposed in Bill C-29, expected to be enacted soon; amendments to Alberta PIPA enacted in Bill 54 in May 2010