Publication

6 (Liability) Reasons to Mitigate Your Privacy & Data Breach Risks

Published:

December 16, 2021

Author(s):

• David Fraser
• Sarah Anderson Dykema, CIPP/C, CIPM, AIGP

Share

Print

Updated October 7, 2024.

The name of the game is to have a plan to mitigate the risk that a data breach will happen – but be ready when it does. According to the August 2024 Canadian Internet Registration Authority (CIRA) Cybersecurity Survey, of the organizations surveyed about the prior 12 months: 44% experienced an attempted or successful cyber attack in the prior 12 months; 28% experienced a successful ransomware attack and of those, 73% indicated data was exfiltrated; and 38% experienced a breach of customer and/or employee data. And while the cyber security risks inherent in remote and hybrid work arrangements still exist, concerns about the cyber security risks generative AI poses seems to have surpassed those about remote workers. According to CIRA’s 2024 Survey, 70% of organizations worried about potential cyber threats from generative AI. When a data breach does happen, your organization will face exposure on several fronts – including legal claims by those whose privacy rights were affected by the breach. Here’s a look at who sues after a data breach, the privacy breach class action trend, and a rundown of the key legal claims for privacy breaches that can be made in Canada.

Civil Lawsuit Exposure

When a data breach occurs, there are several sources of exposure your organization will be staring down: statutory penalties, against both the organization and potentially its directors personally, for breach of relevant privacy laws like the Digital Privacy Act (and in the future, much higher penalties under the proposed Consumer Privacy Protection Act, the anticipated replacement of Canada’s general privacy statute, PIPEDA); a (typically public) privacy commissioner investigation, and the related organizational and legal time and costs; negative publicity and reputational damage; the costs of being unable to carry on business, and potentially closing; and, of course, the inevitable privacy breach civil lawsuits that now seem to follow every significant data breach:

• Consumers suing the organization for exposing their personal (often sensitive financial) information.
• Banks suing the organization for the cost of compensating consumers for financial losses or replacement of financial information (for example, credit card replacements).
• Shareholders and investors suing the organization and its directors personally (derivative actions) for decreased share values.

The Data Breach Class Action Trend

Privacy breach lawsuits are already common in the U.S. and are increasingly common in Canada. The latest trend: data breach class action lawsuits, of which there are over 80 pending in Canada. And most lawsuits don’t just allege a single legal wrong; they allege multiple wrongs for the same privacy breach, many of which can overlap and interlock, primarily because the legal requirements for each is different. This approach is particularly so in privacy or data breach class actions, when actually continuing to a full trial is rare and the allegedly injured parties seek to certify as many bases for their claim to increase their leverage to negotiate a settlement. And settlement is often the outcome. So far, only one Canadian class action lawsuit has been decided on its merits by a court: in March 2021, the Quebec Superior Court dismissed a privacy breach class action in Lamoureux v. Investment Industry Regulatory Organization of Canada (IIROC). This decision is based on the Quebec Civil Code, so only applies in the province of Quebec, but the court’s positive assessment of the defendant’s conduct in response to the breach is instructive to all organizations, regardless of location.

Courts must approve class action lawsuit settlements, and these approvals are usually published. Therefore, we know that generally, the per capita general damages awarded are often “miniscule”, to use the words of the Ontario Superior Court of Justice from the 2021 decision approving the settlement of the data breach class action lawsuit in Karasik v. Yahoo!. But the total settlement generally isn’t: for instance, it cost the defendant in the Yahoo! case approximately $20.3M – plus the organizational and legal time and costs, the negative publicity and reputational damage, and business disruption the defendant experienced as a result of the breach and the class action lawsuit. And since none have yet proceeded to a full trial, the damages a court would award remain to be seen. We also know that plaintiffs face some big obstacles in proving they suffered compensable damage in a privacy breach claim (class action or not). These obstacles could increasingly be a barrier to even getting a class action certified in Canada, as, for example, in the Alberta Court of Appeal’s 2023 decision in Setoguchi v. Uber B.V. dismissing a certification application for a privacy breach class action. But plaintiffs and their counsel continue to test the privacy breach class action waters, with decisions beginning to emerge delineating the scope of liability for privacy breaches.

6 Key Legal Privacy Breach Claims

The law around civil claims for privacy and data breaches has been incrementally developing over time. But the COVID-19 pandemic is increasing data breach attempts and successes, which will likely accelerate the development of the law in this space. Here’s a rundown of six key legal claims that, to date, we’re seeing made against a party for breaching another’s privacy rights in Canada.

1. Intrusion Upon Seclusion

In 2012, the Ontario Court of Appeal officially recognized a new civil claim for invasion of privacy in Canada: “intrusion upon seclusion”. In the case that kicked off the privacy lawsuit explosion in Canada, Jones v. Tsige, the employee consistently and repeatedly snooped into a single co-worker’s records. The decision confirmed that to establish that the defendant is liable for intrusion upon seclusion, the plaintiff must prove the defendant:

• Intruded on their seclusion or private affairs, physically or otherwise.
• Did so intentionally or recklessly.
• Did so without lawful justification.
• That intrusion would be highly offensive to a reasonable person, causing distress, humiliation or anguish.

The plaintiff doesn’t have to prove they suffered a financial loss, but courts have said that any award in a case without a direct financial loss should be modest, though still enough to recognize the wrong done. In the Jones case, the Court decided a range up to $20,000.00 (about $23,000 in 2021) is appropriate for intrusion upon seclusion that didn’t entail financial loss, and summarized the factors relevant to determining where in that range of damages a particular case would fall: 

• The nature, incidence and occasion of the defendant’s intrusion.
• The effect of the intrusion on the plaintiff’s health, welfare, social, business or financial position.
• Any relationship, domestic or otherwise, between the parties.
• Any distress, annoyance or embarrassment the plaintiff suffered as a result of the intrusion.
• The parties’ conduct before and after the intrusion, including any apology or offer of amends the defendant made.

In Jones, the Court decided the defendant employee did commit intrusion upon seclusion by repeatedly viewing her co-worker’s bank record, and ordered she pay the plaintiff employee $10,000.00 (about $11,500 in 2021).

Until recently, an outstanding question was whether the “reckless” requirement means an organization that didn’t properly handle or safeguard information it held could be liable for intrusion upon seclusion where a third party hacked into that information. But in a trilogy of November 2022 cases (Owsianik v. Equifax Canada Co., Winder v. Marriott International Inc. and Obodo v. Trans Union of Canada), the Ontario Court of Appeal answered this question with a “no”: only the party that actually does the intruding can be liable for intrusion upon seclusion. However, the organization that was hacked is still exposed to liability on some other basis, like negligence or breach of contract – but those claims require the plaintiff to prove they suffered a pecuniary loss, which in many such cases, will be a hurdle the plaintiff can’t overcome (though the breach of confidence claim, which courts are still scrutinizing, doesn’t require proof of damages). And while these decisions are only binding in Ontario, they will be persuasive in other Canadian jurisdictions.

2. Publicity to Private Life (aka Public Disclosure of Private Facts)

In January 2016, the Ontario Superior Court of Justice dramatically expanded the liability exposure for breach of privacy when it recognized a legal claim for “publicity to private life”, also known as “public disclosure of private facts”. The case, Doe 464533 v. D., wasn’t a business case; it involved “revenge porn”. But the claim could equally apply to data breaches by businesses that are the custodians of sensitive personal information, particularly if they hold it “in confidence” – which implicitly includes any information the business holds under the Personal Information and Electronic Documents Act (PIPEDA) (or it’s possible successor, the Consumer Privacy Protection Act). To succeed in a claim for public disclosure of private facts, the plaintiff must prove:

• There’s a public disclosure of facts.
• The publicly disclosed facts are private facts.
• The facts disclosed would be offensive and objectionable to a reasonable person.

Some U.S. courts, where this claim has been in existence longer, also require that the plaintiff prove the absence of any waiver or privilege. However, it’s not yet clear whether this is a requirement in Canada.

Since Canadian courts have only recently recognized this type of privacy breach claim, its full parameters haven’t yet been fully developed in Canadian law. However, the thrust of the decisions so far seems to be that it’s the actual wrong-doer (for example, the hacker) that would be liable (if at all) for the public disclosure of private facts, not the organization that was the original custodian of the information (that is, the hacked organization). For example, in Kaplan v. Casino Rama, a 2019 cyber-extortion case, the claimants sued the subject of the cyber-extortion for intrusion upon seclusion, publicity to private life, negligence, breach of confidence and breach of contract. The Ontario Superior Court of Justice (noting there wasn’t yet any appeal court decision confirming publicity to private life is, indeed, a valid claim in Ontario) excluded the claim of publicity to private life because the business that was the subject of cyber-extortion wasn’t the entity that might have actually made the information public. In another 2016 case, Canada v. John Doe, the Federal Court of Appeal struck the claim for publicity to private life from a privacy class action on the basis the facts set out in the claim didn’t meet the wide publicity criteria. In comparison, in the Doe 464533 case, the defendant posted an intimate video of the plaintiff on a publicly accessible website.

3. Negligence

Parties have relied on negligence to address privacy claims, particularly where alleged carelessness or lax security has resulted in unauthorized disclosures of personal information. For example, the Federal Court of Appeal certified a class action against the government of Canada based on (among other claims) negligence for the disclosure of personal health information in its 2015 decision in Condon v. Canada. Similarly, the Federal Court certified a class action against the government of Canda based on (among other things) “systemic” negligence for two data breaches in its 2022 decision in Sweet v. Canada. To succeed in a negligence claim, the plaintiff must prove:

• They suffered some damage.
• They weren’t contributorily negligent or didn’t voluntarily assume the risk.
• The defendant’s conduct caused the damage the plaintiff suffered.
• The defendant owed the plaintiff a duty, which the law recognizes, to avoid this damage.
• The defendant’s conduct was negligent, that is, it breached the legal standard of care.
• The defendant’s conduct was a proximate or legal cause of the damage; the damage isn’t too remote a result of the defendant’s conduct.

The existence of the regulatory statutes can serve to establish both the duty of care and the standard of care for protecting personal information from misuse. The advantage to a plaintiff to sue for negligence in a privacy breach lawsuit is that courts are familiar with it: they understand it and accept it. A disadvantage to plaintiffs compared to the other privacy breach claims is that the plaintiff must prove it suffered damages, which could be too onerous in many situations. For example, in many large data security or privacy breaches, the plaintiff claims they suffered an increased risk of harm related to identity theft or fraud, or fear of it happening and, in part, the cost of measures taken to mitigate harm (for example, credit monitoring, changing payment cards, and so on). Courts have, however, generally shrugged this off as just part of ordinary life and the claim fails for lack of compensable harm. But if the plaintiff can show real, tangible harm, then negligence is a viable foundation for a privacy claim.

4. Breach of Confidence

Breach of confidence is the “one to watch” when it comes to lawsuits for privacy breaches. One advantage for a plaintiff – and detriment to a defendant – of a breach of confidence claim is that it’s an “equitable” claim: courts have great latitude to fashion appropriate remedies, including non-monetary damages like ordering a defendant to do (or not to do) certain things, removing from a defendant the profit it gained from lax security practices that led to the breach of confidence, or ordering aggregate damages to a class of plaintiffs. In some countries, such as Australia, breach of confidence is one of the main types of privacy breach claims. But in Canada, while breach of confidence is a common claim in trade secret litigation and privacy breach class action lawsuits often include it, there aren’t yet any Canadian court decisions on its merits in a privacy context. However, it seems the plaintiff must prove:

• Information is communicated in confidence.
• The party that received the information “misuses” it.

One unresolved question is whether the plaintiff must also prove the misuse was detrimental to them. A second unresolved question is whether “misuse” is possible without the wrong-doer’s intention. On this, courts have gone both ways. in each of the 2015 Condon v. Canada and the 2016 John Doe v. Canada cases, the Federal Court of Appeal certified a class action against the government of Canada based on a claim for breach of confidence for the disclosure of personal information. In contrast, its 2019 decision in Kaplan v. Casino Rama, the Ontario Superior Court of Justice refused to permit the breach of confidence claim to go forward in a cyber-extortion case, deciding the defendant’s failure to prevent the cyber-attack wasn’t “misuse” of disclosed information. Similarly, in its 2020 decision in Tucci v. Peoples Trust Company, the British Columbia Court of Appeal refused to certify a class action claim for breach of confidence because the “misuse” of the information must be intentional, not “inadvertent”. In its 2022 decision in Sweet v. Canada, the Federal Court acknowledged the divided case law on this issue of “misuse” but chose to follow the Federal Court of Appeal and certified a class action claim for breach of confidence.

5. Breach of Contract

If the party claiming another has breached its privacy, and there’s a contract between the parties, the privacy breach might support a claim for a breach of contract, especially if the contract includes any commitment to secure personal information. The plaintiff must prove:

• There’s a binding contract between the plaintiff and defendant.
• The defendant breached an express or implied term of the contract.
• The breach caused the plaintiff to suffer a loss.

The advantage of a breach of contract claim for plaintiffs is that, like negligence, courts are familiar with them. An example in which a breach of contract claim was included in a privacy lawsuit certified as a class action is the 2019 Ontario Superior Court decision in Agnew-Americano v. Equifax Canada. But not every privacy violation involves a contract between parties – and not every contract includes privacy-related provisions that can be the subject of a breach claim. That said, however, a breach of contract claim can be based on a privacy policy if a court decides that policy amounts to a standalone contract or is incorporated into a company’s more general service-related agreement.

6. Statutory Lawsuit for Breach of Privacy

Five Canadian provinces have created a statutory lawsuit for invasion of privacy: British Columbia, Manitoba, Saskatchewan, Newfoundland and Labrador, and Quebec. In each, the language is relatively broad, and they parallel each other. The British Columbia statute allows a person to make a claim, without requiring proof of loss, against a person who willfully and without right violates their privacy. Other provinces have similar language, but also provide examples of what could be a privacy violation. The Newfoundland and Labrador and Quebec statutes, for instance, call out the use of personal documents without consent.

British Columbia courts, such as the B.C. Supreme Court in Tucci v. People’s Trust Company, have consistently decided the existence of the B.C. Privacy Act effectively ousts the common law claims of breach of privacy and intrusion upon seclusion. While the British Columbia Court of Appeal, in the same case, commented that given the critical role of data in people’s lives, the Court may want to reconsider this position, the plaintiffs didn’t appeal the decision on this issue so the Appeal Court didn’t address it.

The Consumer Privacy Protection Act (CPPA), which is currently under Committee review in Parliament, is expected to create a new privacy breach legal claim. Under the CPPA, an individual would be able to sue an organization (within two years) for a data breach where the federal Privacy Commissioner decides that organization violated an individual’s privacy under the Act, if the Personal Information and Data Protection Tribunal upholds that finding. An individual can bring their claim in both the federal and provincial courts, leading to a multiplicity of duplicate proceedings across the country. And this is on top of the significant new fines for breaching the CPPA.

Please contact your McInnes Cooper lawyer or any member of our Privacy, Data Protection & Cyber Security Team @ McInnes Cooper to discuss how we can help you deal with the legal risks of data breaches.

Share

Print