2. Statutory happenings
• PIPEDA breach notification a game changer
• "Breach of security safeguards" – loss, unauthorized
access, disclosure
• When there is a "real risk of significant harm"
• Notification and reporting to individual, to the Commissioner and to organizations in a position to mitigate
• All "as soon as feasible"
3. Statutory happenings
• PHIPA amendment introduced
• Breach definition narrowed slightly – stolen, lost, used or disclosed without authority (unauthorized access gone, thankfully)
• Will continue to be no harm threshold
• Will require advice of right to complain
• Will require notification to IPC (threshold TBD)
• Fines increased from $250,000 to $500,000
4. Direct-to-court claims are alive
• Hopkins v Kay
• A person may choose to sue or to complain to the IPC
• Suggests that "actual harm" + $10,000 cap for mental anguish is not an "adequate remedy"
• Leave to appeal to SCC pending
5. Class actions are getting certified
• It’s not clear how amenable breach claims are to the class action process
• Common framing is negligence, not intentional intrusion
• Negligence requires proof of damage
= “serious and prolonged psychological injury”
≠ moral damages, damages for annoyance
• Contractual liability can be expressly limited
• Doctrine restricts contractual liability for non-$ loss
6. Class actions are getting certified
• Evans - background
• Unique, negative facts
• Intentional theft of information
• Admitted exposure to identity theft
• Admitted flaws in “monitoring”
• Privacy code promises information “will be kept secure” and only used for proper purposes
7. Class actions are getting certified
• Evans - certified
• Bases
• Intentional intrusion + vicarious liability
• Negligence
• Breach of contract
• Waiver of tort
• Openness to compensate for $ loss not a barrier
• Notification/risk group class is appropriate
8. Class actions are getting certified
• Condon – background
• Common, benign facts but large population
• Lost hard drive never found
• No basis in fact for pecuniary loss claim
• Simple claim for “inconvenience, frustration and anxiety”
9. Class actions are getting certified
• Condon – certified
• Bases
• Breach of contract – nominal damages
• Intentional intrusion (!!!)
• Appeal
• add Negligence
• add Breach of Confidence
-This is the legal update
-Up to the moment snapshot of the relevant Canadian law relating to data security incidents and liability
-We now have commercial sector breach notification legislation
-PIPEDA governs the handling and flow of personal information in the commercial sector (excluding BC, Alberta and Quebec)
-It has been amended to incorporate a breach notification provision
-Awaiting regulations before it comes into force
-notification to individual, commissioner and organizations in a position to mitigate
-breach definition is always significant – first question
-this one is broad – it includes unauthorized access
-reporting standard is significant – question two
-reasonable to believe – objective standard
-this one is the same as in Alberta
-risk component
-harm component
-look to Alberta guidance
-fairly low – TransAlta (?) e-mail breach – spear phishing risk
-PHIPA was our first breach notification statute
-Governs (essentially) information generated in the course of provision of health care in Ontario
-CURRENT
-broad breach definition, no harms-based notification standard
-notification to affected individual alone
-arguably caused a notification crisis and a perceived data security problem
-AMENDMENT (Bill 119)
-unauthorized access is gone
-in that first stage analysis you are now looking for improper "use"
-more than access – "to handle or deal with"
-plus…
-advice of right to complain to IPC
-notification to commissioner based on prescribed requirements
-February 2015 decision of the Court of Appeal for Ontario
-essential finding
-an Ontario court can and should receive a lawsuit even if the lawsuit deals with subject matter that is governed by PHIPA
-conversely, need not complain to the IPC, obtain a determination, then apply to court for a PHIPA remedy
-does two things
-no expert screening mechanism – health information custodians are fully exposed to class action claims
-adds uncertainty in the governing rules (OHA argument)
-leave to appeal to SCC will be decided any day now
We are in an exploratory time. Courts have demonstrated an interest in having a say
-Hopkins is an example… class action case law is an example
…
Without "some basis in fact" for compensable harm, do you have a cause of action that can get off the ground?
….
If you lose something
Mess up
It's a negligence claim (not an intentional intrusion a la Jones v Tsige)
But negligence claims are classically flawed
Run into serious problems in the USA
….
Leaves you with contract, but contracts can be shaped
…..
How do we get a class action claim certified when the only consequence is low-grade anxiety plus moral loss? – loss that flows from the breach of an intangible right
-Bank
-Employee theft
-Used by bad actors for identity theft
-Gave notice to 643 customers
-Admitted lack of monitoring – "complete lack of oversight"
-Yet the privacy code makes a promise of certainty
Certified despite argument that the claim did not disclose a cause of action (plain and obvious test)
-June 2014, leave to appeal to ONA denied in December 2014
-Intentional intrusion plus vicarious liability – not plain and obvious that the claim won't succeed
-comments on intimacy of a bank-client relationship
-final arbitration decision (for what it is worth) that finds no vicarious liability for snooping
-Negligence
-not surprising
-some basis in fact for asserting compensable damage
-Breach of contract
-admitted implied term
-Waiver of tort
-waive torts and recover disgorgement of "wrongful gain" derived from lax data security
-negligent supervision validly pleaded
-can infer that bank earned additional profits from failing to adequately supervise
-Class includes all those notified and not just 138 who have already identified as being exposed to identity theft
-More benign facts = much more disturbing legal outcome
-student loan applicants
-lost, unencrypted external hard drive
-583,000 individuals
-name, DOB, address, student loan balances and SIN numbers
-no basis in fact to believe there is any harm
-the type of claim one could argue should not be heard
-simple negligence claim
-no basis in fact for any compensable damage
-relates to the common breach response strategy
-manage as a reputational issue
-we care about you
-we have nothing to hide
-we'll deal with compensable harm
-March 2014 certification decision, affirmed on appeal in July 2015
-indeed the negligence claim fails but….
….
-breach of contract succeeds
-rests on various unqualified statements in application terms
-judge arguably confused terms about routine purposes and security
-dismisses argument that it is inappropriate to certify based on a nominal damages claim
-intentional intrusion
-loose analysis
-fails to adequately deal with intent requirement IMHO
…
-on appeal, added back two claims that had been struck because there was no pleading of compensable damages
-costs incurred in preventing identity theft
-out of pocket expenses
-what about remoteness?