Cyber legal update oct 7 2015
•Als PPTX, PDF herunterladen•
1 gefällt mir•2,553 views
Short legal update on law governing privacy incident response in Canada.
Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Ähnlich wie Cyber legal update oct 7 2015
Ähnlich wie Cyber legal update oct 7 2015 (20)
Mehr von Dan Michaluk
Mehr von Dan Michaluk (17)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Cyber legal update oct 7 2015
- 1. Privacy risks, incidents and liability - A legal update Dan Michaluk October 7, 2015
- 2. Statutory happenings • PIPEDA breach notification a game changer • "Breach of security safeguards" – loss, unauthorized access, disclosure • When there is a "real risk of significant harm" • Notification and reporting to individual, to the Commissioner and to organizations in a position to mitigate • All "as soon as feasible" 2
- 3. Statutory happenings • PHIPA amendment introduced • Breach definition narrowed slightly – stolen, lost, used or disclosed without authority (unauthorized access gone, thankfully) • Will continue to be no harm threshold • Will require advice of right to complain • Will require notification to IPC (threshold TBD) • Fines increased from $250,000 to $500,000 3
- 4. Direct-to-court claims are alive • Hopkins v Kay • A person may chose sue or complain to IPC • Suggests that "actual harm" + $10,000 cap for mental anguish is not an "adequate remedy" • Leave to appeal to SCC pending 4
- 5. Class actions are getting certified • It’s not clear how amenable breach claims are to the class action process • Common framing is negligence, not intentional intrusion • Negligence requires proof of damage = “serious and prolonged psychological injury” ≠ moral damages, damages for annoyance • Contractual liability can be expressly limited • Doctrine restricts contractual liability for non-$ loss 5
- 6. Class actions are getting certified • Evans - background • Unique, negative facts • Intentional theft of information • Admitted exposure to identity theft • Admitted flaws in “monitoring” • Privacy code promises information “will be kept secure” and only used for proper purposes 6
- 7. Class actions are getting certified • Evans - certified • Bases • Intentional intrusion + vicarious liability • Negligence • Breach of contract • Waiver of tort • Openness to compensate for $ loss not a barrier • Notification/risk group class is appropriate 7
- 8. Class actions are getting certified • Condon – background • Common, benign facts but large population • Lost hard drive never found • No basis in fact for pecuniary loss claim • Simple claim for “inconvenience, frustration and anxiety” 8
- 9. Class actions are getting certified • Condon – certified • Bases • Breach of contract – nominal damages • Intentional intrusion (!!!) • Appeal • add Negligence • add Breach of Confidence 9
- 10. Privacy risks, incidents and liability - A legal update Dan Michaluk October 7, 2015
Hinweis der Redaktion
- -This is the legal update -Up to the moment snapshot of the relevant Canadian law relating to data security incidents and liability
- -We now have commercial sector breach notification legislation -PIPEDA governs the handling and flow of personal information in the commercial sector (excluding BC, Alberta and Quebec) -It has been amended to incorporate a breach notification provision -Awaiting regulations before it comes into force -notification to individual , commissioner and organizations in a position to mitigate -breach definition is always significant – first question -this one is broad – it includes unauthorized access -reporting standard is significant – question two -reasonable to believe – objective standard -this one is the same as in Alberta -risk component -harm component -look to Alberta guidance -fairly low – TransAlta (?) e-mail breach – spear phishing risk
- -PHIPA was our first breach notification statute -Governs (essentially) information generated in the course of provision of health care in Ontario -CURRENT -broad breach definition, no harms-based notification standard -notification to affected individual alone -arguably caused a notification crises and a perceived data security problem -AMENDMENT (Bill 119) -unauthorized access is gone -in that first stage analysis you are now looking for improper "use" -more than access – "to handle or deal with" -plus… -advice of right to complain to IPC -notification to commissioner based on prescribed requirements
- -February 2015 decision of the Court of Appeal for Ontario -essential finding -an Ontario court can and should receive a lawsuit even if the lawsuit deals with subject matter that is governed by PHIPA -conversely, need not complain to the IPC, obtain a determination, then apply to court of a PHIPA remedy -does two things -no expert screening mechanism – health information custodians are fully exposed to class action claims -adds uncertainty in the governing rules (OHA argument) -leave to appeal to SCC will be decided any day now
- We are in an exploratory time. Courts have demonstrated an interest having a say -Hopkins is an example… class action case law is an example … Without "some basis in fact" for compensable harm, do you have a cause of action that can get off the ground? …. If you lose something Mess up It's a negligence claim (not an intentional intrusion a la Jones v Tsige) But negligence claims are classically flawed Run into serious problems in the USA …. Leaves you with contract, but contracts can be shaped ….. How do we get a class action claim certified when the only consequence low grade anxiety plus moral loss? – loss that flows from the breach of an intangible right
- -Bank -Employee theft -Used by bad actors for identity theft -Gave notice to 643 customers -Admitted lack of monitoring – "complete lack of oversight" -Yet the privacy code makes a promise of certainty
- Certified despite argument that the claim did not disclose a cause of action (plain and obvious test) -June 2014, leave to appeal to ONA denied in December 2014 -Intentional intrusion plus vicarious liability – not plain and obvious claim won't succeed -comments on intimacy of a bank-client relationship -final arbitration decision (for what it is worth) that finds no vicarious liability for snooping -Negligence -not surprising -some basis in fact for asserting compensable damage -Breach of contract -admitted implied term -Waiver of tort -waive torts and recover disgorgement of "wrongful gain" derived from lax data security -negligent supervision validly pleaded -can infer that bank earned additional profits from failing to adequately supervise -Class includes all those notified and not just 138 who have already identified as being exposed to identity theft
- -More benign facts = much more disturbing legal outcome -student loan applicants -lost, unencrypted external hard drive -583,000 individuals -name, dob, address, student loan balances and sin numbers -no basis in fact to believe there is any harm -the type of claim one could argue should not be heard -simple negligence claim -no basis in fact for any compensable damage -relates to the common breach response strategy -manage as a reputational issue -we care about you -we have nothing to hide -we'll deal with compensable harm
- -March 2014 certification decision, affirmed on appeal in July 2015 -indeed the negligence claim fails but…. …. -breach of contract succeeds -rests on various unqualified statements in application terms -judge arguably confused terms about routine purposes and security -dismisses argument that inappropriate to certify based on a mominal damages claim -intentional intrusion -loose analysis -fails to adequately deal with intent requirement IMHO … -appeal added in two claims struck because no pleading of compensable damages -costs incurred in preventing identity theft -out of pocket expenses -what about remoteness?
- -This is the legal update -Up to the moment snapshot of the relevant Canadian law relating to data security incidents and liability