BC class action alleging vicarious liability for employee’s snooping to proceed

19 Nov

Yesterday the Court of Appeal for British Columbia held that a class action alleging vicarious liability for breach of the British Columbia Privacy Act should not be struck.

The claim is based on an allegation that an ICBC employee improperly accessed the personal information of about 65 ICBC customers. The Court dismissed ICBC’s argument that the Privacy Act only contemplates direct liability because its statutory tort rests on wilful misconduct. The Court reasoned that a requirement of deliberate wrongdoing is not incompatible with vicarious liability.

ICBC also raised a seemingly dangerous policy question for a data breach defendant: “Should liability lie against a public body for the wrongful conduct of its employee, in these circumstances?” The Court said this question should be answered based on a full evidentiary record.

While allowing the vicarious liability claim to proceed, the Court held that the plaintiff could not found a claim on an alleged breach of the safeguarding provision in British Columbia’s public sector privacy act. It did consider whether to recognize a common law duty to abide by the safeguarding provision, but held that it should not do so based on policy grounds, including the need to defer to the comprehensive administrative remedial regime provided for by the legislature.

Ari v Insurance Corporation of British Columbia, 2015 BCCA 468 (CanLII).

Cybersecurity and data loss (short presentation)

8 Nov

Here’s a 10-minute presentation I gave to the firm yesterday that puts some trends in context and addresses recent breach notification amendments.

CORRECTION. I made a point in this presentation that the Bill 119 amendments to PHIPA remove a requirement to notify of unauthorized “access” – a positive add given the statute does not include a harms-related threshold for notification. Section 1(2) of the Bill, I have now noticed, amends the definition of “use” as follows: “The definition of ‘use’ in section 2 of the Act is amended by striking out ‘means to handle or deal with the information’ and substituting ‘means to view, handle or otherwise deal with the information.’” The removal of “access” from the breach notification provision will therefore not invite a change.

Duty to document in the news again

3 Nov

I finally got around to reading Access Denied – the British Columbia OIPC’s October 22nd bombshell of an investigation report on the processing of freedom of information requests.

You’ve likely heard about the OIPC’s finding that a Ministerial Assistant in the Ministry of Transportation and Infrastructure commandeered an executive assistant’s workstation to wilfully “triple delete” e-mails responsive to an FOI request. While shocking, you may be just as interested in the OIPC’s less headline-catching recommendation that government re-configure its e-mail system so e-mails cannot be deleted by users before they are captured in monthly backups “for investigative and legal purposes.” The OIPC doesn’t back this recommendation with many details, but it seems to treat backups as a data source with an all-too-routine reason to access.

You may also be interested in the OIPC’s recommendation to create a legislative duty to document. I’ve written about the duty to document in some detail in this June 2013 post.

In Ontario, amendments to FIPPA and MFIPPA relating to the preservation of records come into force on January 1st. Read more here.

Party defending against claim based on prior settlement does not waive settlement privilege

30 Oct

On September 30th, the Divisional Court held that a party defending against a claim based on a prior settlement does not waive settlement privilege. The Court reasoned as follows:

Consistent with such notions of fairness, we are satisfied that the LCBO has not waived settlement privilege in this case. The LCBO claims that Magnotta’s current actions advance the same claims as the prior settled proceedings, and we express no view on that assertion. However, the LCBO should, as a matter of fairness, be able to raise the settlement in its defence and in support of its proposed motion, without automatically losing the benefit of settlement privilege. In particular, the LCBO should be able to rely on the Minutes of Settlement for this purpose.

The defendant obtained a sealing order based on the public interest in encouraging parties to settle their disputes.

Magnotta Winery Corp v Ontario (Alcohol and Gaming Commission), 2015 ONSC 6234 (CanLII).

Privacy incidents, risks and liability – a legal update

7 Oct

Today I did a short update-style presentation at a session jointly sponsored by the Canadian Insurance Adjusters Association, the Canadian Defence Lawyers and the Canadian Insurance Claims Managers Association. It includes content on breach notification statutory changes and notable case law. Slides below.

How to manage a data security incident – Ten tips from a breach practitioner

25 Sep

Here’s a slide deck (including speaking notes) for a presentation I did today at LegalTech Toronto.

I aimed for something practical on the art of breach response by speaking to these ten tips:

  1. Initiate response ASAP
  2. Don’t rest on assumptions
  3. Keep the ball moving
  4. Don’t rush
  5. Obtain objective input
  6. Obtain technical input
  7. Take a broad view of notification
  8. Put yourself in their shoes
  9. Demonstrate commitment to doing better
  10. Apologize


Arbitrator says privacy concern did not justify altering records, wiping phone

22 Sep

On July 2nd, Arbitrator Peltz affirmed the discharge of a university support staff employee who altered billing records for his employer-owned cell phone and later wiped the phone after being directed to retrieve it so it could be examined.

The grievor worked in the university’s technology transfer office in a position of trust. After the university confronted him about excessive personal use of his phone, the grievor deleted parts of phone records that showed his calling history. These records were stored on a university shared drive and were therefore accessible to other employees in the grievor’s department. The grievor said he did this because he was concerned about the disclosure of his call history.

The university discovered the alterations. It called the grievor to an investigation meeting in which it heard the grievor’s position and advised the grievor that he would be placed on paid leave pending an examination of his cell phone and computer records. The grievor went to his office to retrieve his phone. When he did not return, his supervisor investigated and found the grievor wiping his phone. The grievor continued over his supervisor’s direction to stop, responding “I’m just deleting my personal information.”

Arbitrator Peltz found the grievor’s alteration of records to be culpable. He commented:

It is one thing to say that digital privacy is now highly valued in Canadian society. It is something else to claim a unilateral self help remedy without even consulting the employer whose records are being altered.

Arbitrator Peltz also held that the grievor was insubordinate because he intentionally frustrated the university’s plan to conduct a reasonable search. He said that the university had a reasonable concern about “all the grievor’s communications” and that due diligence required a “complete review, excepting personal matters.” Some effort to minimize the impact of the search may have been required according to Arbitrator Peltz, but the grievor should have stated his privacy concern rather than take matters into his own hands by wiping his phone.

University of Manitoba v Association of Employees Supporting Educational Services, 2015 CanLII 49535 (MB LA).

