Ontario CA addresses claims arising out of IT security exploit

On January 11th, the Court of Appeal for Ontario dismissed an appeal of a decision that struck various pleadings of a former senior IT employee of Ontario and his family members, who the province alleges stole over $10 million by making fraudulent COVID benefit claims.

The Support for Families Program (SFFP) was launched quickly in April 2020 to help families with the cost of at-home learning. The IT employee helped develop the applications for the program, including its online application portal.

The province sued the employee and his family for allegedly stealing funds by making fraudulent applications and diverting them to bank accounts opened in the employee’s and his family members’ names – presumably by exploiting vulnerabilities known to the employee because of his duties. The province also alleges that the employee participated in and profited from a kick back scheme tied to the SFFP.

The employee has defended, and denies the allegations. In his defence, he pleaded contributory negligence – i.e., that the province was negligent in protecting itself against his alleged fraud. The family members – represented by the same counsel – say that the employee told them he used their personal information to open bank accounts in which to deposit the proceeds of fraud. Although they did not crossclaim against the employee, they counterclaimed against he province in intrusion upon seclusion and negligence.

The Court of Appeal affirmed the striking of these claims.

It held that a defendant to a fraud or unjust enrichment claim cannot raise contributory negligence as a defence. The Court explained that allowing for the defence would suggest that crime pays and unfairly punish organizations who do not take adequate steps to protect themselves.

It held that the intrusion upon seclusion claim is untenable because it is based on the employee’s alleged misuse of information entrusted to him by his family, not the employer’s enterprise or a risk created or excaberated by that enterprise.

It held that a negligence pleading properly framed to address the Crown’s immunity from tort liability would fail for a lack duty/proximity given the family members claimed to have no interaction with the province other than in respect of the province’s money that the employee transferred into their accounts.

Sometimes the best defence is a good offence. That was likely the motivation for these novel claims – perhaps an attempt to capitalize upon the province’s sensitivity to mismanagement claims. They were rightly struck, and organizations in Ontario who are defrauded by insiders can continue to breathe easy.

Ontario v. Madan, 2023 ONCA 18 (CanLII).

Intrusion upon seclusion is an intentional tort – Ont CA

The Court of Appeal for Ontario has addressed an important point about the intentionality element in the intrusion upon seclusion tort.

The Court dismissed an appeal by a nurse who claimed her employer’s liability insurer had a duty to defend her from claims that arose out of her unauthorized access to patient information. The issue was whether policy language limiting coverage for “expected” or “intended” injury applied, which required the Court to analyze whether an allegation that one has committed the intrusion tort is an allegation of intentional conduct.

The Court said “yes,” and made clear that recklessness is a form of intentional conduct:

Although the Jones decision does not contain a definition of “reckless,” it places reckless conduct side-by-side with intentional or deliberate conduct. Jones adopted the Restatement’s formulation of the tort as involving an intentional intrusion. As well, the decision limited claims for intrusion upon seclusion only to “deliberate and significant intrusions of personal privacy”: Jones, at para. 72. One cannot tease from the discussion in Jones any support for the proposition advanced by Ms. Demme that Jones’ inclusion of a reckless act within the tort of intrusion upon seclusion could involve unintentional conduct.

The Court also articulated the precise state of mind that meets the intentionality element:

For that tort, the relevant intention is the defendant’s intention to access private patient records. If that is demonstrated, the nature of the tort is such that the intention to access the records amounts to an intention to cause injury.

The appellant had argued that she lacked the intent to cause injury and therefore ought to have been covered.

Demme v. Healthcare Insurance Reciprocal of Canada, 2022 ONCA 503 (CanLII).

Privacy claim against documentary makers dismissed

On April 23rd, the Ontario Superior Court of Justice dismissed two privacy claims brought against the makers of a documentary – one based on the misappropriation of personality tort and the other based on the intrusion upon seclusion tort.

Wiseau (and others) brought the claims against the makers of a movie called Room Full of Spoons – a documentary about Wiseau and his own infamous movie, The Room. The Room has become notorious as one of the worst movies ever made. Room Full of Spoons disclosed Wiseau’s birthdate, birth name and place of birth, facts available to the public but not widely known, in part because Wiseau’s cultivation of mystery about his background.

Wiseau aggressively objected to the release of Room Full of Spoons, according to the Court, in part because he held a financial interest in a competing film. He obtained an injunction in 2017 that was held to have been improperly obtained, leaving Wiseau on the hook for $750,000 in damages.

In addition to making this damages order, Justice Schabas wrote a lengthy judgement that adresses fair dealing and related copyright issues, a passing off claim and various pre-trial and trial procedure issues. I’ll just address his disposition of the two privacy claims.

Justice Schabas dismissed the misappropriation of personality claim because Wiseau was a public figure who cultivated interest (and mystery) in his personality. The defendants’ use of Wiseau’s image to promote Room Full of Spoons (which was limited) was therefore not actionable. Justice Schabas followed Gould Estate, and held that use of Wiseau’s image served the purpose of contributing accurate information “to the public debate of political or social issues or of providing the free expression of creative talent” and was not primarily a means of “commercial exploitation.”

Justice Schabas dismissed the intrusion upon seclusion claim for reasons unrelated to the defendants’ right of expression, finding no “highly offensive” intrusion at all:

Wiseau has failed to make out the elements of the tort in this case. No personal details of the kind referred to in Jones v. Tsige were disclosed by the defendants. Rather, what was disclosed was Wiseau’s birthplace, his birthdate, and the name he was given at birth and had as a child in Poland. This information was available from public sources, which is how the defendants obtained and confirmed it. Wiseau may be sensitive about this information because he has cultivated an aura of mystery around it, but disclosure of these facts is not, objectively speaking, something which can be described as “highly offensive.”

The idea that Wiseau’s privacy claim could not be sustained because his information was publicly available is significant, though consistent with traditional notions of privacy and confidentiality.

Wiseau Studio, LLC et al. v. Harper et al., 2020 ONSC 2504 (CanLII).

Broutzas narrowed, privacy action certified, uncertainty abounds

On January 6th, Justice Morgan certified a class proceeding that was based on a nurse’s unauthorized access to very basic personal health information – patient status and allergy information – so she could obtain prescription drugs.

Although there were no damages to support a negligence claim, Justice Morgan held that the cause of action criterion for certification of a privacy breach claim was met because, “an infringement of privacy can be ‘highly offensive’ without being otherwise harmful in the sense of leading to substantial damages.” (IMHO, this is correct.)

In otherwise assessing the quality the nurse’s infringement, Justice Morgan distinguished Broutzas, in which Justice Perell declined to certify an action, in part, because the theft of address information from patients who had given birth at a hospital was not “highly offensive.” Justice Morgan said:

Counsel for the Plaintiff takes issue with this analysis. In the first place, he points out that the factual context of the Rouge Valley case is distinguishable from the case at bar in one important way: the patients/claimants in [Broutzas] were all in the hospital for the birth of a baby, which is perhaps the least confidential of reasons. Indeed, Perell J. recited the factual background of each patient making a claim in that case, and observed that one had announced their child’s birth and circulated photos of the new baby on social media, while another had done a Facebook posting in celebration of the birth of their new baby at the defendant hospital: Ibid, paras. 97, 106. As Plaintiff’s counsel here points out, the expectation of privacy in such circumstances is negligible.

Fair enough, but it’s nonetheless quite clear that not all judges value privacy the same way. The uncertainty in judge-made privacy law is palpable.

Stewart v. Demme, 2020 ONSC 83 (CanLII).

ONSC affirms damages award for “friend’s” leak of work schedule

On April 8th, the Ontario Superior Court of Justice affirmed a $1,500 damages award for a privacy breach that entailed the disclosure of information that the defendant received because she was the plaintiff’s social media friend.

The plaintiff and defendant were pilots who worked for the same airline. The plaintiff shared his work schedule with the defendant though an application that allowed him to share his information with “friends” for the purpose of mitigating the demands of travel. The airline also maintained a website that made similar information available to employees. The defendant obtained the schedule information through one or both of these sites and shared it with the plaintiff’s estranged wife.

There are a number of good issues embedded in this scenario. Is a work schedule, in this context, personal information? Does one have an expectation of privacy in information shared in this context? Does the intrusion upon seclusion tort proscribe a disclosure of personal information?

The appeal judgement is rather bottom line. In finding the plaintiff had a protectable privacy interest, the Court drew significance from the airline’s employee privacy policy. It said:

The policy of Air Canada, that must be followed by all employees, emphasises the privacy rights of the employees. This policy specifically prohibits any employee from disseminating personal information of another employee to third parties without express permission of the other employee. The sharing of personal information between employees is clearly restricted for work related purposes only. Permission to review and obtain this information is not given unless it is for work related purposes. If the information is reviewed and used for any other purpose, this results in conduct that constitutes an intentional invasion of the private affairs or concerns. In addition, I find that a reasonable person would regard this type of invasion of privacy as highly offensive and causing distress, humiliation and anguish to the person.

The defendant did not appeal the $1,500 damages award.

John Stevens v Glennis Walsh, 2016 ONSC 2418 (CanLII).

Ontario decision suggests corporation can sue for breach of privacy

On February 19th, the Ontario Superior Court of Justice declined to strike a pleading that alleged a company unlawfully interfered with a competitor’s economic relations by receiving confidential information about a client (BC Cancer) that was sought after by both organizations. The Court held that the pleading was sustainable because BC Cancer had an arguable claim against the recipient organization based on the “intrusion upon seclusion” tort, suggesting that the tort is available to natural persons and corporations. As stressed by the Court, on a motion to strike a court errs on the side of permitting a novel but arguable claim to proceed to trial.

Fundraising Initiatives v Globalfaces Direct, 2015 ONSC 1334 (CanLII).