Here’s a deck from a Monday panel presentation that I participated in with some colleagues from the sector. It features a cyber incident scenario and some questions. See if you can answer them, and if you’d like to have a discussion, please comment or get in touch.
Here’s a slide deck (including speaking notes) for a presentation I did today at LegalTech Toronto.
I aimed for something practical on the art of breach response by speaking to these ten tips:
- Initiate response ASAP
- Don’t rest on assumptions
- Keep the ball moving
- Don’t rush
- Obtain objective input
- Obtain technical input
- Take a broad view of notification
- Put yourself in their shoes
- Demonstrate commitment to doing better
On February 24th the Grievance Settlement Board (Ontario) held that an employer should provide a grievor with three days’ paid vacation as a remedy for the consequences of an (admitted) security breach. The breach apparently allowed other employees to read incident reports involving the grievor, who alleged this caused him psychological distress. The GSB made its finding after conducting an informal med-arb process.
On March 15th, the Grievance Settlement Board (Ontario) dismissed a grievance against the government for one employee’s intentional “snooping” into another employee’s employment insurance file.
Intentional unauthorized access to personal information by a trusted agent is a somewhat common scenario that has not yet been addressed by labour arbitrators. While arbitrators have taken jurisdiction over privacy grievances on a number of bases, privacy grievances have typically addressed intentional employer action – e.g. the administration of a drug test or the installation of a surveillance camera. This case raises an issue about an employer’s obligation to secure employee personal information and its liability for intentional access by another person. Can a reasonable safeguards duty arise inferentially out of the terms of a collective agreement? Is there some other source of jurisdiction for such claims? It is not clear.
The GSB ultimately finds jurisdiction in the Municipal Freedom of Information and Protection of Privacy Act, which it finds is an “employment-related statute” that can be the basis of arbitral jurisdiction. This is unfortunate because MFIPPA, in general, excludes employment-related records (and hence employees). There are now a handful of arbitral decisions that neglect to consider and apply the (very important) exclusion.
Having found jurisdiction rooted in MFIPPA, oddly, the GSB does not consider whether the government (or the Ministry’s head) failed to meet the MFIPPA “reasonable measures to prevent unauthorized access” security standard. Instead, it applied a vicarious liability analysis and dismissed the grievance. I’ll quote the GSB analysis in full:
41 Being guided by the principles set out in Re Bazley, I am of the view that the Employer is not vicariously liable for actions of Ms. X. Simply put, the “wrongful act” was not sufficiently related to conduct authorized by the Employer. Indeed, the accessing of the grievor’s EI file had nothing to do with the work assigned to employees. Employees were able to and indeed did access EI files but only in those instances where it was necessary to assist their clients.
42 The evidence established that the Employer had clear and sufficient policies regarding the protection of private information. Privacy matters were discussed with employees at the point that they were hired and although those policies could have and perhaps should have been formally reviewed more frequently by management, employees were reminded of their obligations frequently by way of a “pop up” upon entering their computers.
43 Further, Ms. Smith, a co-worker of the grievor, who testified for the Union was very forthright in her cross-examination that she knew that she was not to access the private information of anyone for her own interest. Moreover, this intrusion was the first time that she knew of anyone in the workplace doing such a thing. It might well be argued that this reinforces the view that the policy was known and followed in the workplace. Certainly there was no evidence of any other breach.
44 This intrusion was not an abuse of power. It was not an instance where someone with power over the grievor utilized their authority to carry out the wrong. It was a coworker — indeed I am of the view that it was the action of a rogue employee who, for her own purposes accessed the grievor’s EI file. It was not an action that could be seen to “further the Employer’s aims.” Indeed this activity was done without the sanction or knowledge of the Employer. I accept the Employer’s evidence that it knew nothing of the intrusion until being told by a coworker of the grievor and upon learning took immediate action to investigate and manage the issue and the Ms. X who received a significant suspension.
45 Finally, it must be recalled that this Board dismissed the grievor’s allegations that the Employer and her coworkers were bullying and harassing her in a separate decision. Accordingly it seems to me that it cannot be said that the intrusion into her EI records by Ms. X was “related to friction, confrontation or intimacy inherent in the employer’s enterprise.”
On November 14th the Supreme Court of Newfoundland and Labrador Trial Division held that the pleadings in a privacy breach class action disclose a reasonable cause of action.
Even for an application of the Hunt v Carey standard, the Court did not probe at the pleadings with any significant force. It:
- held that an alleged failure to establish safeguards was enough to found a “willful violation” claim;
- held that a question about whether Newfoundland’s statutory privacy tort could operate together with the common law vicarious liability doctrine should be determined at trial;
- held that the availability of the common law intrusion upon seclusion tort in Newfoundland should be determined at trial;
- allowed a negligence claim for distress and humiliation to proceed even though no specific psychiatric illness or prolonged psychological injury was pleaded because “the threshold of compensable harm will depend on the evidence at trial”; and
- held that the availability of a contract claim for non-economic loss should be determined at trial.
The Court struck claims for breach of statute, breach of the Charter and breach of fiduciary duty. The Court remains seized of the certification application.
Here’s a one hour private presentation my partner Jeff Goodman and I gave to a group of risk management professionals yesterday. I’d be happy to come to your organization and conduct a similar presentation if you’re interested. Please get in touch.
On November 23rd of last year the Alberta Court of Queen’s Bench issued an Anton Piller order based significantly on a concern for the privacy interest of customers whose information the plaintiff alleged had been stolen.
The plaintiff is a BMW dealership that was confronted with a regrettable breach of its sales and customer relationship management system when it failed to remove system privileges from a terminated manager. It alleged the manager gained unauthorized access to the system and downloaded the names, e-mail addresses and “other personal details” of about 5000 customers.
I won’t detail the record, but the Court noted that it contained gaps. It seemed to be swayed by the customer privacy interest at stake and stated that a public interest supported making the order:
I am satisfied that even if Beck is innocent of some or all of the allegations being made against him on an ex parte basis, Bavaria has a public interest and duty under the appropriate Privacy Act legislation, to do everything it can to preserve the integrity of information that appears to have gone missing or unaccounted from almost 5,000 of its customers that it had care and custody of, and that this Order is also in the public interest.
This statement does not make clear why the Court felt the preservation of evidence afforded by an Anton Piller would be privacy-protective. In some circumstances retrieving evidence of misuse might help non-parties mitigate, but perhaps this is really about allowing a plaintiff (and custodian) some assurance that lost personal information has been brought under control (without copies being stashed away). For another case in which an employer attempted to use non-party privacy in enjoining competitive conduct by a departed employee see here.