Yesterday, I happily gave a good news presentation on cyber claims legal developments to an audience of insurance defence lawyers and professionals at the Canadian Insurance Claims Managers Association – Canadian Independent Adjusters’ Association – Canadian Defence Lawyers joint session.
It was good news because we’ve had some recent case law developments create legal constraints on pursuing various common claims scenarios, namely:
- The lost computer, bag or other physical receptacle scenario – always most benign, with notification alone unlikely to give rise to compensable harm, a trial judgement looking positively at a one year credit monitoring offer and proof of causation of actual fraud a long shot at best
- The malicious outsider scenario – for the time being looking like it will not give rise to moral damages that flow from an intentional wrong (though this will be the subject of a Court of Appeal for Ontario hearing soon in Owsianik)
- The malicious insider scenario – partly addressed by a rather assertive Justice Perell finding in Thompson
We’re far from done yet, but as I say in the slides below, we’re at the early stages of an inflection point. I also give my cynical and protective practical advice – given the provable harms in the above scenarios flow mainly from the act of notification itself, notify based on a very strong analysis of the facts and evidence; never notify because there’s a speculative risk of unauthorized access or theft. Never a bad point to stress.
On January 6th, Justice Morgan certified a class proceeding that was based on a nurse’s unauthorized access to very basic personal health information – patient status and allergy information – so she could obtain prescription drugs.
Although there were no damages to support a negligence claim, Justice Morgan held that the cause of action criterion for certification of a privacy breach claim was met because, “an infringement of privacy can be ‘highly offensive’ without being otherwise harmful in the sense of leading to substantial damages.” (IMHO, this is correct.)
In otherwise assessing the quality of the nurse’s infringement, Justice Morgan distinguished Broutzas, in which Justice Perell declined to certify an action, in part, because the theft of address information from patients who had given birth at a hospital was not “highly offensive.” Justice Morgan said:
Counsel for the Plaintiff takes issue with this analysis. In the first place, he points out that the factual context of the Rouge Valley case is distinguishable from the case at bar in one important way: the patients/claimants in [Broutzas] were all in the hospital for the birth of a baby, which is perhaps the least confidential of reasons. Indeed, Perell J. recited the factual background of each patient making a claim in that case, and observed that one had announced their child’s birth and circulated photos of the new baby on social media, while another had done a Facebook posting in celebration of the birth of their new baby at the defendant hospital: Ibid, paras. 97, 106. As Plaintiff’s counsel here points out, the expectation of privacy in such circumstances is negligible.
Fair enough, but it’s nonetheless quite clear that not all judges value privacy the same way. The uncertainty in judge-made privacy law is palpable.
Stewart v. Demme, 2020 ONSC 83 (CanLII).
On June 24th, the Federal Court of Appeal overturned the certification of a number of causes of action in a class action that claims damages for the sending of a letter that identified the sender as the “Marihuana Medical Access Program.”
The intended recipients were, in fact, individuals authorized to possess medical marihuana. They claim the letter disclosed this fact and exposed them to various harms. The Federal Court certified the action last July based on a finding that the claim set out a number of valid causes of action.
The Federal Court of Appeal allowed the action to proceed based on a claim alleging that the government’s negligence (and breach of confidence) caused the following damage: costs incurred to prevent home invasion, costs incurred for other personal security, damage to reputation, loss of employment, reduced capacity for employment, and out of pocket expenses. The Court of Appeal affirmed that a claim for such damages is actionable and “not entirely speculative.”
The Federal Court of Appeal overturned certification of three other causes of action:
- It held that the pleading did not establish a valid claim of contractual breach because it set out no exchange of promises backed by valuable consideration. The existence of an enforceable contract was also not apparent in the circumstances given the arrangement between government and the representative plaintiff was invited and structured by statute.
- It held that the pleading did not establish a valid claim for public disclosure of private facts because the pleadings did not support a finding that the government “published” private facts: “…the concept of ‘publicity’ means that ‘the matter is made public, by communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.'”
- It held that the pleading did not establish a valid claim for intrusion upon seclusion because it did not support a finding of the required state of mind (i.e., intent or recklessness): “At best, the material facts pleaded support the notion that an isolated administrative error was made.”
The Court’s limitation of the claim to one based on negligence is significant because it precludes access to “moral damages.” While the Court said the pleaded special damages were not so speculative as to disallow the claim, it’s questionable whether the actual damages suffered by members of the class amount to much at all.
Canada v John Doe, 2016 FCA 191.
Yesterday the Court of Appeal for British Columbia held that a class action alleging vicarious liability for breach of the British Columbia Privacy Act should not be struck.
The claim is based on an allegation that an ICBC employee improperly accessed the personal information of about 65 ICBC customers. The Court dismissed ICBC’s argument that the Privacy Act only contemplates direct liability because its statutory tort rests on wilful misconduct. The Court reasoned that a requirement of deliberate wrongdoing is not incompatible with vicarious liability.
ICBC also raised a seemingly dangerous policy question for a data breach defendant: “Should liability lie against a public body for the wrongful conduct of its employee, in these circumstances?” The Court said this question should be answered based on a full evidentiary record.
While allowing the vicarious liability claim to proceed, the Court held that the plaintiff could not found a claim on an alleged breach of the safeguarding provision in British Columbia’s public sector privacy act. It did consider whether to recognize a common law duty to abide by the safeguarding provision, but held that it should not do so based on policy grounds, including the need to defer to the comprehensive administrative remedial regime provided for by the legislature.
Ari v Insurance Corporation of British Columbia, 2015 BCCA 468 (CanLII).