Legal Risks and Damages: State of the Law


Privacy and Data Breach

Legal Risks and Damages: State of the Law

Ted Charney

Principal, Charney Lawyers

Prepared for Osgoode Professional Development Conference Data Breaches: Avoidance Preparedness and Response, March 2, 2015

Factors that make a data/privacy breach suitable for class proceedings

• Data breaches where personal/financial information has been compromised through theft/hacking.

• Data breaches where unencrypted personal/financial information is electronically stored on a portable device which is lost.

• Some basis in fact that individuals affected by the breach are either victims of identity theft/fraud or have incurred expenses and inconvenience in taking steps to protect their credit reputation.

Current Trends in Privacy Breach Class Action Litigation

• Poor information management practices

• Employee theft

• Hacking

• Malware

Poor Information Management Practices: Condon v. Canada

• In or around November 2012, an unencrypted portable storage device went missing, containing the personal information of 580,000 Canadians who received student loans.

• The device included the names, addresses, phone numbers, social insurance numbers and outstanding debt obligations of the students.

• The device has never been recovered. The plaintiffs’ position is that the device was stolen.

• A national class action was certified by the Federal Court on March 17, 2014.

Poor Information Management Practices: Condon v. Canada

The Report of the Privacy Commissioner on the Investigation into the loss of the hard drive at Employment and Social Development Canada read: “ESDC’s failure to implement the appropriate safeguards to protect the personal information in question has created a significant risk for unauthorized access, use or disclosure – the very threats that the Government of Canada is entrusted to protect it from. Of great concern is the volume and sensitivity of the personal information contained on the external hard drive – information that could, in the wrong hands, lead to identity theft or fraud.”

Poor Information Management Practices: Belley c. TD Auto Finance Services Inc.

• On March 12, 2008, an external hard drive containing the unencrypted personal information of 240,000 customers was lost in transit. The empty envelope which contained the hard drive was found in the delivery truck.

• Initially, a Quebec class action for this data breach called Mazzonna c. DaimlerChrysler Financial Services Canada Inc., 2012 QCCS 958 was dismissed in 2013.

• The class action was then reformulated with a different plaintiff called Belley and certified on January 19, 2015.

Poor Information Management Practices: John Mark Jacques et al. v. Canada

• In or around November 2012, an external hard drive containing the personal information of 5,000 Canadians who applied for pensions, disability benefits, old age security benefits, employment insurance or child care tax credits went missing.

• The hard drive has not been recovered.

• The certification motion is pending for this class action.

Poor Information Management Practices: Christopher Grant et al. v. Hopital Montfort

• On November 26, 2012, a USB key containing the personal information of 25,000 Montfort hospital patients was reported lost.

• The USB key contained the names, dates and codes representing the medical services received and codes representing the referring and receiving health care providers of the patients.

• A class action was commenced against Hopital Montfort. The class action will be discontinued because the USB key has since been recovered by a good Samaritan.

Poor Information Management Practices: John Doe v. Canada

In or around November 2013, the Federal Government mailed letters to 40,000 individuals across Canada where the return address on the envelopes was the Marijuana Medical Access Program.

Employee Theft: Rouge Valley

Class actions have been commenced on behalf of 14,450 new mothers who gave birth at one of the two Rouge Valley hospitals between July 9, 2009 and April 15, 2014 whose personal information was illegally accessed and stolen by clerical staff at Rouge Valley Health System, who sold the personal information to RESP companies.

Employee Theft: Hopkins v. Kay

Between 2011 and 2012, approximately 280 patient records at Peterborough Regional Health Centre were improperly accessed and disseminated to third parties by employees of the defendant, without the consent of the patients.

Employee Theft: Evans v. Wilson

• A mortgage administration officer of the Bank of Nova Scotia provided the financial information of 643 customers to his girlfriend, who disseminated the private information to third parties for fraudulent and improper purposes. 138 of these customers reported that they were victims of identity fraud or theft.

• On June 6, 2014, the Ontario Superior Court of Justice certified the class action.

Hacking: Tucci v. Peoples Trust Company

• On October 25, 2013, Peoples Trust notified 12,000 – 13,000 clients that an online application database containing their personal information was compromised by unauthorized internet access originating in the People’s Republic of China.

• Peoples Trust discovered the breach when its customers complained of “phishing” attempts.

Hacking: Zuckerman v. Target

• In November 2013, the Target chain of stores experienced a cyber-attack on the computer network that processes retail transactions. The compromised information included names, phone numbers, home addresses, credit and debit card numbers, PIN numbers, expiration dates, magnetic strip information and passwords for 700,000 Canadians.

• A motion to authorize the bringing of a class action in negligence was filed with the Quebec Superior Court on November 14, 2014.

Malware: Harris v. ComScore Inc.

• A class action in the United States was brought on behalf of over 10 million class members, alleging that comScore’s software failed to disclose to users the extent to which their personal information would be collected and sold.

• The class action was certified in April 2013. On appeal, the Seventh Circuit of Appeals in Chicago refused to question the ruling.

• In June 2014, the class action settled for $14 million.

Malware: Canada Anti-Spam Law

Installation of computer program

8. (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless

(a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5); or

(b) the person is acting in accordance with a court order.

9. It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of sections 6 to 8.

Malware: Canada Anti-Spam Law

Application

47. (1) A person who alleges that they are affected by an act or omission that constitutes a contravention of any of sections 6 to 9 of this Act … may apply to a court of competent jurisdiction for an order under section 51 against one or more persons who they allege have committed the act or omission …

Order

51. (1) If, after hearing the application, the court is satisfied that one or more persons have contravened any of the provisions referred to in the application, the court may order the person or persons, as the case may be, to pay the applicant

(a) compensation in an amount equal to the actual loss or damage suffered or expenses incurred by the applicant; and

(b) a maximum of

(ii) in the case of a contravention of section 7 or 8, $1,000,000 for each day on which a contravention occurred,

(v) in the case of a contravention of section 9 resulting from aiding, inducing or procuring, or causing to be procured, the doing of an act contrary to section 7 or 8, and if a contravention of either of those sections has resulted, $1,000,000 for each day on which a contravention of section 7 or 8, as the case may be, occurred.

Types of Damages that are Recoverable in Privacy Class Actions: Breach of Contract

• Claims for breach of contract do not require proof of actual damages. In contract claims, a breach of contract always attracts nominal damages even when actual damages cannot be demonstrated.

• “Nominal Damages” is defined as “a trivial sum of money to a litigant who has established a cause of action but has not established that he is entitled to compensatory damages. The award is made to recognize or vindicate a violation of the plaintiff’s rights.”

Types of Damages that are Recoverable in Privacy Class Actions: Intrusion Upon Seclusion

• Claims for intrusion upon seclusion do not require proof of damages. So long as the elements of the tort are made out, the court will presume that the class members sustained damages.

• The size of the damage award will depend on the severity of the intrusion, but relatively minor intrusions into privacy still attract an individual damage award for each class member.

Types of Damages that are Recoverable in Privacy Class Actions: Negligence and Breach of Confidence

• Damages for out-of-pocket expenses, including credit monitoring services, and identity theft/fraud are recoverable.

• There is conflicting jurisprudence on whether general damages, also called non-pecuniary damages, are recoverable for minor inconvenience, lost time, mental distress, loss of credit reputation and increased risk of future identity theft/fraud.