Lawyer warns of privacy breach damages to victims who are a ‘little bit annoyed’

The rise of class action lawsuits alleging privacy breaches is raising the question of whether a corporation can be held vicariously liable when employees cause privacy violations to plaintiffs who do not actually prove they were harmed, a lawyer warned insurance professionals Wednesday.

Patrick Hawkins, a lawyer with Borden Ladner Gervais LLP, was the keynote speaker at the Property Casualty Underwriters Club November luncheon.

He noted there is a “growth industry” in class action lawsuits alleging privacy breaches.

“We think there are roughly 33 data privacy breach class actions that have been commenced in Canada,” Hawkins told attendees at the event in Toronto.

He referred to several lawsuits, including the Court of Appeal for Ontario ruling released in 2012 in Jones v. Tsige.

Sandra Jones and Winnie Tsige were employees of the Bank of Montreal. Jones was also a BMO customer. Court records indicate that Tsige – who was in a relationship with Jones’ former husband – accessed and reviewed Jones’ bank records on 174 occasions in 2006 through 2009.

The Ontario Superior Court of Justice dismissed Jones’ lawsuit in 2011 but that decision was overturned on appeal. The Bank of Montreal was not a party to the case.

“The Court of Appeal created this new tort and said, ‘Okay this is a circumstance where information being so readily available electronically, that never used to be available before, we need a way to vindicate rights of people and to prevent people from doing this,'” Hawkins said at the PCUC luncheon Nov. 23. “So they created this new tort called intrusion upon seclusion, which is a new claim.”

The Court of Appeal for Ontario, in Jones v. Tsige, “said some things about damages that really gives rise to and spawns class actions,” Hawkins added. “Unlike traditional tort law or traditional civil law and civil damages, proof of harm to a recognized economic interest is not required. So you are not required to prove that somebody has actually suffered damage. Just because you are a little bit annoyed and somebody has looked at your private records, that can be a circumstance where we award damages.”

In class-action lawsuits where an employer is named as a defendant, there is a question of whether or not damages can be awarded against the firm if no harm is proven, Hawkins suggested.

“I think that is a really important thing that is going to have to be sorted out a in class action context in privacy breach,” where the corporation has compensated people who were actually harmed, he suggested.

“Do the rest of the people who are just a little bit ticked off, or a little bit annoyed or a little bit worried, do they actually recover from the corporation?” he asked. “And then, what’s it worth? Plaintiff’s lawyers are really pushing that it’s a no-harm tort and then a little bit of annoyance is worth something. From the defence side, we are pushing that a little bit of annoyance is worth nothing.”