OIAA speaker explains how Ontario civil law on privacy affects cyber liability exposure

Three years after the Court of Appeal for Ontario ruled that individuals and organizations can be sued in the province for “intrusion upon seclusion,” a lawyer suggested to claims adjusters yesterday that awards in excess of $10 million are being sought in some class action lawsuits arising from alleged privacy breaches.

“Right now, most of our cyber risk policies that are being sold are add-ons in Canada, to a primary policy,” said Catherine Korte, a partner specializing in insurance defence ligitation with McCague Borlack LLP. “The question that’s going to develop is, ‘Well, wait a moment, is the correct premium being charged for the risk of exposure?'”

Korte described such risks Wednesday during a seminar on cyber liability at the Ontario Insurance Adjusters Association (OIAA) professional development and claims conference, held at the Metro Toronto Convention Centre.

She described several completed and ongoing court cases, including a Court of Appeal for Ontario ruling released in January 2012. That decision was in the case of Sandra Jones versus Winnie Tsige, both of whom worked for the Bank of Montreal. Jones, who sued Tsige, was also a BMO customer.

Court records indicate that Tsige – who was involved in a relationship with Jones’ former husband – accessed and reviewed Jones’ bank records on 174 occasions in 2006 through 2009. Tsige, who was disciplined by the bank, had explained that she wanted to confirm whether Jones was being paid child support by her former husband.

In March, 2011, the Ontario Superior Court of Justice dismissed Jones’ lawsuit, ruling there was no tort of invasion of privacy in the province. But that ruling was overturned the following year, when the appeal court found that a right to sue “for intrusion upon seclusion should be recognized in Ontario.”

“Not only do you have the Privacy Act and (the Personal Information Protection and Electronic Documents Act ) but you have the courts saying, ‘Wait a moment, I find there is a tort’ and if you breach certain rights of privacy, you are into a tort with consequential damages,” Korte said at the OIAA conference Wednesday.

She gave several examples of ongoing legal actions, including a proposed $40 million class action against Hôpital Montfort, an Ottawa hospital at which an employee had lost a USB memory stick containing unencrypted records of 25,692 patients.

For the tort of “inclusion upon seclusion,” Korte noted, the Court of Appeal for Ontario established three criteria:

•The conduct must be intentional, though this could include recklessness;

•The invasion of privacy must have no lawful justification; and

•A “reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.”

The “explosion of information technology” has increased the exposure of organizations to class action lawsuits alleging privacy breaches, she suggested, adding that organizations need to ensure that confidential information is kept secure and that only authorized individuals have access to it.

The “most notorious case on privacy in Canada” was one involving a film shoot in Toronto, Korte said Wednesday.

She was referring to an incident in October, 2005, when Ontario’s privacy commissioner ruled that a medical X-ray and ultrasound clinic and a paper disposal company violated the province’s Personal Health Information Protection Act (PHIPA). According to the privacy commissioner’s press release at the time, personal health records sent by the clinic to the paper disposal company were “mistakenly believed to be intended for recycling.” Those unshredded papers were later sold, by a different firm, to a film company which used them as props.

Korte recounted Wednesday that the film was about the Sept. 11, 2001 attacks on the World Trade Center in New York City.

“So what happened was they had medical information blowing down the streets of Toronto, being the medical records of identifiable individuals,” Korte recounted. “So you had the police force out, they had hundreds of people rounding up documents to get the medical records of people off the streets of Toronto. That was the first most notorious Canadian case on privacy.”

PHOTO: Claims adjusters explore the exhibit floor at the Ontario Insurance Adjusters Association (OIAA) professional development and claims conference