June 17, 2013 by Murn Meyrick
Canada is no longer a safe haven when it comes to avoiding damages arising out of privacy breaches. Class actions are here. Regulatory and criminal investigations are here and so too are individual actions resulting in damage awards. The losses are mounting and regulators are crying for legislation to impose substantial fines.
Where a few years ago it was easy to find examples of breaches but difficult to find examples of losses arising from them, the environment in the US, and increasingly in Canada, has changed. The new reality of individual and class actions tend to involve disclosure of personal information through insecure disposal of records, theft and loss of unencrypted data on mobile devices, and unauthorized access to records.
The year 2013 began with a shocking disclosure as Human Resources and Skills Development Canada (HRSDC) admitted to the loss of a portable hard drive containing unencrypted personal and financial information, including SIN numbers and birth dates, of more than half a million people who took out student loans and 250 employees. Reports allege a two-month delay in notification to the public of the breach. Three class actions have been launched and both the RCMP and the Privacy Commissioner are investigating. Affected persons are being notified by letter and a hotline set up to handle inquiries has reportedly received over 40,000 calls. This announcement follows the recent disclosure by HRSDC of another breach involving the loss of a USB key from an office in Quebec, containing personal information of more than 5,000 Canadians.
The year 2012 saw a number of high profile breaches in the health industry resulting in losses. In May, the Peterborough Regional Health Centre fired seven employees who inappropriately accessed patient records. In BC, the provincial government disclosed that in three instances of data breaches in October 2010 and June 2012 more than five million persons’ personal-health data had been accessed without permission. This led to the costs of responding to an investigation by the Privacy Commissioner and notification of more than 38,000 individuals by letter. Furthermore, the government is dealing with costs associated with the termination of seven employees, at least two of whom have launched separate lawsuits in response to their terminations.
In 2011 the Ontario Superior Court granted certification of a class action against Durham Region Health when a nurse employed by the Durham Region Health Department allegedly lost a USB thumb drive containing personal and confidential health information relating to flu vaccinations to patients. The action followed an investigation and Order by the Ontario Information and Privacy Commissioner citing numerous breaches of the privacy health legislation. In the action, the plaintiffs sought $40 million in damages, citing risk of identity theft as a factor. The action was settled shortly after certification, with the Region agreeing to pay up to $500,000 on account of the plaintiffs’ costs, and individual payments to those affected individuals who can prove financial loss.
In a major private sector case, Honda Canada, Inc. is facing a class action launched in 2011 on behalf of 283,000 customers after their personal information, including names, addresses, VINs, and financial account numbers were accessed by hackers. The action seeks $200 million and faults delayed notification of the breach to affected individuals by Honda.
Class actions have not been the only forum for litigation of privacy breaches in Canada. Examples of individual suits resulting in damage awards have shown Canadian courts are willing to put a value on the damage caused by invasion of an individual’s privacy, even where there are no actual losses. Although the cases are specific to their individual facts and to the law applicable in the jurisdiction in which the action was brought, they may be useful in predicting the likelihood of an award, and the quantum of such an award, in future breaches. These cases include:
In a health sector case, in May 2011 the B.C. Supreme Court issued an Order to proceed in a class action against the Provincial Health Services Authority over the collection and storage of BC and Yukon newborns’ blood. The issue relates to the use of the stored information for medical research, and for indefinite storage, without permission.
Privacy litigation is still in its early stages in Canada. Many of the cases noted above are still at the preliminary stages, or have settled with little, if any, judicial pronouncement. The emergence in Canada of mandatory notification to individuals, and/or the Privacy Commissioner when a privacy breach has occurred, although not yet fully enacted in Canada, will without doubt fuel litigation. The simple fact of being alerted to the potential of harm is enough to persuade some people to sue.
In this changing environment companies are taking more care to learn about, and put in place effective solutions to these risks, including specialized Privacy and Network Liability Insurance. These products are not a one size fits all solution. Expert advice in assessing risks and ensuring the proper insurance coverage is in place is essential.
Murn Meyrick is the founding partner of Grey Swan Advisory Inc. She can be reached at firstname.lastname@example.org.
Copyright 2013 Rogers Publishing Ltd. This article first appeared in the May 2013 edition of Canadian Insurance Top Broker magazine.
This story was originally published by Canadian Insurance Top Broker.