January 2, 2017 by Greg Meckbach, Associate Editor
Federal regulations requiring organizations to notify individuals of data breaches that could potentially expose them to harm will probably be in place this year and could cause an increase in class-action lawsuits, lawyers familiar with privacy laws suggest.
The Digital Privacy Act (DPA) was passed into law June 18, 2015. Tabled in 2014 as Bill S-4 by Senator Yonah Martin, DPA makes changes to the Personal Information and Protection of Electronic Documents Act (PIPEDA).
When there is a “real risk of significant harm,” an organization affected by a data security breach would have to report that to the federal Office of the Privacy Commissioner (OPC) and any individual at risk, notes Innovation, Science and Economic Development Canada on its website.
“Significant harm is defined really broadly,” Patrick Hawkins, a partner with Borden Ladner Gervais LLP recently said. “It includes the potential for damage to reputation. It includes the potential for financial loss, identity theft, negative effects on credit records.”
Hawkins, who has represented healthcare organizations, made his remarks during the November luncheon of the Property Casualty Underwriters Club (PCUC).
The mandatory breach notification provision will not be in force until new regulations are passed and, as of press time, the federal government had yet to say when that will be.
“We don’t have a timeline on when they are going to be in force,” Hawkins said. “I will say best guess is some time in 2017.”
Another lawyer, Imran Ahmad, said in an interview that he heard “through the grapevine” that “there is probably going to be an announcement come February or beginning of March that the regulations are coming into force either by the end of Q3 or by Q4 2017.”
Ahmad, Toronto-based partner at Miller Thomson LLP, specializes in data breach incident preparedness and response. “We suspect it is going to be very similar to what you have in Alberta” where there is mandatory breach notification, Ahmad says of the new regulations.
Alberta’s Personal Information Protection Act requires private sector organizations to notify individuals of “loss or unauthorized access to or disclosure of personal information” when there is “a real risk of significant harm,” the provincial government states on its website.
Many of the health privacy laws across this country have breach notification requirements, but currently with respect to ordinary businesses Alberta, is the only province that has mandatory notification,” David Fraser, then branch section chair of the national privacy and access law section of the Canadian Bar Association, told the Senate Standing Committee on Transport and Communications in 2014.
“We have found that because of that, with large organizations that operate across Canada, they comply with Alberta’s requirements and do notification across the country,” Fraser said at the time during hearings on Bill S-4.
“I anticipate a significant increase in litigation once mandatory data breach notification kicks in,” Ahmad told Canadian Underwriter last December. “You see what happens in the U.S. Anyone can go on the Attorney General’s website of any state. They will see the breach that’s occurred, and class action lawyers, media folks, other people see that notice and it just leads to litigation right away. I expect you are going to see more of that in Canada starting whenever the notification comes in.”
Echoing Ahmad’s concerns, Hawkins warned at the PCUC luncheon of a “growth industry” in class action lawsuits alleging privacy breaches, due, in part, to the Court of Appeal for Ontario ruling in 2012 in Jones v. Tsige.
Sandra Jones had sued Winnie Tsige, one of her co-workers at the Bank of Montreal (BMO). Tsige was involved in a relationship with Jones’s former husband. Jones was also a BMO customer. Court records indicate that Tsige accessed and reviewed Jones’s bank records on 174 occasions in 2006 through 2009 and that Tsige wanted to confirm whether or not Jones was receiving child support payments.
Initially, Jones’s lawsuit against Tsige was dismissed, in 2011, by Ontario’s Superior Court of Justice, which found that Ontario does not have a tort of invasion of privacy.
But in overturning that ruling the following year, the Court of Appeal for Ontario recognized the common law tort of “intrusion upon seclusion.” The court ruled that changes in technology pose “a novel threat to a right of privacy that has been protected for hundreds of years by the common law” and by the Canadian Charter of Rights and Freedoms.
In ruling in favour of Jones, the Court of Appeal cited the 2006 decision from Ontario’s Superior Court of Justice in Somwar v. McDonald’s Restaurants of Canada Ltd.
“With advancements in technology, personal data of an individual can now be collected, accessed (properly and improperly) and disseminated more easily than ever before,” Justice David Stinson wrote in Somwar. “The traditional torts such as nuisance, trespass and harassment may not provide adequate protection against infringement of an individual’s privacy interests.”
So in Jones v. Tsige, the Court of Appeal for Ontario really created a new tort, Hawkins notes.
“On the healthcare side, there has been mandatory notification of individuals since 2004,” Hawkins told luncheon attendees. “We have seen the notice often creates the complaint and leads to a class action.”
Lawyers at Miller Thomson are starting to field questions about the Digital Privacy Act, Ahmad suggests.
“What we anticipate is there is going to be an intense period of education for clients in terms of what they need to do,” he predicts. “The challenge is the regulations haven’t been finalized or released yet.”
Without the new regulations, “businesses are not obligated to notify Canadians of security breaches involving data under their control,” James Moore, then Canada’s industry minister, told the House of Commons Standing Committee on Industry, Science and Technology in February 2015, during hearings on Bill S-4.
“In other words, if a company’s data is compromised and a hacker gets a hold of your credit card number, the company is not under any obligation to notify you,” Moore said at the time.
The Digital Privacy Act also requires “organizations to keep records of data breaches of any kind,” privacy commissioner Daniel Therrien said during the same committee hearing.
“Let’s say a misprinted address label goes out in the mail that includes in the address window the party’s age,” said David Elder. special digital privacy counsel for the Canadian Marketing Association, before the Commons industry committee in early 2015.
“That’s a breach, a piece of personal information tied to an identifiable individual. Let’s say you’re in a store and the clerk leaves somebody’s order printed out on the counter while he turns to get the phone and it’s visible to other consumers and all that may have been disclosed was somebody’s shoe size. That’s a breach. A record would have to be kept for each of them under this law and retained indefinitely until the OPC requested it.”
Companies who reviewed breaches and “found that there is no risk of harm” are still “required to maintain a record on those,” Chris Padfield then director general of Industry Canada’s digital policy branch, said during the committee hearing. The OPC “could ask the individual company to report all of those records to them at any time,” Padfield added.
“Requiring organizations to keep and maintain a record of every breach and provide our office with a copy of such record on request are important accountability mechanisms that will allow our office to evaluate compliance with the notification provisions and assess how organizations are making the determination whether to notify,” Patricia Kosseim, OPC’s senior general counsel, told the Senate transport and communications committee in 2014.
The following year, Padfield was asked by then-New Democrat MP Charmaine Borg whether or not small and mid-sized businesses would be “given tools to guide them as they try to figure out whether a breach poses significant harm.”
Padfield told the Commons industry committee that “there are lots of things that have to be established through regulation.”
With DPA, PIPEDA will give the federal government “the authority to list the types of information that must be included” in a breach notification report “and to specify a particular form and manner for such reports,” ISED states on its website.
But it is not clear yet how those records should look, Ahmad says.
“If I lose, let’s say, a USB key in my office that had my client information on it, for example, what does that log look like?” asks Ahmad. “Is it just an incident description? How long do I have to keep it? What level of granularity has to be provided? Do I have to explain what remedial action was taken and whether it was found later on? That is where the details are missing and that is where the regulations will be particularly helpful.”
The federal government is “looking for the most simplistic ways we can have in terms of reporting, in giving out clear guidance,” Padfield told the Commons industry commitee in 2015.
“We’ll work with the privacy commissioner’s office once the provisions are in place to come up with really clear, straightforward guidance for small companies,” he said. “We are conscious of the fact that this does apply all the way from the mom-and-pop shop up to the major multinational corporations that are better prepared for these kinds of things,” he added.
Organizations that “deliberately cover up privacy breaches and destroy records will face fines of up to $100,000 for every person or client that they intentionally fail to notify,” Moore told the committee in 2015.
Penalties under DPA “are pretty clear,” Imran said in an interview in December 2016. “It is going to be up to $100,000. We don’t have to wait for the regulations to come out for us to know what the amounts are going to be like.”
One data breach resulted in a class action lawsuit against Home Depot of Canada Inc. and its corporate parent.
“Between April 11, 2014 and September 13, 2014, there was a data breach at Home Depot,” Justice Paul Perell of Ontario’s Superior Court of Justice wrote in a ruling released this past August. “Its payment card system was hacked by criminal intruders using custom-built malware to clandestinely breach Home Depot’s computer system.”
In that ruling, Justice Perell approved a settlement agreement signed in early 2016.
As part of the settlement agreement – valued at $400,000 – Home Depot agreed to create a non-reversionary fund of $250,000 “for the documented claims of Canadians whose payment card information and/or email address was compromised as a result of the data breach during the data breach period.”
There was no evidence that any plaintiff in the class-action lawsuit absorbed a fraudulent charge, Home Depot customers who inserted chip cards and entered a PIN were not affected and the “only affected purchasers were those that used their payment card by swiping its magnetic chip through the card reader at self-checkout terminals… that had been infected by the malware,” Justice Perell noted in his ruling.
Home Depot offered Canadian customers Equifax credit monitoring at no charge, Justice Perell wrote. The retailer also offered “Equifax identity theft insurance through an AIG policy” and credit repair services from AllClear ID, Inc,” he noted.
AllClear ID’s services “provided access to investigators who would determine if the customers had suffered fraud or identity theft and would assist them in recovering financial losses and restoring their identities to proper conditions,” he added.
In general, organizations responding to data breaches will offer credit monitoring and “are trying to negotiate that into their insurance policies for that to be covered,” reports Ahmad, adding that cyber insurance “will typically cover the cost of regulation.”