B.C.’s public auto insurer has been held vicariously liable for a privacy breach, in which one of its claims adjusters sold client information to a third party that ultimately led to arson and shooting attacks.
“Between April 2011 and January 2012, houses and vehicles belonging to 13 individuals were targeted in arson and shooting attacks,” the Aug. 24 decision of the Supreme Court of B.C. read. “The only thing the victims of those attacks had in common was that their vehicles had at some point been parked in the parking lot of the Justice Institute of British Columbia.
“Subsequent investigation revealed that they were among a larger group of ICBC customers whose personal information had been accessed and sold to a third party by an ICBC claims adjuster.”
B.C.’s Supreme Court ruled last Wednesday on the class action lawsuit launched by the people whose personal information was improperly accessed by the adjuster, including the victims of the attacks.
According to the court decision, police approached ICBC in August 2011 as part of the investigation of the attacks. ICBC found the victims were among 79 customers whose information its adjuster, Candy Elaine Rheaume, had accessed without an apparent business purpose. Rheaume was fired on Sept. 1, 2011, and ICBC subsequently notified 78 customers (one customer had died by then) that their information had been wrongly accessed.
In its response to the civil claim, ICBC admitted Rheaume sold some of the information, including the victims’ addresses, to Aldorino Moretti for $25 or more per licence plate number. Some of the information was subsequently used by Vincent Eric Gia-Hwa Cheung, Thurman Ronley Taffe and others to carry out the attacks.
Cheung subsequently pleaded guilty to numerous arson and firearm offences. On July 27, 2016, he was sentenced to 12 years in prison.
“According to the evidence before the sentencing judge, Mr. Cheung had a drug-induced paranoid belief that he was being targeted and controlled by the Justice Institute, acquired licence plate numbers in the parking lot, and told an associate that he was paying someone to ‘run’ the plates from ICBC,” the B.C. court found in its decision.
Rheaume ultimately pleaded guilty to fraudulently obtaining a computer service and received a suspended sentence with nine months probation.
B.C.’s Supreme Court found Rheaume had breached the claimants’ privacy because the claimants had a reasonable expectation that ICBC would protect the information they collected. ICBC contended the residential addresses were publicly available contact information and hence, not ‘private.’
But the court found all drivers in the province are required to provide the information to ICBC to get licenses and insurance for their vehicles. Because supplying the information is not voluntary, the claimants had reason to expect ICBC would protect their information.
ICBC’s own privacy protocols undermined the notion the information was not private, the court added.
“ICBC’s contention that there is no privacy interest in contact information is inconsistent with its own evidence and pleadings,” the court ruled. “It has put into evidence its internal code of ethics, which includes the following statement:
As a result of our role in driver licensing and our monopoly over basic insurance, every driver in British Columbia is required to entrust us with their personal information.
ICBC is dedicated to protecting all of the personal information in its custody or control. This includes customers, service providers, and employees.
ICBC employees may access personal information only when and to the extent it is required by their job. We must take all reasonable steps available to us to protect the privacy of anyone whose personal information is held by ICBC.
As for holding ICBC vicariously liable for Rheaume’s behaviour, the court found ICBC would have a valid defence if the public insurer could not have foreseen the information sold by the adjuster might be used to inflict harm on others. But the potentially harmful consequences of an adjuster selling ICBC information to third parties was indeed foreseeable, the court ruled.
“The risk of such conduct by an employee was not only foreseeable, it was actually foreseen,” the court ruled. “Employees were told of the need to protect the privacy of customers’ personal information and warned of adverse consequences if they accessed that information for reasons unrelated to ICBC’s business.”
Not only that, but the harm to plaintiffs was a direct result of the adjuster’s privacy breach, the court found.
“In this case, there was a direct connection between the information supplied by Ms. Rheaume and the attacks carried out by Mr. Cheung,” the court decision read. “He could not have carried out the attacks without it. Making that information available to third parties was at the heart of her wrongful conduct.
“Although Ms. Rheaume did not supply that information directly to Mr. Cheung, she provided it to Mr. Moretti, who she knew or should have known was then in a position to use the information for any purpose he chose, including sharing it with others.”
Feature photo courtesy of iStock.com/LuckyBusiness