November 25, 2016 by Greg Meckbach, Associate Editor
Impending changes to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) could “effectively cause more class-action” lawsuits down the road because companies will be required to report information security breaches that pose “a real risk of significant harm,” a lawyer recently warned insurance professionals.
“Any time there is a privacy breach, within any organization, that has the potential to create a real risk of significant harm to the individual, the organization will be required to disclose that to the individuals involved,” and to the federal Office of the Privacy Commissioner, said Patrick Hawkins, who spoke at the November luncheon of the Property Casualty Underwriters Club.
Hawkins is a partner with Borden Ladner Gervais LLP who has represented, among others, healthcare organizations. At the PCUC luncheon, held Nov. 23 at the DoubleTree Hotel in downtown, Hawkins referred to the Digital Privacy Act, Bill S-4, which was passed into law in 2015.
Tabled April 8, 2014 by British Columbia Conservative Senator Yonah Martin, Bill S-4 makes several changes to PIPEDA. It would require firms to notify people if their personal information has been lost “and there is a potential to expose us to harm,” Joan Crockatt – at the time the Conservative MP for Calgary Centre – said in the House of Commons in October 2014.
The breach notification requirement “will be brought into force only after related regulations outlining specific requirements are developed and in place,” a spokesperson for the Office of the Privacy Commissioner of Canada told Canadian Underwriter this past January.
“We don’t have a timeline on when they are going to be in force,” Hawkins said Nov. 23, 2016. “I will say my best guess is some time in 2017.”
The “overall objective” of the data breach notification regulations “is to ensure that individuals are informed when their personal information has been compromised and that they have been put at risk of harm as a result so that they can take steps to protect themselves and mitigate the harm,” the federal department of innovation, science and economic development states on its website.
When there is a “real risk of significant harm,” the organization affected by a data security breach would have to report that to the Office of the Privacy Commissioner. When a breach “poses a real risk of significant harm” to an individual, that individual would also have to be notified. In addition – under the yet-to-be-passed regulations – organizations would have to maintain records of such breaches.
“These particular changes are coming,” Hawkins said. “These are the ones that have the potential to effectively cause more class actions down the road.”
Hawkins told attendees there is a “growth industry” in class action lawsuits alleging privacy breaches, due in part to the Court of Appeal for Ontario ruling in 2012 in Jones v. Tsige. That ruling – which recognized a common law tort of “intrusion upon seclusion” – arose when the court overturned an Ontario Superior Court of Justice decision dismissing Sandra Jones’s lawsuit against Winnie Tsige. Jones and Tsige were co-workers at the Bank of Montreal, and Jones was also a customer of the bank. Tsige accessed Jones’s bank records. In 2011, the Ontario Superior Court of Justice noted that Jones had recourse under PIPEDA. It also cited Euteneier v. Lee, a Court of Appeal for Ontario ruling released in 2005 arising from a prisoner whose clothing was removed by Halton Regional Police after she tried to hang herself in jail. In Euteneier, the court noted that the plaintiff “conceded in oral argument … that there is no ‘free standing’ right to dignity or privacy.”
But in 2012, in overturning the Superior Court of Justice’s dismissal of Jones’ lawsuit against Tsige, the Court of Appeal for Ontario found that changes in technology pose “a novel threat to a right of privacy that has been protected for hundreds of years by the common law” and by the Canadian Charter of Rights and Freedoms.
In the Digital Privacy Act, “significant harm is defined really broadly,” Hawkins said at the PCUC luncheon. “It includes the potential for damage to reputation. It includes the potential for financial loss, identity theft, negative effects on credit records.”
Before Bill S-4 was tabled, a private member’s bill proposing mandatory breach notification was defeated. The private member’s bill – Bill C-475 – would have changed PIPEDA to require organizations having personal information under their control to notify the federal privacy commissioner “of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the loss or disclosure or unauthorized access.”
Bill C-475 was tabled by Charmaine Borg, an NDP MP from 2011 to 2015. In 2013, Ed Holder – former president of Stevenson & Hunt Insurance Brokers Ltd. and then Conservative MP for London West – warned fellow MPs that Bill C-475 would “require organizations to report to the Privacy Commissioner every data breach posing a possible risk of harm.” He suggested at the time this could result in “notification fatigue” among consumers.
“On the health care side there has been mandatory notification of individuals since 2004,” Hawkins said Nov. 23. “We have seen the notice often creates the complaint and leads to a class action.”