Canadian Underwriter

Organizations must focus more on people, not just technology, to combat privacy breaches: lawyer


October 26, 2016   by Angela Stelmakowich



The people component of privacy breaches is critically important and demands greater focus going forward, given an environment in which both individual and class actions related to such breaches are on the rise, Patrick Hawkins, a partner with Borden Ladner Gervais LLP, suggested during an industry event in downtown Toronto Tuesday.

“Cyber security is technology’s processes and practices,” said Hawkins, speaking as part of a panel at Insurance Bureau of Canada’s 16th Annual Regulatory Affairs Symposium.

“We think of it as a technology issue, but fortunately – or unfortunately – within all organizations, the processes and how our people use the processes, use the technologies and practices we have in place, largely it’s a people issue,” he argued.


Citing as an example the hack against Canada Revenue Agency (CRA) two years ago, Hawkins told attendees the CRA shut down its systems, fixed the systems, had staff go through training and then ran a phish.

“Somewhere around 30%, 35% of their employees got the phish and clicked on. If it had been an actual problem, it would have added a virus to their systems,” he said.

“It’s a huge people issue. Notwithstanding the technology you put in place, you’ve really got to work on your people and the technologies that they use,” he added.


Dealing with the people component is important given what Hawkins sees as increases in class actions related to privacy breaches. “It’s a growing phenomenon and more and more we’re going to have to deal with this,” he told attendees.

Pointing out that even five years ago, privacy breach class actions were not a frequent topic of conversation, now “it’s an area that we’ve just sort of seen, as lawyers, exponential growth in terms of claims and activity,” Hawkins reported.

It has grown “both on an individual scale and a class action scale,” he pointed out.

“Generally speaking, individual actions from a privacy perspective are something that are fairly easy to deal with,” with regard to damages, he suggested.

“But class actions, the big issue is the target is the corporation,” Hawkins said. And, unfortunately, “we really don’t have a good handle yet in Canada on what is the level of damages a company affected may claim in these situations,” he reported.

“The growth in Canada has come from a 2012 Court of Appeal decision in Ontario,” Jones v. Tsige, Hawkins noted, an individual action in which a bank employee accessed the banking records of the new partner of her ex-spouse 174 times.

The court created a new tort, intrusion upon seclusion. “That’s what’s really spawned all of the class action litigation that we’ve seen in the last two years,” he reported.

“There’s some good and some not so good” about the ruling, Hawkins suggested. From a defence perspective, adding recklessness and intention are positive, while the guidance on damages – courts can award damages of as much as $20,000 for intangible loss or intangible interest – “is where the tort gets a little problematic.”

Since Jones v. Tsige, there have been “all kinds of different decisions coming out of provincial courts,” a lot of which have been contradictory.


“We have not had the Supreme Court of Canada weigh in on this area yet; I think that’s coming,” Hawkins said. “Until then, we’re kind of stuck with some of these decisions.”

The lack of detail around potential damages – coupled with the people component and the fact that cyber is a relatively new loss (one that goes well beyond direct financial loss) – makes clear that the current landscape is challenging.

It demands that organizations, companies and corporations put in place measures to mitigate risk, Hawkins said.

These may include, among other things, making the issue a board-level concern, having a cyber security plan, having a breach plan, dealing with breaches promptly, having policies and updating them in line with technology changes, auditing plans, understanding vulnerabilities and risks, and knowing where those risks come from.

Remember that “your level of risk is intimately connected to those of your service providers,” he emphasized.

“It’s a people thing,” Hawkins told attendees. “The vulnerabilities are still human,” he said, adding “you’ve really got to look at your people.”

Hawkins suggested that, overall, it is a growing problem. “Corporations and their insurance need a comprehensive plan to deal with it and I think, unfortunately, we’re going to see more class actions in the coming years,” he added.
