Canada: Stolen Customer Data Results In Ontario's First Certified Privacy Class Action

Businesses that collect personal information have an added incentive to monitor employees handling customer data – Ontario's first class action arising from the new tort of "intrusion upon seclusion" was certified last week.¹

In Evans v Bank of Nova Scotia, the plaintiffs sought to certify a class action against the bank and one of its employees, Richard Wilson, who provided private and confidential information about the bank's customers to third parties in an identity theft scam foiled by Calgary Police.

The Breach

Wilson was employed by the bank as a Mortgage Administration Officer and in that role had access to highly confidential customer information. The bank was alerted to a potential privacy breach involving Wilson by Calgary Police, who had recovered several personal profiles of the bank's customers in the execution of a search warrant. The profiles identified Wilson as the individual who had accessed and printed the customer profiles and Wilson later confessed to improperly accessing and disseminating that information.

The bank ultimately identified 643 customers whose files were accessed by Wilson during the relevant period (the Notice Group). To date, 138 members of the Notice Group have advised the bank that they have been victims of identity theft and/or fraud. The bank provided individual compensation to every customer who identified losses arising from the data breach (fraudulently obtained credit cards, unauthorized purchases, account takeovers etc.) and offered a complimentary subscription to a credit monitoring and identity theft protection service to all members of the Notice Group.

The Action

The plaintiffs claim damages from the bank and Wilson for among other things, breach of contract, negligence, waiver of tort and the tort of intrusion upon seclusion. The plaintiffs claim that the bank is vicariously liable for the actions of its employee, Wilson.

The court's certification of the intrusion upon seclusion claim is the first of its kind, but likely a harbinger of things to come as the courts are confronted with the fallout from large scale breaches of privacy and data theft.

The tort itself was recently established in the 2012 decision of the Ontario Court of Appeal in Jones v Tsige² and its elements were described in that case as follows:

The key features of this cause of action are, first, that the defendant's conduct must be intentional, within which I would include reckless; second that the defendant must have invaded, without lawful justification, the plaintiff's private affairs or concerns; and third, that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. However, proof of harm to a recognized economic interest is not an element of the cause of action.

Notwithstanding that the judge did not consider the tort to yet form part of the settled law of Ontario, the claim was certified on the basis that it was not "plain and obvious" that such a claim could not succeed against the bank under a theory of vicarious liability.³

The Importance of Employee Oversight

Although the bank was quick to offer preventative measures for all members of the Notice Group and compensation to the members directly affected, the bank also acknowledged a complete lack of oversight of its employees, including Wilson, with regard to the improper access to personal and financial customer information. Though the bank was not directly involved in the improper access of customer information, the theory of vicarious liability "is strict, and does not require any misconduct on the part of the person who is subject to it."⁴

Certification does not involve a consideration of the merits of the case and we await the trial outcome (should there be one) to further understand the scope of the tort. As well, it is unclear what damages will be assessed if there is a finding of liability at the merits stage of the proceeding. Nevertheless, the decision provides an added incentive for employers to monitor the activities of their employees in the use of employer technology. As set out in earlier client updates, proactive monitoring can not only diminish the employee's reasonable expectation of privacy over "on the clock" personal use, but can also reduce the likelihood of privacy breaches involving customer information that may now result in class action exposure. Employers should continue to monitor the evolving developments in this area.

For assistance in reviewing or developing policies and procedures to ensure your company is able to effectively review and monitor employee activity on your electronic systems, please contact members of our employment services practice.

Footnotes

1 Evans v Bank of Nova Scotia, 2014 ONSC 2135 [Evans].

2 Jones v Tsige, 2012 ONCA 32

3 Supra, Evans at para 30.

4 Supra, Evans at para 23.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.