Businesses that collect personal information have an added
incentive to monitor employees handling customer data –
Ontario's first class action arising from the new tort of
"intrusion upon seclusion" was certified last
In Evans v Bank of Nova Scotia, the
plaintiffs sought to certify a class action against the bank and
one of its employees, Richard Wilson, who provided private and
confidential information about the bank's customers to third
parties in an identity theft scam foiled by Calgary Police.
Wilson was employed by the bank as a Mortgage Administration
Officer and in that role had access to highly confidential customer
information. The bank was alerted to a potential privacy breach
involving Wilson by Calgary Police, who had recovered several
personal profiles of the bank's customers in the execution of a
search warrant. The profiles identified Wilson as the individual
who had accessed and printed the customer profiles and Wilson later
confessed to improperly accessing and disseminating that
The bank ultimately identified 643 customers whose files were
accessed by Wilson during the relevant period (the Notice Group).
To date, 138 members of the Notice Group have advised the bank that
they have been victims of identity theft and/or fraud. The bank
provided individual compensation to every customer who identified
losses arising from the data breach (fraudulently obtained credit
cards, unauthorized purchases, account takeovers etc.) and offered
a complimentary subscription to a credit monitoring and identity
theft protection service to all members of the Notice Group.
The plaintiffs claim damages from the bank and Wilson for among
other things, breach of contract, negligence, waiver of tort and
the tort of intrusion upon seclusion. The plaintiffs claim that the
bank is vicariously liable for the actions of its employee,
The court's certification of the intrusion upon seclusion
claim is the first of its kind, but likely a harbinger of things to
come as the courts are confronted with the fallout from large scale
breaches of privacy and data theft.
The tort itself was recently established in the 2012 decision of
the Ontario Court of Appeal in Jones v Tsige2 and
its elements were described in that case as follows:
The key features of this cause of action are, first, that the
defendant's conduct must be intentional, within which I would
include reckless; second that the defendant must have invaded,
without lawful justification, the plaintiff's private affairs
or concerns; and third, that a reasonable person would regard the
invasion as highly offensive causing distress, humiliation or
anguish. However, proof of harm to a recognized economic interest
is not an element of the cause of action.
Notwithstanding that the judge did not consider the tort to yet
form part of the settled law of Ontario, the claim was certified on
the basis that it was not "plain and obvious" that such a
claim could not succeed against the bank under a theory of
The Importance of Employee Oversight
Although the bank was quick to offer preventative measures for
all members of the Notice Group and compensation to the members
directly affected, the bank also acknowledged a complete lack of
oversight of its employees, including Wilson, with regard to the
improper access to personal and financial customer information.
Though the bank was not directly involved in the improper access of
customer information, the theory of vicarious liability "is
strict, and does not require any misconduct on the part of the
person who is subject to it."4
Certification does not involve a consideration of the merits of
the case and we await the trial outcome (should there be one) to
further understand the scope of the tort. As well, it is unclear
what damages will be assessed if there is a finding of liability at
the merits stage of the proceeding. Nevertheless, the decision
provides an added incentive for employers to monitor the activities
of their employees in the use of employer technology.
As set out in earlier client updates, proactive monitoring can
not only diminish the employee's reasonable expectation of
privacy over "on the clock" personal use, but can also
reduce the likelihood of privacy breaches involving customer
information that may now result in class action exposure. Employers
should continue to monitor the evolving developments in this
For assistance in reviewing or developing policies and
procedures to ensure your company is able to effectively review and
monitor employee activity on your electronic systems, please
contact members of our employment services practice.
1 Evans v Bank of Nova Scotia, 2014 ONSC 2135
2 Jones v Tsige, 2012 ONCA 32
3 Supra, Evans at para 30.
4 Supra, Evans at para 23.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).