Cyber risk is an increasingly complex subject for the insurance industry. Emerging issues include coaching and threat response, and a developing body of case law deals with liability for cyber breaches, in addition to drafting and interpretation of cyber risk policies and exclusions.
Recent class action certification decisions out of Ontario provide some insight into the possible difficulties facing businesses, governments and regulatory bodies in the area of cyber risk, as well as the associated challenges and opportunities for the insurance industry.
In Evans v. The Bank of Nova Scotia, 2014 ONSC 2135 (leave to appeal refused in Evans v. The Bank of Nova Scotia, 2014 ONSC 7249) the court dealt with the question of whether the Bank could be vicariously liable for privacy breaches committed by one of its employees, where the employee acted without knowledge or authorization of the Bank in providing his girlfriend with his customer’s confidential information. The girlfriend then used the information to commit identity theft and fraud. The court found that even though the Bank was not involved in the improper conduct, it was arguable that the Bank created the opportunity for the employee to steal the customer information by allowing him unsupervised access to the client files. The claim based on the new tort of “intrusion upon seclusion” was allowed to proceed.
Similarly, in March 2014, the Federal Court certified a class action in Condon v. Canada, 2014 FC 250 partly on the basis of intrusion upon seclusion. (In Condon v. Canada, 2015 FCA 159, the Federal Court of Appeal later allowed an appeal and referred the matter back to the Federal Court to include claims for negligence and breach of confidence.) The case involved the loss of confidential student information on an external hard drive collected for the Canada Student Loans Program by the Government of Canada. As in Evans, the Court determined that the claim was not bound to fail, and allowed the class action to proceed.
The “intrusion upon seclusion tort” is a developing area of law. While courts in some provinces have not yet recognized the tort, the Evans v. The Bank of Nova Scotia decision confirmed that the door is open for evolving claims in this area, and by association, increased risk for employers who are found not to have sufficient employee monitoring systems in place.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
