The massive data breach involving Desjardins Group and around 2.7 million people announced on June 20 is an illustration of how vulnerable organizations can be to the acts of rogue employees with access to information systems.

Security breaches happen and can be costly to an organization and its reputation. Could it be worse?

Organizations are required to implement reasonable security and access controls, which will depend on the nature of the personal information involved. A best practice, and a point emphasized in regulators' guidance on breach response, is to make appropriate policy and security changes designed to prevent future breaches.

The British Columbia Court of Appeal recently determined that a history of privacy breaches by employees could form the basis of a punitive damages claim. Ari v. Insurance Corporation of British Columbia, 2019 BCCA 183 ("Ari") is the latest decision in a long class action saga that began back in 2012 following a privacy breach at the Insurance Corporation of British Columbia ("ICBC"). The privacy breach in question involved a former ICBC employee improperly accessing the personal information of 78 ICBC customers and then providing that information to a criminal organization. The criminal organization subsequently used that personal information to target several of those customers and/or their property with vandalism, arson and shootings.  

In the class proceedings, the Courts have allowed claims to proceed against ICBC for vicarious liability for the employee's breaches under the B.C. Privacy Act. In addressing a claim against ICBC for punitive damages, the BC Supreme Court focused on ICBC's proactive conduct following the breach. In the wake of the breach, ICBC took numerous steps that included assisting the police with their investigation, performing internal investigations, terminating the rogue employee's employment, compensating customers for property damage, and implementing various other security measures.

The BC Court of Appeal commented that punitive damages may be awarded when misconduct "represents a marked departure from ordinary standards of decent behaviour". The Court noted that the steps taken by ICBC following the breach were laudable; however, in evaluating the punitive damages issue, the lower court should also have considered the past history of privacy breaches by ICBC employees. This history included the termination of at least seven employees for privacy breaches in the three-year period preceding the breach at issue in this case. This history provided a factual basis for the punitive damages claim and forms part of the certified proceeding.

What should you do?

Organizations are obliged to implement reasonable safeguards for personal information. This includes implementing controls to prevent unauthorized access to, and/or disclosure of, personal information, including by employees. Where employees can access sensitive information, organizations have to manage that risk. If they do not, our Courts will allow vicarious liability claims against employers, even in respect of the criminal acts of a rogue employee.

Ari also demonstrates that learning and improving are crucial aspects of breach response, and that failing to do so may expose the organization to punitive damages.

Organizations should have incident response plans, which may include implementing changes and lessons learned, as well as reviewing, auditing and monitoring security and prevention measures, covering administrative procedures, physical and technical security, service providers, and employee training and oversight.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.