In the latest class action decision involving the Insurance Corporation of British Columbia (“ICBC”), the British Columbia Supreme Court (“BCSC”) found ICBC vicariously liable for a rogue employee's privacy breaches.1 This surprising decision has important implications for employers, in particular for how they should manage employees who have access to personal information as part of their job duties.
This legal saga began in 2012, following a privacy breach involving a former ICBC employee, Candy Rheaume, who improperly accessed the personal information of ICBC customers and then provided that personal information to a criminal organization. The criminal organization subsequently used that personal information to target several of those ICBC customers and/or their property with vandalism, arson and shootings. Mr. Ari, the representative plaintiff, alleged that ICBC was vicariously liable for the damages caused by Ms. Rheaume's breaches of the Privacy Act, RSBC 1996, c. 373 (the “Privacy Act”).2
We last blogged about this case in June 2019, after the British Columbia Court of Appeal determined that a history of privacy breaches by employees could form the basis of a punitive damages claim. In an August 2022 summary trial judgment, the BCSC found that ICBC's conduct in the circumstances did not justify an award of punitive damages. However, the BCSC found that ICBC is vicariously liable for the general damages and pecuniary damages caused by Ms. Rheaume's breaches of the Privacy Act. Mr. Ari did not seek quantification of damages on this application for summary judgment, and so the assessment of class-wide damages is to be determined at a future date, unless ICBC successfully appeals this decision.
Privacy Act Liability
The Privacy Act creates a statutory tort of privacy. It is an intentional tort that does not require proof of damage. It is a tort if a person violates the privacy of another person “wilfully and without a claim of right.”3
ICBC maintains databases that include detailed personal information of all British Columbians who hold a driver's licence or who are a registered owner of a motor vehicle. The databases include personal information such as names, addresses, vehicle descriptions, licence plate numbers and claims histories. An employee who has access to these databases can use a licence plate number to find the name and address of the vehicle's owner. As a claims adjuster, Ms. Rheaume needed to have access to ICBC's databases in order to do her job.
When Ms. Rheaume started work at ICBC in 1996, she signed a copy of the code of ethics, which included a statement that ICBC employees could only access personal information when and to the extent required by their job. In 2003, Ms. Rheaume signed a document confirming that she had reviewed and answered questions about ICBC's information and security policies. In 2010, she did an online information and privacy tutorial.
The BCSC found that Ms. Rheaume intentionally accessed ICBC customers' personal information for reasons unconnected to her job. She knew or ought to have known that this was a violation of ICBC's privacy policies and the conditions of her employment. As a result, her improper access to this information was a clear breach of the Privacy Act, whether or not she passed on that information to a third party.
For an employer to be vicariously liable, there must be a connection between the employee's wrongful conduct and their relationship to the employer.
On this point, the BCSC said that ICBC “clearly created the risk of wrongdoing by an employee in Ms. Rheaume's position and that her wrongdoing was directly connected to her employment.”4 Justice Smith remarked that while Ms. Rheaume was only expected to access the databases for job-related purposes, she “clearly had the opportunity to access them for improper purposes if she wished to do so.”5 The court found that this risk was “not only foreseeable, it was actually foreseen,” with reference to the fact that ICBC employees were told of the need to protect customers' personal information and warned of adverse consequences if they accessed such information for non-business related reasons.6
The BCSC acknowledged that ICBC had policies in place that recognized its privacy obligations and that forbade improper use of its databases, and that these policies were communicated to employees, who were also warned that a violation of the policies could result in discipline up to and including termination. These factors were important in the court deciding that ICBC was not liable for punitive damages.
However, these rules and policies were not defences to the vicarious liability claim because “the possibility of an individual employee choosing to ignore them was clearly foreseeable and there is no evidence of any system or method that would have prevented or detected that conduct at the time it happened” [emphasis added].7 As a result, ICBC was found vicariously liable for Ms. Rheaume's conduct and for any damages that may be awarded.
Implications for Employers
As part of a privacy management program, it is common practice for employers to get employees to sign off on privacy policies and codes of ethics. As with ICBC's policies, such policies usually warn employees that if they improperly access or use personal information their employment might be terminated. Ari suggests that these policies and warnings are not sufficient to defend against a vicarious liability claim.
Should your Organization be Conducting a Security Review?
In most cases, it will be difficult to completely prevent the risk of wrongdoing by employees who handle personal information as part of their job duties. However, in light of Ari, employers should consider reviewing the technical security safeguards they have in place (or should have in place) to monitor and detect improper access by employees to personal information. These may include various threat monitoring technologies such as security information and event management (SIEM) solutions. This is a significant onus and potentially a costly one, depending on the nature of the business in question and the types of personal information its employees handle. It is important that the threat protection solution balances the privacy rights of employees. This may be challenging; however, failure to implement a reasonable security measure might put an employer at risk of vicarious liability for privacy breaches by a rogue employee.
Implications for B.C. Public Bodies
Lastly, we note that the proposed class action initially included a cause of action based on a claim that ICBC breached the provision in the Freedom of Information and Protection of Privacy Act (“FOIPPA”) that requires a public body to protect personal information in its custody. This claim was dismissed by the British Columbia Court of Appeal in 2015, which found that FOIPPA is a comprehensive statutory framework for dealing with such allegations. Until now, many public bodies have had some comfort that FOIPPA is a complete defence to civil claims based on statutory privacy obligations. This latest Ari decision is significant because it suggests that a public body might still face tort claims arising from privacy breaches. Further, it may signal that public bodies may have to meet a higher security standard to comply with their FOIPPA obligations to reasonably protect personal information.
1 Ari v. Insurance Corporation of British Columbia, 2022 BCSC 1475 (“Ari”).
3 Privacy Act, RSBC 1996, c. 373, section 1(1).
4 Ari at para. 73.
5 Ari at para. 74.
6 Ari at para. 74.
7 Ari at paras. 75-76.