Trendspotting: Privacy Litigation in 2013
Alex Cameron, Partner
Fasken Martineau DuMoulin LLP
IAPP Canada Privacy Symposium, May 23, 2013
Scenario
• Company privacy statement states:
• “We take privacy seriously…”
• “We are committed to protecting your privacy…”
• “We have implemented strict safeguards…”
• Employee has access to customer personal information as
needed for the employee’s job functions
Scenario
• Contrary to company policies and procedures, employee:
• copies personal information to unencrypted USB key
• takes USB key home to work on the weekend
• texts his friends about what his neighbours purchased
• inadvertently uploads information to a file-sharing network
• posts embarrassing customer information to Facebook
Scenario
• PIPEDA complaint filed with Office of the Privacy
Commissioner of Canada (and accountability guidelines
invoked as a benchmark)
• Class action launched against company and employee for:
• Invasion of privacy
• Breach of contract
• Misrepresentation
• Negligence
• Is the company liable for the employee’s actions?
• What are the damages?
Overview
• Damage awards under PIPEDA
• Key issues in tort claims
• Meaning of ‘invasion’
• Impact of ‘recklessness’
• Vicarious liability
• Continued rise of privacy class actions
Damages under PIPEDA
Step 1: Complaint to Commissioner under PIPEDA
Step 2: Commissioner investigation/mediation
Step 3: Commissioner issues report or discontinuance
Step 4: Application to Federal Court for hearing (s.14/15)
Step 5: Court hears matter de novo, not judicial review
Step 6: Court may award damages (s. 16(c))
Damages under PIPEDA
• As compared to a ‘normal’ legal proceeding, under the
PIPEDA (and PHIPA) model:
• No ‘direct’ route to court to obtain damages
• Complainant is initially not in control of process or timing
• No cost to complainant for complaint/investigation stage
• No risk to complainant at complaint/investigation stage
• Court may award damages only against the organization
that is subject to PIPEDA
• Note: No damage cap under PIPEDA. Under PHIPA,
damages for mental anguish are capped at $10,000.
Damages under PIPEDA
• Causal connection between breach and damage
• Egregious and very serious cases only
• Consider:
• the alleged injury and harm
• the nature of the breach
• the nature of the organization’s business
• whether there was a commercial benefit from breach
• whether there was bad faith
• the pre- and post-complaint conduct of the organization
• whether the complaint contributed to the breach or harm
Damages under PIPEDA
| Case | Facts | Damages |
|---|---|---|
| Randall v. Nubodys Fitness | Fitness club disclosed to the complainant’s employer the frequency of complainant’s visits | None |
| Nammo v. TransUnion | Credit bureau disclosed inaccurate credit report to bank in connection with loan application | $5,000 |
| Girao v. ZTGH LLP | Law firm published on its website a final report from the OPC in a PIPEDA complaint | $1,500 |
| Landry v. Royal Bank | Bank improperly disclosed information to complainant’s ex-spouse in divorce proceeding | $4,500 |
Damages under PIPEDA
| Case | Facts | Damages |
|---|---|---|
| Biron v. Royal Bank | Bank causes humiliation by disclosing third-party information in divorce proceeding, despite express objections by third-party | $2500 |
Damages under PIPEDA
• “The fact that the Respondent has never denied having
committed the errors is commendable.… the Respondent has
apologized to the Applicant on numerous occasions …. It
may be, as alleged by the Applicant, that the Respondent
should have put these measures in place before the error
occurred. Nobody should be held to a standard of
perfection, and the Respondent already had a detailed
protocol before the occurrence of what can only be
considered as a human error.” [emphasis added]
• Townsend v. Sun Life Financial, 2012 FC 550
That was then…
…this is now.
That was then…
…this is now (or more likely, 2014).
Tort claims
• Four provinces with statutory torts of invasion of privacy:
• British Columbia, Privacy Act, R.S.B.C. 1996 c. 373;
• Manitoba, Privacy Act, R.S.M. 1987 c. P125;
• Saskatchewan, Privacy Act, R.S.S. 1978, c. P-24;
• Newfoundland, Privacy Act, R.S.N. 1990, c.P-22.
Tort claims
• Four types of privacy tort claims in the United States:
• Intrusion upon the plaintiff’s seclusion or solitude
• Public disclosure of embarrassing private facts
• Publicity which places the plaintiff in a false light
• Appropriation of the plaintiff’s name or likeness.
Tort claims
• Jones v Tsige 2012 ONCA 32
• Three elements needed to show intrusion upon seclusion:
• the defendant’s conduct must be intentional (which
includes reckless conduct);
• the defendant must have invaded, without lawful
justification, the plaintiff’s private affairs or concerns; and
• a reasonable person would regard the invasion as highly
offensive causing distress, humiliation or anguish.
• “deliberate and significant invasions” only
• competing claims must be reconciled (e.g. freedom of
expression)
Tort claims
• competing claims must be reconciled (e.g. freedom of
expression)
Tort claims
• Meaning of “recklessness”?
• No fixed meaning in tort
• Recklessness contains two elements:
• conduct that creates obvious and serious risk; and
• acting without giving any thought to the possibility of there
being any such risk, or recognizing that there is risk and
nevertheless deciding to take the risk.
• The first element includes an objective analysis of the
risk that is created by the conduct.
• The second element includes a subjective analysis of
whether the risk was considered.
Allegations in Douez class action
Tort claims
• Damages factors:
• the nature, incidence and occasion of the wrongful act;
• the effect of the wrong on the plaintiff’s health, welfare,
social, business or financial position;
• any relationship between the parties;
• any distress, annoyance or embarrassment suffered; and
• the conduct of the parties, both before and after the
wrong, including any apology or offer of amends made by
the defendant.
Tort claims
• Damages “will ordinarily be measured by a modest
conventional sum”:
“…damages for intrusion upon seclusion in cases where
the plaintiff has suffered no pecuniary loss should be
modest but sufficient to mark the wrong that has been
done. I would fix the range at up to $20,000.”
• Punitive and aggravated damages are neither excluded nor
encouraged
Tort claims: post-Jones v. Tsige
• Alberta v Alberta Union of Provincial Employees, 2012 CanLII
47215 (AB GAA)
• 26 government employees were awarded $1,250 each in
respect of an unauthorized credit check of each of them by
an agent of their employer, even though no actual harm
was shown
Tort claims: post-Jones v. Tsige
• Trout Point Lodge Ltd. v. Handshoe, 2012 NSSC 245
• primarily a defamation case
• blog postings and doctored photos
• based on Jones case, confirms that an award could be
made for invasion of privacy in Nova Scotia
• no award made because parties had not made arguments
regarding potential limits related to freedom of expression
Tort claims: post-Jones v. Tsige
• Connolly v. Telus Communications Co [2012] O.J. No. 464
• wrong SIN provided when purchasing iPhone and Telus
contract
• post-transaction audit identified discrepancy
• service suspended due to fraud concern
• “Restoration of the service occurred on June 28, 2010 after
John's lawyer intervened and satisfied Telus that there had
been a mistake on the SIN used…”
• no intrusion upon seclusion
Tort claims: post-Jones v. Tsige
• Action Auto Leasing & Gallery Inc. v. Gray [2013] O.J. No.
898
• Dispute regarding breach of vehicle lease
• “I accept his hearsay evidence that his mother received a
single message from an employee of the plaintiff in which
the plaintiff disclosed the fact that this lease was in default
and a dollar amount claimed to be owing was disclosed.”
• Interprets Jones case as approving of all four torts
• Alternatively, recognizes the disclosure tort
• Awards $100 set off against amount owing under the lease
Tort claims: vicarious liability
• Vicarious liability:
• creature of the common law
• evolving principles inferred from cases
• a form of strict liability:
• the law holds one person responsible for the misconduct of
another, although the person held liable is free of personal
blameworthiness or fault
Tort claims: vicarious liability
• vicarious liability:
• ancient origin is the doctrine of respondeat superior: “let
the master answer”
• modern approach is policy driven – a policy analysis
directed at ascertaining whether the employer’s conduct
created or enhanced the risk that the tort would occur.
• Bazley v. Curry, [1999] 2 SCR 534
• misconduct must be sufficiently related to the conduct
authorized by the employer
Tort claims: vicarious liability
• policy rationales:
• enterprise risk
• loss distribution
• encouraging risk management
• if vicarious liability would serve these ends in any given case,
a court will be more inclined to impose it
Tort claims: vicarious liability
• General test for when vicarious liability will be imposed can
be described as follows: employers are vicariously liable for
• Employee acts authorized by the employer
• Unauthorized acts so connected with authorized acts that
they may be regarded as modes (albeit improper modes)
of doing an authorized act.
Tort claims: vicarious liability
• Factors to show connection between tort and employment:
• opportunity afforded the employee to abuse power
• extent to which the wrongful act may have furthered the
employer’s aims (and hence be more likely to have been
committed by the employee)
• extent to which the wrongful act was related to friction,
confrontation or intimacy inherent in the enterprise
• extent of employee’s power in relation to the victim
• potential victims’ vulnerability to abuse of employee power
Tort claims: vicarious liability
• Did the employer’s enterprise and empowerment of the
employee materially increase the risk of the harm?
• The test must not be applied mechanically, but with a
sensitive view to the policy considerations that justify the
imposition of vicarious liability
• Investigate the employee’s specific duties and determine
whether they gave rise to special opportunities for
wrongdoing
• Bazley v. Curry, [1999] 2 SCR 534
Tort claims: vicarious liability
• “Vicarious liability is arguably fair in this sense. The employer
puts in the community an enterprise which carries with it
certain risks. When those risks materialize and cause injury to
a member of the public despite the employer’s reasonable
efforts, it is fair that the persons or organizations that create
the enterprise and hence the risk should bear the loss. This
accords with the notion that it is right and just that the person
who creates a risk bear the loss when the risk ripens into
harm.”
• Blackburn v. Midland Walwyn Capital Inc., 2003 CanLII 41421
(ON SC)
Tort claims: vicarious liability
• Steps to limit risk of vicarious liability:
• Risk associated with unauthorized employee activities is
real and bigger than might be assumed
• Very challenging to limit such risks
• Contractual terms may not be effective and may backfire
Tort claims: vicarious liability
• Steps to limit risk for vicarious liability (cont’d):
• The best protection is prevention, which is industry and
context specific
• (Subject to privacy rules), be aware, to the greatest extent
possible, of what employees are up to
• Establish systems to spot unusual patterns of activity
• Consider a robust whistleblower policy
• Where, for business or other reasons, preventative steps
are not appropriate, consider insurance
Class actions
• Rowlands v. Durham Region Health:
• allegations of lost USB thumb drive containing personal
health information of over 83,500 patients
• class action certified (largely on consent)
• settlement:
• $500,000 to class counsel
• Mechanism to show economic harm
• Class counsel entitled to 25% of actual harm awards
Class actions
• St. Arnaud v. Facebook, Quebec Superior Court: Court File No. 500-06-000511-101
• Terms of Service: “You will resolve any claim, cause of action or dispute ("claim") you have with us arising out of or relating to this Statement or Facebook exclusively in a state or federal court located in Santa Clara County.”
• Quebec court ruled it had no jurisdiction
• Settlement reached with Facebook after jurisdiction decision
• updated Facebook privacy policy to be maintained in substantially the same form or manner for at least three years from the date of implementation
• $75,000 to plaintiff’s counsel
• $1,000 to plaintiff
Class actions: Mazzonna decision
Class actions
Allegations in Douez class action
Class actions
• Douez v Facebook, 2012 BCSC 2097
• Jurisdiction motion and certification motion
• Watch for outcome of June 18, 2013 hearing
Ford Motor Company
• “On January 22, 2013, Ford Motor Company of Canada,
Limited (“Ford”) announced that certain confidential personal
information of 10,000 Ford employees was uploaded onto an
unsecured website on the internet.”
• “Individuals whose personal information was uploaded onto
the unsecured website may be entitled to compensation for
the breach of their privacy, damages for identity theft and/or
damages to their credit reputation, damages for the costs
incurred to prevent identity theft, damages for the time spent
changing your personal information such as your Social
Insurance Number, damages for emotional
distress/inconvenience, and/or compensation for out of pocket
expenses.”
• http://www.fordprivacyclassaction.com
Montfort Hospital
• “Sometime after October 2012, an unsecure, unencrypted
USB key containing the personal health information of
approximately 25,000 patients of Hopital Montfort was lost.
The hospital has been unable to locate the USB key on which
the personal health information was stored.”
• March 14, 2013 - http://www.fcbarristers.com/documents/FCPressReleaseMar1413.pdf
Montfort Hospital
• “Last April, Hopital Montfort informed the public that a non-encrypted
USB key that was lost in the fall of 2012 was found
and returned to the hospital by a member of the community.
An independent expert technological assessment,
carried out at Montfort's request, now confirms that there
was no non-authorized access to the files of the 25 693
patients concerned.” [emphasis added]
• May 22, 2013
• https://www.hopitalmontfort.com/press-releases.cfm?newsID=214
Montfort Hospital
• “The additional accounting file contained the names of
approximately 2 200 patients …, an encounter number, the
date on which they received care, a total and outstanding
amount due, the name of the person responsible for payment,
a code representing the type and payment status of the visit
in question, and, in 130 cases, a social insurance number
associated with a guarantor.”
• “… All USB keys in use at Montfort are now encrypted by
default and the hospital continues to prioritize staff privacy
and confidentiality training for the protection of patient’s
personal health information.”
• https://www.hopitalmontfort.com/press-releases.cfm?newsID=214
HRSDC pensions and EI
• “In December, 2012, the Minister of Human Resources and
Skills Development announced that an electronic storage
device, known as a USB key, containing the confidential
personal information of 5,000 Canadians who had applied for
pensions, old age security benefits,
employment insurance or child care tax credits and other
benefits went missing.”
• http://www.lostusbkeyclassaction.com
HRSDC student loans
• January 11, 2013: Please be advised that an electronic
storage device, also known as an external portable hard
drive, containing personal information on 583,000 Canada
Student Loan borrowers who were clients of the Canada
Student Loans Program (CSLP) from 2000-2006 has been
lost from an HRSDC office in Gatineau, Quebec.
• The external portable hard drive included:
• personal information on 583,000 Canada Student Loan borrowers who
were clients of the CSLP from 2000-2006. Student loan borrowers from
the province of Quebec, Nunavut and the Northwest Territories during the
same time period are not affected;
• Student names, Social Insurance Numbers, dates of birth, contact
information and loan balance of Canada Student Loan borrowers;
• Personal contact information of 250 HRSDC employees;
• No banking or medical information was included on the portable hard
drive.
HRSDC student loans
• “February 19th, 2013: Please be advised that the electronic
storage device containing personal information of 583,000
Canada Student Loan borrowers who were clients of the
Canada Student Loans Program (CSLP) from 2000-2006 also
contained personal information of affected clients who fall
outside the 2000-2006 period. Of the individuals affected,
2,800 fall outside the 2000-2006 period and of those 2,600
are in 2007. The department has already communicated with
over 1,600 of these affected borrowers. Efforts continue to
locate current contact information for all affected borrowers.”
HRSDC student loans
• April 25, 2013 – statement of claim issued
• Statement of Claim:
http://www.studentloansclassaction.com/sites/default/files/documents/1085367_csc.pdf
Class actions
• Empirical analysis of data breach litigation in the U.S.:
• Litigation is 3.5 times more likely to occur when individuals
suffer financial harm
• Litigation is more than 6 times less likely to occur when
free credit monitoring is offered following the breach
• Defendants settle 30% more often when a class action is
certified or when plaintiffs allege financial loss
• Data breaches exposing medical information are more
strongly correlated with settlement than data breaches
exposing financial information.
Source: Romanosky, Sasha, Hoffman, David A. and Acquisti, Alessandro,
Empirical Analysis of Data Breach Litigation (February 19, 2012).
Class actions
• Consider all ‘costs’:
• Adverse publicity
• Reputational harm
• Legal costs
• Organizational response costs
• Litigation costs
• Damages or settlement costs
• Lost opportunity
What we covered
• Damage awards under PIPEDA
• Key issues in tort claims
• Meaning of ‘invasion’
• Impact of ‘recklessness’
• Vicarious liability
• Continued rise of privacy class actions