PRIVACY, ATI & CASL FORUM Canadian privacy breach class actions November 24 , 2014 Barry L. Glaspell tel: 416-367-6104 email: [email protected] @glaspell

TOR01-#5765012-v1-DB Class Actions · 2014-11-28 · 14 A.6 Class counsel, prospecting for CAs, usually look for … Claims with minimum $10M settlement value … Leading to $3M class


PRIVACY, ATI & CASL FORUM

Canadian privacy breach class actions

November 24, 2014

Barry L. Glaspell
tel: 416-367-6104
email: [email protected]

@glaspell


Overview

A. How privacy breaches may be “tailor-made” for class action

B. “Causes of action” being pleaded

C. Kinds of privacy breach class actions we are facing

D. Tips to mitigate risks of these class actions


A.1 Class action (“CA”) background

CA is a statutory procedure

Permits assembly of many small claims

All provinces have CA statutes as well as the Federal Court

1 representative plaintiff seeks to advance claim for class, through class counsel

First step is usually the “class certification” hearing, where plaintiff & class counsel are appointed to represent the class

Notice to class -- opt out or be bound


A.2 CA funding

Most CAs brought on contingency fee basis

Class counsel typically seek 1/3 of class recovery

Class counsel often agree to indemnify representative plaintiffs from adverse costs awards

Class Proceedings Fund may pay disbursements, provide some protection against adverse costs

May be third party funding


A.3 CA case management

• In Ontario, all CAs case-managed

• Judge assigned after claim served

• Plaintiff bears onus of demonstrating 5 certification requirements

• If met, certification is mandatory

• Certification is not a test of merits, but meant to be a “meaningful screening device”


A.4 Five CA certification requirements

1. Must disclose cause of action (e.g., Tsige)

2. Identifiable class of two or more persons

3. Common issue, resolution will advance litigation

4. CA must be preferable procedure for resolution of common issue

5. Representative plaintiff


A.5 Post-class certification steps

• After certification, next step is usually notice to class & opt outs

• Will be documentary and oral discovery re common issues

• Common issues trial

• Trials of individual issues (if necessary)


A.6 Class counsel, prospecting for CAs, usually look for …

Claims with minimum $10M settlement value …

Leading to $3M class counsel fees, roughly cost to take through to trial in Ontario

Pure privacy claims may be worth $100, $1K, maximum $10K each

Need 1K to 10K compensable claims to reach threshold to make worthwhile

Cases where few hundred persons may be “affected”, class counsel should have no economic interest


A.7 PBs can be tailor-made for CAs

Public notice of the PB is what triggers the CA -- not the PB itself, or someone actually harmed

Notice recipients become the “class”

Notice will raise questions which usually become framed as common issues

There is an argument, likely weak, as to whether IPC statutory procedure is the preferable procedure


A.8 Summary

Typical PB CA involves potential or actual unauthorized disclosure, loss or use of PI

Single event (notice); usually trivial damages; form of “crowdsourcing” many small claims

Class counsel see these claims as novel and reputation building

CDN common law/statutes nascent on “right” to privacy damages

Do privacy statutes preclude class actions or do they underpin the claim?


B.1 Overview re Causes of Action

Merits PB CA determination has not happened yet -- litigation cost very high compared to value of cases

On damages, typical PB CA pleads risk of identity theft; seeks credit monitoring or fraud insurance; and out-of-pocket costs.

Issue re whether fear alone of (as opposed to actual) abuse of PI grounds cause of action


B.2 Range of potential causes

Statutory

Special: ON PHIPA

• 2 layers of potential recovery:

Actual harm damages suffered

Wilful/reckless conduct – up to $10K mental distress damages (PHIPA s. 65(3))

General: BC, SASK, MN, NL have Privacy Act causes of action

Many statutes have no causes of action: PIPEDA

Are the statutes “complete codes”, precluding common law claims?


B.3 Range of potential causes

Common Law (judge-made)

Contract (e.g., lost info not properly protected)

Negligence (e.g., not encrypted)

Breach of fiduciary duty or confidence

Intentional tort (Tsige -- snooping; or harvesting data for illicit sale)

Is there vicarious liability?


B.4 Jones v. Tsige

• J and T each worked at BMO; T in common law relationship with J’s former husband

• T accessed J’s banking records 174 times

• Did not disseminate information

• T apologized, suspended 1 week

• PIPEDA applies to BMO not T

• 1st Canadian appellate court decision finding new PB intentional tort, “intrusion upon seclusion”


B.5 Elements of Jones v. Tsige liability

• Unauthorized intrusion highly offensive to reasonable person, causes anguish/suffering

• Very vague

• Damages range up to $20K

• Is there vicarious liability?

• Does it apply to lost PI, where no financial harm?

• Is Jones v Tsige good law?

• NS says yes; SCC may say no


B.6 Jurisdiction issue: class action v. regulatory action

What is prospect regulatory action by Privacy Commissioner precludes a class action?

Or is “preferable procedure” to class action?

PB notice mandated by legislation, causes class action -- not someone actually harmed

Cost of personal/newspaper notice of breach; class certification; class settlement; usually far exceeds value of actual harm to those affected


B.7 Hopkins v Peterborough, 2014 ONSC 321

• Hospital employee snooping PHI; terminated; patients notified as required by IPC

• Hospital motion to strike; says PHIPA complete code

• Common law tort and statutory right do not co-exist

• Seek to distinguish Jones v Tsige

• Court of Appeal to hear December 15, 2014

• IPC and OHA granted intervener status

• Rouge RESP case on hold pending outcome


B.8 Is PHIPA claim exclusive?

If Commissioner makes PHIPA order then

“person affected” by breach may

sue for damages for “actual harm”

“suffered as a result of the contravention”

Language borrowed from provincial securities legislation; will it be broadly or narrowly construed, will it preclude tort claims?

Effect: Commissioner’s order res judicata, only remaining question is quantifying statutory damages

Complete code?

If await Commissioner order, will claim be statute-barred?


Sorts of PB class actions …


Sorts of PB CAs …

Cases may be divided into four categories:

1. misadventure -- accident/bad judgment

2. intentional misuse -- snooping

3. crime

4. business policy -- open access


C.1 Misadventure

Dumped computers (Cole v Prairie Centre Credit)

Tapes/discs sent by courier go missing (Mazzonna v. DaimlerChrysler Financial, Sofio v. IIROC)

USB stick lost (Rowlands v Durham Public Health)

and found (Montfort)

Ford: Personal info of 10K employees uploaded to unsecured website

Low to nil settlement value


C.1 Misadventure: Condon v. Canada, 2014 FC 250

1st Federal Court intrusion upon seclusion class action certified

Federal Government lost hard drive, 583K student loan recipients, loan balances, SINs, birthdates and addresses

No encryption

Can failure to protect PI by leaving hard drive in an unlocked cabinet satisfy Jones test?

Can frustration and anxiety be forms of compensable distress?


C.1 Misadventure: Sofio v IIROC (QC 2014)

Mislaid portable, not encrypted

50K customers of brokerage firms

Pleads required to take credit monitoring steps

No identity theft or other fraud reported

Stress/anger part and parcel of everyday life, not compensable

No serious appearance of right, absent compensable damages

Not certified; under appeal


C.1 Durham Region v. Rowlands

83K patients’ data on lost USB, not found

Received H1N1 flu shot clinics in 2009

Lost data = name, address, phone number, DOB, health card number, name of patient's family doctor

Settlement: Recovery required proof of direct financial harm -- no class member claimed

Effect: Class counsel received $500K to stop what appears to be a hopeless action (cf Mazzona)

Covered by insurance -- passed on to taxpayers

Is it a good spend of taxpayer money?


C.1 Montfort Hospital

USB reported lost; employee took work home

Contained patient name; service summary; date

Not contain OHIP numbers; diagnosis/test result; home address; payment information

Letters in mail to 25K patients: PHIPA s. 12

$25M law suit

Then lost stick recovered

Forensic audit showed not accessed other than by “Good Samaritan”


C.2 Snooping cases

Intentional, Jones v Tsige

About 15 CAs, many involving nurses and hospitals, across Canada

Hopkins an example


C.3 Crime -- employee

Employee steals PI, harvests it for profit

Employer may be victim

BNS v Evans (clients defrauded)

Rouge v. Broutzas (PHI harvested & allegedly sold to RESP cos)

Limited value-add to contesting certification

Vicarious liability of innocent employer for intentional conduct, or punitive damages?


C.3 Evans v. Bank of Nova Scotia, 2014 ONSC 2135

Bank employee provided customer PI to girlfriend

Girlfriend gave to third parties

Customers are victims of identity theft & fraud

BNS offered credit monitoring and admitted responsibility for pecuniary losses

Said should not be vicariously liable for tort of intrusion upon seclusion or symbolic damages caused by intentional misconduct

Class action certified, not plain and obvious vicarious liability claim will fail

Under appeal


C.3 Crime -- third party

Hacking (Home Depot)

Usually public notice of security or privacy breach

Often few people really damaged

Cases often settle at low dollars, often with coupon settlements or cy-pres

Huge exposure to reputation


C.4 Business practice

“We intended to do it”

NSA harvesting, under terror pretext

Privacy settings (St. Arnaud c Facebook)

Profit orientation

Usually governing law and jurisdiction clause

Often get into jurisdiction issues

Higher settlement value for class counsel?

Reputation risk

CAs against FB, Apple, LinkedIn


Spectrum of PI DB claims/damages

| No harm | Jones v Tsige cases | Crime or Profit |
|---|---|---|
| Lost PI | PI snooping | Fraud/Hacking/Harvesting |
| PI not accessed | Often PHI | Stolen ID/GeoLocation |
| Credit monitoring? | Sometimes targeted | Always targeted |
| Not intended | Intentional | Vicarious liability? |
| Why class action? | Role of statutes v common law | Big exposure; Provable losses |
| Durham v. Rowlands | Peterborough RHC | BNS v Evans / Apple / FB |


D.1 Avoidance -- USB sticks

Throw them away, without regard to whether encrypted

If have to use, need encryption and well-communicated policy re risks


D.2 Avoidance -- hackers

Is your institution ready for this? -- persons may seek to harvest information for profit

May be internal, not “hacker”

We have these cases in commercial/banking context -- serious problem


D.3 Avoidance -- vendor contracts

Restrict vendors’ use of third party service providers

Allocate risks of class action exposure; indemnities

Consider notification duties, if information lost or accessed


D.4 Avoidance -- business practice

Harvesting and sale or distribution of information needs careful legal review by experts

Security analysts

Sensitivity training of employees


D.5 Avoidance -- assessment of risks

Assessment of & prioritize risks -- loss of all or part of records more significant than preventing every single snooper

Encryption -- all mobile devices

Anti-snooping software -- issues re standard of care and “zoning” access to records

Audits review security/privacy issues, but if find something, may need disclose

Tired and overworked employee issue


D.6 Avoidance -- complaints and claims

Focused response to complaints

Proactive ID and resolution of small claims

Don’t take hard line positions re “the law”

Consideration of proactive steps to resolve or litigate class actions – need to decide early whether you are going to settle or litigate and stick to position

Class counsel testing class action credibility -- response affects likelihood of class action recurrence


D.7 Class action avoidance -- behaviour

Exemplary behaviour key to avoiding class certification

affects court’s preferable procedure analysis; prepare, publish, effect code of conduct; timeliness and clarity of external communications

Poor post-incident behaviour may become the main cause of action

one purpose of class actions is to dissuade future bad behaviour; any perception of cover-up, even if it does not exist, increases likelihood of class certification and punitive damages, even absent compensatory damages


D.8 Avoidance, statutes and legal advice

Call lawyer & insurer first to protect privilege, defence & indemnity obligations

Consult privacy law expert; not area for dabblers

Every security breach not a privacy breach; take care not to jump to factual or legal conclusions

Some information losses may not be PHIPA s. 12 “lost”; accidental access may not be PHIPA s. 12 unauthorized access

Novel issues, and law in transition

PHIPA may be soon ready for review/amendments


E.1 Conclusions

Huge growth area, only tip of iceberg seen so far

Claims have moved from losses to snoopers, crimes and improper business motives

Stress damages may be effectively recoverable under Jones v Tsige

Vicarious liability concern

Statutes may not be complete code


E.2 Conclusions

Class action often certifiable

Settlement value: Not big, but large cost to defend

1. Worry One: PI custodians hit with hacker harvesting for profit; economic loss cases serious

2. Worry Two: Court not agree re complete code. Potential for conflict between regulatory regime and common law class action. Look for statutory refinement