PRIVACY, ATI & CASL FORUM
Canadian privacy breach classactions
November 24, 2014
Barry L. Glaspell, tel: 416-367-6104, email: [email protected]
@glaspell
Overview
A. How privacy breaches may be “tailor-made” for class action
B. “Causes of action” being pleaded
C. Kinds of privacy breach class actions we are facing
D. Tips to mitigate risks of these class actions
A.1 Class action (“CA”) background
CA is a statutory procedure
Permits assembly of many small claims
All provinces have CA statutes as well as the Federal Court
1 representative plaintiff seeks to advance claim for class, through class counsel
First step is usually the “class certification” hearing, where plaintiff & class counsel are appointed to represent the class
Notice to class -- opt out or be bound
A.2 CA funding
Most CAs brought on contingency fee basis
Class counsel typically seek 1/3 of class recovery
Class counsel often agree to indemnify representative plaintiffs from adverse costs awards
Class Proceedings Fund may pay disbursements, provide some protection against adverse costs
May be third party funding
A.3 CA case management
• In Ontario, all CAs case-managed
• Judge assigned after claim served
• Plaintiff bears onus of demonstrating 5 certification requirements
• If met, certification is mandatory
• Certification is not a test of merits, but meant to be a “meaningful screening device”
A.4 Five CA certification requirements
1. Must disclose cause of action (e.g., Tsige)
2. Identifiable class of two or more persons
3. Common issue, resolution will advance litigation
4. CA must be preferable procedure for resolution of common issue
5. Representative plaintiff
A.5 Post-class certification steps
• After certification, next step is usually notice to class & opt outs
• Will be documentary and oral discovery re common issues
• Common issues trial
• Trials of individual issues (if necessary)
A.6 Class counsel, prospecting for CAs, usually look for …
Claims with minimum $10M settlement value …
Leading to $3M class counsel fees, roughly cost to take through to trial in Ontario
Pure privacy claims may be worth $100, $1K, maximum $10K each
Need 1K to 10K compensable claims to reach threshold to make worthwhile
Cases where few hundred persons may be “affected”, class counsel should have no economic interest
A.7 PBs can be tailor-made for CAs
Public notice of the PB is what triggers the CA -- not the PB itself, or someone actually harmed
Notice recipients become the “class”
Notice will raise questions which usually become framed as common issues
There is an argument, likely weak, as to whether IPC statutory procedure is the preferable procedure
A.8 Summary
Typical PB CA involves potential or actual unauthorized disclosure, loss or use of PI
Single event (notice); usually trivial damages; form of “crowdsourcing” many small claims
Class counsel see these claims as novel and reputation building
CDN common law/statutes nascent on “right” to privacy damages
Do privacy statutes preclude class actions or do they underpin the claim?
B.1 Overview re Causes of Action
Merits PB CA determination has not happened yet -- litigation cost very high compared to value of cases
On damages, typical PB CA pleads risk of identity theft; seeks credit monitoring or fraud insurance; and out-of-pocket costs.
Issue re whether fear alone of (as opposed to actual) abuse of PI grounds cause of action
B.2 Range of potential causes
Statutory
Special: ON PHIPA -- 2 layers of potential recovery:
Actual harm damages suffered
Wilful/reckless conduct – up to $10K mental distress damages (PHIPA s. 65(3))
General: BC, SASK, MN, NL have Privacy Act causes of action
Many statutes have no causes of action: PIPEDA
Are the statutes “complete codes”, precluding common law claims?
B.3 Range of potential causes
Common Law (judge-made)
Contract (e.g., lost info not properly protected)
Negligence (e.g., not encrypted)
Breach of fiduciary duty or confidence
Intentional tort (Tsige -- snooping; or harvesting data for illicit sale). Is there vicarious liability?
B.4 Jones v. Tsige
• J and T each worked at BMO; T in common law relationship with J’s former husband
• T accessed J’s banking records 174 times
• Did not disseminate information
• T apologized, suspended 1 week
• PIPEDA applies to BMO not T
• 1st Canadian appellate court decision finding new PB intentional tort, “intrusion upon seclusion”
B.5 Elements of Jones v. Tsige liability
• Unauthorized intrusion highly offensive to reasonable person, causes anguish/suffering
• Very vague
• Damages range up to $20K
• Is there vicarious liability?
• Does it apply to lost PI, where no financial harm?
• Is Jones v Tsige good law?
• NS says yes; SCC may say no
B.6 Jurisdiction issue: class action v. regulatory action
What is prospect regulatory action by Privacy Commissioner precludes a class action?
Or is “preferable procedure” to class action?
PB notice mandated by legislation, causes class action -- not someone actually harmed
Cost of personal/newspaper notice of breach; class certification; class settlement; usually far exceeds value of actual harm to those affected
B.7 Hopkins v Peterborough, 2014 ONSC 321
• Hospital employee snooping PHI; terminated; patients notified as required by IPC
• Hospital motion to strike; says PHIPA complete code
• Common law tort and statutory right do not co-exist
• Seek to distinguish Jones v Tsige
• Court of Appeal to hear December 15, 2014
• IPC and OHA granted intervener status
• Rouge RESP case on hold pending outcome
B.8 Is PHIPA claim exclusive?
If Commissioner makes PHIPA order then “person affected” by breach may sue for damages for “actual harm” “suffered as a result of the contravention”
Language borrowed from provincial securities legislation; will it be broadly or narrowly construed, will it preclude tort claims?
Effect: Commissioner’s order res judicata, only remaining question is quantifying statutory damages
Complete code?
If await Commissioner order, will claim be statute-barred?
Sorts of PB CAs …
Cases may be divided into four categories:
1. misadventure -- accident/bad judgment
2. intentional misuse -- snooping
3. crime
4. business policy -- open access
C.1 Misadventure
Dumped computers (Cole v Prairie Centre Credit)
Tapes/discs sent by courier go missing (Mazzonna v. DaimlerChrysler Financial, Sofio v. IIROC)
USB stick lost (Rowlands v Durham Public Health)
and found (Montfort)
Ford: Personal info of 10K employees uploaded to unsecured website
Low to nil settlement value
C.1 Misadventure: Condon v. Canada, 2014 FC 250
1st Federal Court intrusion upon seclusion class action certified
Federal Government lost hard drive: 583K student loan recipients, loan balances, SINs, birthdates and addresses
No encryption
Can failure to protect PI by leaving hard drive in an unlocked cabinet satisfy Jones test?
Can frustration and anxiety be forms of compensable distress?
C.1 Misadventure: Sofio v IIROC (QC 2014)
Mislaid portable, not encrypted
50K customers of brokerage firms
Pleads required to take credit monitoring steps
No identity theft or other fraud reported
Stress/anger part and parcel of everyday life, not compensable
No serious appearance of right, absent compensable damages
Not certified; under appeal
C.1 Durham Region v. Rowlands
83K patients’ data on lost USB, not found
Received H1N1 flu shot clinics in 2009
Lost data = name, address, phone number, DOB,health card number, name of patient's family doctor
Settlement: Recovery required proof of direct financial harm -- no class member claimed
Effect: Class counsel received $500K to stop what appears to be a hopeless action (cf Mazzona)
Covered by insurance -- passed on to taxpayers
Is it a good spend of taxpayer money?
C.1 Montfort Hospital
USB reported lost; employee took work home
Contained patient name; service summary; date
Did not contain OHIP numbers; diagnosis/test result; home address; payment information
Letters in mail to 25K patients: PHIPA s. 12
$25M law suit
Then lost stick recovered
Forensic audit showed not accessed other than by “Good Samaritan”
C.2 Snooping cases
Intentional, Jones v Tsige
About 15 CAs, many involving nurses and hospitals, across Canada
Hopkins an example
C.3 Crime -- employee
Employee steals PI, harvests it for profit
Employer may be victim
BNS v Evans (clients defrauded)
Rouge v. Broutzas (PHI harvested & allegedly sold to RESP cos)
Limited value-add to contesting certification
Vicarious liability of innocent employer for intentional conduct, or punitive damages?
C.3 Evans v. Bank of Nova Scotia, 2014 ONSC 2135
Bank employee provided customer PI to girlfriend
Girlfriend gave to third parties
Customers are victims of identity theft & fraud
BNS offered credit monitoring and admitted responsibility for pecuniary losses
Said should not be vicariously liable for tort of intrusion upon seclusion or symbolic damages caused by intentional misconduct
Class action certified, not plain and obvious vicarious liability claim will fail
Under appeal
C.3 Crime -- third party
Hacking (Home Depot)
Usually public notice of security or privacy breach
Often few people really damaged
Cases often settle at low dollars, often with coupon settlements or cy-pres
Huge exposure to reputation
C.4 Business practice
“We intended to do it”
NSA harvesting, under terror pretext
Privacy settings (St. Arnaud c Facebook)
Profit orientation
Usually governing law and jurisdiction clause
Often get into jurisdiction issues
Higher settlement value for class counsel?
Reputation risk
CAs against FB, Apple, LinkedIn
Spectrum of PI DB claims/damages

No harm                 Jones v Tsige cases              Crime or Profit
Lost PI                 PI snooping                      Fraud/Hacking/Harvesting
PI not accessed         Often PHI                        Stolen ID/GeoLocation
Credit monitoring?      Sometimes targeted               Always targeted
Not intended            Intentional                      Vicarious liability?
Why class action?       Role of statutes v common law    Big exposure
                                                         Provable losses
Durham v. Rowlands      Peterborough RHC                 BNS v Evans / Apple / FB
D.1 Avoidance -- USB sticks
Throw them away, without regard to whether encrypted
If have to use, need encryption and well-communicated policy re risks
D.2 Avoidance -- hackers
Is your institution ready for this? -- persons may seek to harvest information for profit
May be internal, not “hacker”
We have these cases in commercial/banking context -- serious problem
D.3 Avoidance -- vendor contracts
Restrict vendors’ use of third party service providers
Allocate risks of class action exposure; indemnities
Consider notification duties, if information lost or accessed
D.4 Avoidance -- business practice
Harvesting and sale or distribution of information needs careful legal review by experts
Security analysts
Sensitivity training of employees
D.5 Avoidance -- assessment of risks
Assessment of & prioritize risks -- loss of all or part of records more significant than preventing every single snooper
Encryption -- all mobile devices
Anti-snooping software -- issues re standard of care and “zoning” access to records
Audits review security/privacy issues, but if they find something, may need to disclose
Tired and overworked employee issue
D.6 Avoidance -- complaints and claims
Focused response to complaints
Proactive ID and resolution of small claims
Don’t take hard line positions re “the law”
Consideration of proactive steps to resolve or litigate class actions – need to decide early whether you are going to settle or litigate and stick to position
Class counsel testing class action credibility -- response affects likelihood of class action recurrence
D.7 Class action avoidance -- behaviour
Exemplary behaviour key to avoiding class certification
affects court’s preferable procedure analysis; prepare, publish, effect code of conduct; timeliness and clarity of external communications
Poor post-incident behaviour may become the main cause of action
one purpose of class actions is to dissuade future bad behaviour; any perception of cover-up, even if it does not exist, increases likelihood of class certification and punitive damages, even absent compensatory damages
D.8 Avoidance, statutes and legal advice
Call lawyer & insurer first to protect privilege, defence & indemnity obligations
Consult privacy law expert; not area for dabblers
Every security breach not a privacy breach; take care not to jump to factual or legal conclusions
Some information losses may not be PHIPA s. 12 “lost”; accidental access may not be PHIPA s. 12 unauthorized access
Novel issues, and law in transition
PHIPA may be soon ready for review/amendments
E.1 Conclusions
Huge growth area, only tip of iceberg seen so far
Claims have moved from losses to snoopers,crimes and improper business motives
Stress damages may be effectively recoverable under Jones v Tsige
Vicarious liability concern
Statutes may not be complete code
E.2 Conclusions
Class action often certifiable
Settlement value: Not big, but large cost to defend
1. Worry One: PI custodians hit with hacker harvesting for profit; economic loss cases serious
2. Worry Two: Court not agree re complete code. Potential for conflict between regulatory regime and common law class action. Look for statutory refinement