Following in the footsteps of Jones v. Tsige from the Court of Appeal for Ontario in 2012, the recent British Columbia Court of Appeal decision in Tucci v. Peoples Trust Co. (2020 BCCA 246) appears to be solidifying the future of a common law tort of breach of privacy in Canada. Based on the facts and the appeal, the Court did not feel it was required to ultimately decide whether or not the tort of breach of privacy (or “intrusion upon seclusion”) exists in British Columbia, but the decision signalled that a future data breach case may lead to reconsideration of this issue.

The Court made specific note that the issue poses an “interesting question” for a future appeal and that the law may need to be rethought in this respect. The Court recognized a changing attitude towards the importance of information in today’s society, stating: “personal data has assumed a critical role in people’s lives, and a failure to recognize at least some limited tort of breach of privacy may be seen by some to be anachronistic.”

It also of interest in that it touches on the complexities of making a determination of whether limitation of liability clauses in website terms of use cover negligent data exposure.

What happened?

People’s Trust Co. is a federally regulated financial services business based in British Columbia. For that reason, the federal Privacy Commissioner had jurisdiction over the data breach.

The basis for the claim was a data breach suffered by the defendant, which impacted the personal information of over 12,000 customers. Social insurance numbers, contact information and dates of birth were all kept in a database that had not been protected by encryption. The defendant also had failed to install certain software updates and patches. This was said to have created vulnerabilities that were exploited by cyber attackers operating out of China.

People’s Trust Co. had made a timely report on the breach to the federal Privacy Commissioner’s Office (“OPC”) and notified individuals in accordance with applicable federal law, the Personal Information Protection and Electronic Documents Act  (“PIPEDA”). Based on the report, the OPC initiated an investigation into the matter. The OPC recommended certain enhancements and mitigative measures. The OPC noted numerous deficiencies in the program of the defendant, which are published in PIPEDA Report of Findings #2015-007, including the lack of: “(i) adequate safeguards in the development, implementation and redesign of its online application web portal; (ii) ongoing monitoring and maintenance of its system to ensure continued protection against evolving security threats; and (iii) adequate privacy procedures to ensure sufficient protection in the development and implementation of information-handling systems.”

The Report concluded by noting that the investigation had been resolved and People’s Trust had implemented appropriate mitigative measures, including completely redesigning its web portal and monitoring its online application system.

The class action is based on claims for harms caused by the bad actors’ dissemination of the claimants’ personal information. There had been some indication that the data was used in phishing scams, but to date, no other harms had been established. The plaintiffs alleged breach of contract and negligence (for failing to adequately protect data), breach of confidence and breach of privacy.

The defendant’s response included a contention that PIPEDA precludes the bringing of a civil action, claiming it is a “complete code” as it relates to personal information processing in Canada. This was clearly rejected by the Court:

“Nothing in the PIPEDA suggests that it is intended to abolish existing private law duties or to eliminate the ability of aggrieved parties to pursue common law causes of action. In my view, the judge was correct in finding that it is not a comprehensive code that precludes the plaintiffs from bringing a common law claim.”

People’s Trust Co. also claimed that its website terms of use, specifically the limitation of liability clauses, precluded an action for breach of contract. The Court declined to decide this issue at the certification stage, noting that the application of this clause is not “straightforward” and determination of whether it covers the situation at hand (leaving sensitive data exposed on a publically accessible network) will require “considerable analysis.”

Conclusions

This case will be one to follow as there is a dearth of Canadian precedent on the merits of breach of privacy claims in mass data breach incidents. If nothing else, it signals that a common law tort is more likely than not to gain traction in Canada going forward as something that should factor into any organizations’ risk assessment processes. It is also a clear sign that claims in negligence for organizations failing to take the appropriate data security measures are most likely to receive the attention of the Court. Relying on broad limitations of liability in website terms of use may not be sufficient to counter these claims.

If you have any questions or would like to discuss your privacy or cybersecurity program, please reach out to David Krebs from our Cybersecurity and Privacy Team.