British Columbia’s highest court says a class action lawsuit alleging negligence and breach of contract against a trust company in a 2013 data breach can go to trial.
In a unanimous decision earlier this month, the B.C. Court of Appeal upheld a lower court decision certifying the action against Peoples Trust for the breach on those grounds. Courts have to certify class actions before they can go ahead.
Unencrypted data of 12,000 customers including names, addresses, email addresses, telephone numbers, dates of birth, social insurance numbers, occupations, and, in the case of credit card applicants, their mothers’ birth names were copied. Account information wasn’t stolen.
The company failed to apply proper patches and software updates on the server holding the database, the decision also noted.
The trust company could appeal the decision to the Supreme Court of Canada. It had asked the appeal court to dismiss the lawsuit on technical grounds. One of them was that its website included this limited liability clause: “Your use of this Website is at your own risk.” It went on to say the trust company could not be liable for any damages suffered for a number of reasons including loss of data. The appeal court said whether and how far that clause applies will have to be decided separately.
What the appeal court decision didn’t deal with is the emerging civil wrong of invasion of privacy, or, in legalese, “intrusion upon seclusion.” That was first recognized by an Ontario court in 2012. Civil torts recognized in one province or territory aren’t binding on other jurisdictions in the country. They have to be recognized individually by courts in each jurisdiction, or by provincial law.
While the class action against Peoples Trust originally included allegations of breach of privacy and intrusion upon seclusion, the B.C. lower court judge removed them. The judge said those torts didn’t exist in the province because it has a provincial privacy law that victims must use. Neither side appealed that ruling to the Court of Appeal, so it didn’t have to comment.
But it did.
“It is, in some ways, unfortunate that no appeal has been taken” over the lower court’s ruling that took breach of privacy out of the suit, wrote Justice Harvey Groberman. He noted that B.C. courts haven’t directly dealt with the question. “In my view, the time may well have come for this Court to revisit its jurisprudence on the tort of breach of privacy.
“It may be that in a bygone era, a legal claim to privacy could be seen as an unnecessary concession to those who were reclusive or overly sensitive to publicity, though I doubt that that was ever an accurate reflection of reality,” he added. “Today, personal data has assumed a critical role in people’s lives, and a failure to recognize at least some limited tort of breach of privacy may be seen by some to be anachronistic.”
The question of whether the civil torts of breach of privacy or intrusion upon seclusion exist in addition to provincial privacy laws is also up in the air. In addition to B.C., Saskatchewan, Manitoba and Newfoundland have their own common law privacy legislation.
The decision caught the eye of Saskatchewan privacy lawyer David Krebs of the Miller Thomson law firm.
“It’s a signal that Canadian privacy law is moving in a certain direction, that a common law tort of privacy is here to stay,” he said in an interview Thursday.
“This is another indication that intrusion upon seclusion tort exists in Canada,” he added, perhaps giving lawyers an additional ground to sue companies in addition to negligence for data breaches.
Halifax privacy lawyer David Fraser of the McInnes Cooper law firm noted that the appeal court also supported the lower court decision to remove the proposal to sue the trust company for breach of confidence, that is, the claim that the data breach violated the confidentiality of the personal data it held. The court said that to succeed, a breach of confidence action had to prove that the trust company misused the information it held, but in this case there was no such evidence.
University of Ottawa law professor Teresa Scassa, who holds the Canada Research Chair in Information Law, noted that the appeal court also dismissed the trust company’s argument that the victims can’t sue under civil law because the federal Personal Information Protection and Electronic Documents Act (PIPEDA) — which, as a federally regulated organization, Peoples Trust has to follow — provides a resolution mechanism for complaints.
Most lawyers assume that, she said, but “it’s interesting that an appellate court says (PIPEDA) is not a complete code, it doesn’t preclude other avenues of recourse” such as suing for negligence.
Most class action lawsuits over data breaches so far have been settled out of court, Scassa said.