[BreachExchange] Class-action lawsuit claims city shared personal information of 3, 700 employees
Destry Winant
destry at riskbasedsecurity.com
Wed Oct 4 23:15:44 EDT 2017
http://calgaryherald.com/news/local-news/class-action-lawsuit-claims-city-leaked-personal-information-of-3700-employees
In a statement of claim filed in Calgary Court of Queen’s Bench, the
law firm Higgerty Law is seeking an estimated $92.9 million in damages
against the city.
The claim also seeks a further unspecified amount in punitive,
exemplary and aggravated damages.
“In the course of their employment, the class members provided the
city with certain of their personal information in confidence and for
restricted purpose and use,” an amended copy of the lawsuit filed
Tuesday says.
“Such personal information included but was not limited to address,
date of birth, Alberta Health Care Number, Social Insurance Number,
employment income information, employee identification and business
unit numbers and medical records,” it states.
The personal information also included “records related to their
status as employees covered by . . . Workers Compensation Board of
Alberta.”
It says the documentation “included very personal and sensitive
information pertaining to the class members, including their medical,
employment and financial information.”
On June 14 or 15, an unidentified city employee disclosed the personal
information to an employee at another Alberta municipality, the claim
alleges.
“That disclosure was by unencrypted electronic transmission, via email
to both an employment and personal email address,” the statement of
claim says.
“Such disclosure was without the consent of the class members and
therefore constitutes a breach of privacy and confidence against each
of the class members.”
It says the city has alleged the privacy breach was made by the
unidentified individual “for the purposes of receiving technical
assistance, which was not a use of the personal information purpose
for which it was collected or compiled or for use consistent with that
purpose.”
“Further, the privacy breach was an unreasonable invasion of the class
members’ personal privacy.”
It says the city and the unnamed employee breached their duty to keep
the information private.
The fact the information was transmitted unencrypted “makes the
illicit use of personal information easier to undertake and therefore
exposing the class members to an exponentially higher risk of identity
theft and financial fraud.”
Because of the leak, the impacted employees will have to carefully
monitor their own credit and bank account activities for fraudulent
behaviour, it says.
The leak means the employees face potential humiliation and “exposure
to potential harm and harassment,” the claim states.
A statement of defence disputing the unproven allegations has not been filed.
City spokeswoman Vickie Megrath said the city hasn’t been served legal
documents, so couldn’t comment.
More information about the BreachExchange
mailing list