[BreachExchange] Mandatory breach notification in Canada has ‘potential to effectively cause’ class-action lawsuits: PCUC speaker

[Audrey McNeil]

http://www.canadianunderwriter.ca/insurance/mandatory-breach-
notification-canada-potential-effectively-cause-class-
action-lawsuits-pcuc-speaker-1004104574/

Impending changes to Canada’s Personal Information Protection and
Electronic Documents (PIPEDA) could “effectively cause more class-action”
lawsuits down the road because companies will be required to report
information security breaches that pose “a real risk of significant harm,”
a lawyer recently warned insurance professionals.

“Any time there is a privacy breach, within any organization, that has the
potential to create a real risk of significant harm to the individual, the
organization will be required to disclose that to the individuals
involved,” and to the federal Office of the Privacy Commissioner, said
Patrick Hawkins, who spoke at the November luncheon of the Property
Casualty Underwriters Club.

Hawkins is a partner with Borden Ladner Gervais LLP who has represented,
among others, healthcare organizations. At the PCUC luncheon, held Nov. 23
at the DoubleTree Hotel in downtown, Hawkins referred to the Digital
Privacy Act, Bill S-4, which was passed into law in 2015.

Tabled April 8, 2014 by British Columbia Conservative Senator Yonah Martin,
Bill S-4 makes several changes to PIPEDA. It would require firms to notify
people if their personal information has been lost “and there is a
potential to expose us to harm,” Joan Crockatt – at the time the
Conservative MP for Calgary Centre – said in the House of Commons in
October, 2014.

The breach notification requirement “will be brought into force only after
related regulations outlining specific requirements are developed and in
place,” a spokesperson for the Office of the Privacy Commissioner of Canada
told Canadian Underwriter this past January.

“We don’t have a timeline on when they are going to be in force,” Hawkins
said Nov. 23, 2016. “I will say my best guess is some time in 2017.”

The “overall objective” of the data breach notification regulations “is to
ensure that individuals are informed when their personal information has
been compromised and that they have been put at risk of harm as a result so
that they can take steps to protect themselves and mitigate the harm,” the
federal department of innovation, science and economic development states
on its website.

When there is a “real risk of significant harm,” the organization affected
by a data security breach would have to report that to the Office of the
Privacy Commissioner. When there is a breach “that poses a real risk of
significant harm,” to an individual, that individual would have to be
notified. Also – under the yet-to-be-passed regulations – organizations
would have to maintain records of such breaches.

“These particular changes are coming,” Hawkins said. “These are the ones
that have the potential to effectively cause more class actions down the
road.”

Hawkins told attendees there is a “growth industry” in class action
lawsuits alleging privacy breaches, due in part to the Court of Appeal for
Ontario ruling in 2012 in Jones v. Tsige. That ruling – which recognized a
common law tort of “intrusion upon seclusion”  – arose when the court
overturned an Ontario Superior Court of Justice decision dismissing Sandra
Jones’s lawsuit against Winnie Tsige. Jones and Tsige were co-workers at
the Bank of Montreal. Jones was also a customer. Tsige accessed Jones’ bank
records. In 2011, the Ontario Superior Court of Justice noted that Jones
had recourse under PIPEDA. It also  cited Euteneier v. Lee, a Court of
Appeal for Ontario ruling released in 2005 arising from a prisoner whose
clothing was removed by Halton Regional Police after she tried to hang
herself in jail. In Euteneier, the court noted that the plaintiff “conceded
in oral argument …. that there is no ‘free standing’ right to dignity or
privacy.”

But in 2012, in overturning the Superior Court of Justice’s dismissal of
Jones’ lawsuit against Tsige, the Court of Appeal for Ontario found that
changes in technology pose “a novel threat to a right of privacy that has
been protected for hundreds of years by the common law” and by the Canadian
Charter of Rights and Freedoms.

In the Digital Privacy Act, “significant harm is defined really broadly,”
Hawkins said at the PCUC luncheon. “It includes the potential for damage to
reputation. It includes the potential for financial loss, identity theft,
negative effects on credit records.”

Before Bill S-4 was tabled, a private member’s bill proposing mandatory
breach notification was defeated. The private member’s bill – Bill C-475 –
would have changed PIPEDA to require organizations having personal
information under their control to notify the federal privacy commissioner
“of any incident involving the loss or disclosure of, or unauthorized
access to, personal information, where a reasonable person would conclude
that there exists a possible risk of harm to an individual as a result of
the loss or disclosure or unauthorized access.”

Bill C-475 was tabled by Charmaine Borg, an NDP MP from 2011 to 2015. In
2013, Ed Holder – former president of Stevenson & Hunt Insurance Brokers
Ltd. and then Conservative MP for London West – warned fellow MPs that
 Bill C-475 would “require organizations to report to the Privacy
Commissioner every data breach posing a possible risk of harm.” He
suggested at the time this could result in “notification fatigue” among
consumers.

“On the health care side there has been mandatory notification of
individuals since 2004,” Hawkins said Nov. 23. “We have seen the notice
often creates the complaint and leads to a class action.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161229/02db0e5d/attachment.html>