Cybersecurity: Heightened legal, regulatory and reputational risks

Author(s): Michael Fekete, Adam Kardash, Christopher Naudie

Dec 9, 2015

In 2015, there was a flurry of legal and regulatory developments in the Canadian privacy and data management arena, highlighted by privacy class actions, Canadian anti-spam law (CASL) enforcement activity, and key amendments to Canada’s private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA). Collectively, these developments have heightened the need for Canadian organizations to enhance their data governance programs to mitigate an expanding array of legal, regulatory and adverse publicity risks.

We expect 2015 will be viewed as a watershed year in Canadian privacy law. The willingness of the courts to provide an expansive view on the availability of class proceedings to privacy-related matters, the commencement of new class proceedings involving privacy breaches (including proceedings related to the much-publicized data breach involving the Ashley Madison website), the imposition of significant monetary penalties under CASL, and the enactment of PIPEDA’s security breach notification requirement (which will come into effect once regulations are passed, likely in 2016) have significantly altered the Canadian privacy and data management landscape.

Privacy Class Actions

There are private remedies in Canada under statute and at common law to recover damages for invasions of privacy, and in 2015, the courts in Canada issued a number of noteworthy judicial decisions that appear to have created a favourable environment for class proceedings.

In particular, the courts have granted class certification in a number of important privacy cases, and the courts have also found the existence of a broad jurisdiction to grant extra-territorial remedies over online businesses. In light of these and other developments, it has now become commonplace for a business that has experienced a data breach to face multiple and parallel class proceedings in Canada and the United States that seek an aggregate award of damages.

The following developments from 2015 will have considerable risk management implications for domestic and foreign companies that are in the possession or control of personal information of Canadian residents:

  • In 2015, the courts in Canada certified a number of significant class proceedings in respect of data breaches. In Condon v. Canada, the Federal Court of Appeal upheld the certification of a class action against the federal government relating to the loss of a hard drive by Human Resources and Skills Development Canada. In John Doe and Suzie Jones v. Canada, the Federal Court also certified a class proceeding against the federal government relating to disclosures of the identities of participants in the federal government’s medical marijuana program. The outcome of these cases suggests that under the right circumstances, the court will certify classes and authorize collective relief for damages against organizations (including governments) that are allegedly reckless in maintaining and safeguarding personal information.

  • On the heels of their success in arguing class certification in these and other cases, the plaintiffs’ bar in Canada launched a number of new class actions in 2015, including class actions in respect of data breaches caused by third-party hackers (such as the class action against Avid Media for the data breach of the Ashley Madison website), as well as for the alleged misuse of customer data by companies themselves (such as the $750 million class action against Bell for its relevant ads program). The plaintiffs’ bar has become more active and competitive in light of their recent successes, and we can expect further new filings in 2016.

  • In 2015, the Ontario Court of Appeal released a significant decision that removed a major barrier to private class action litigation in the health care sector. More specifically, in Hopkins v. Kay, the Ontario Court of Appeal rejected an argument that the Ontario Personal Health Information Protection Act (PHIPA) was a comprehensive code that precluded tort claims for invasion of privacy. The Supreme Court of Canada denied leave to appeal this decision. As a result, it is now open for individual and class plaintiffs to pursue claims and to seek damages beyond the limited restitutionary provisions in PHIPA.

  • In a decision that stands in sharp contrast to Hopkins v. Kay, the B.C. Court of Appeal released an important decision (Ari v. Insurance Corporation of British Columbia) that limited the scope of common law remedies for the invasion of privacy in the province of British Columbia. In particular, on a motion to strike part of a class action involving alleged unauthorized access to and use of personal information by a “rogue” employee, the B.C. Court of Appeal held that the Freedom of Information and Protection of Privacy Act is a comprehensive statute, and there is no cause of action in negligence for breach of the statute. However, the Court refused to strike a claim under the B.C. Privacy Act for vicarious liability against the employer, ICBC, for the actions of its employee.

  • In its certification decision in John Doe and Suzie Jones v. Canada, the Federal Court held that there was a viable cause of action for the novel tort of “publicity given to private life.” This particular tort is recognized in numerous U.S. states, but it has not yet been widely recognized in Canada. In addition, in a departure from the usual rules of civil litigation, the Court authorized the use of pseudonyms to protect the privacy of representative plaintiffs in privacy cases to facilitate access to justice.

  • In Equustek Solutions Inc. v. Google Inc., the B.C. Court of Appeal upheld an extraordinary injunction against the world’s leading online search engine. Further details regarding this case are provided in the article entitled “Canadian courts’ jurisdiction: How long is the “long arm of the law”?”

  • Finally, in Douez v. Facebook, Inc., the B.C. Court of Appeal dismissed a proposed privacy class action against Facebook by enforcing a forum selection clause in favour of the courts of California. Further details regarding this case are provided in the article entitled “Canadian courts’ jurisdiction: How long is the “long arm of the law”?”

CASL Enforcement Activity

CASL is perhaps the most stringent anti-spam legislation in the world. Phase 2 of CASL, which imposes strict consent and notice rules covering the installation of computer programs, came into effect on January 15, 2015. The first phase of CASL, which came into force on July 1, 2014, imposed similar requirements in respect of the sending of commercial electronic messages (CEMs).

The penalties for non-compliance are potentially severe: organizations can be subject to administrative penalties of up to $10 million and a private right of action for damages of up to $200 per contravention of the legislation. This private right of action is scheduled to come into force on July 1, 2017.

The Canadian Radio-television and Telecommunications Commission (CRTC) announced a number of enforcement proceedings in 2015. The CRTC issued a Notice of Violation, including a penalty of $1.1 million, against Compu-Finder for sending CEMs without the recipients’ consent and without a properly functioning “unsubscribe” mechanism. In addition, Plenty of Fish agreed to pay $48,000 and Porter Airlines Inc. agreed to pay $150,000 as part of separate undertakings with the CRTC for alleged violations of CASL’s CEM rules. Most recently, Rogers Media agreed to pay $200,000 as part of an undertaking to the CRTC on the basis that the company had allegedly sent CEMs to customers that contained an “unsubscribe” mechanism that did not function properly.

Enforcement of CASL by the CRTC will continue through 2016 and beyond.

We also expect CASL compliance efforts to increase in 2016, as companies seek to mitigate the class action risk associated with the private right of action under the legislation.

Amendments to PIPEDA

Amendments to PIPEDA came into effect in June 2015. Among other things, the amendments include:

  • a security breach notification requirement, which mandates notification to the Office of the Privacy Commissioner of Canada, affected individuals and other organizations in the wake of a security incident involving a “real risk of significant harm” to affected individuals

  • offences related to the contravention of the security breach notification requirements

  • a concept of “valid consent” for the collection, use and disclosure of personal information

  • exceptions to the consent requirement, including for administering the employment relationship, and for certain investigations

  • new powers for the Privacy Commissioner to enter into compliance agreements

In response to these privacy law developments of the past year, Canadian organizations should enhance their data governance programs in 2016 to mitigate the legal, regulatory and adverse publicity risks associated with this evolving landscape.