Cyber Risk: Current Landscape of Personal Information and Privacy Liability in Canada

February 1, 2024

Jill M. Shore & Danielle Volpatti

Rev. February 2024

ABSTRACT: In the last five years, Canada has experienced increased litigation involving data breaches. Confidential personal and corporate information is at risk from a variety of threats ranging from the exploitation of big data to administrative error, workers’ misconduct and criminal hackers. Affected individuals have a number of common law and statutory tools available to seek compensation in court following a breach. In order to minimize their potential exposure, organizations must become knowledgeable about the field of cyber liability, take precautionary actions to prevent breaches, and if data breaches occur, know how to appropriately mitigate the consequences through identification, containment, notification and documentation.

The Growing Need for Client Data Protection

Data breaches are becoming strikingly frequent, and the legal and financial risk to organizations that collect, store and use personal data is increasing. Canada is seeing more data breach cases being brought before the courts, creative litigation strategies being tested, and legislative amendments to privacy laws being developed.

According to a 2023 study by the Ponemon Institute LLC and IBM, lost or stolen records could cost a Canadian organization an average of CA $6.94 million per incident. This is a small improvement from last year’s CA $7.05 million, but Canadian companies still pay the third-highest data breach costs in the world.

This has led to a surge of interest in cyber insurance policies to mitigate such risks. In an article published October 18, 2023, Lloyd’s reported just over $9 billion in gross written premiums in 2022, and forecast that premiums will reach between $13 billion and $25 billion by 2025.

Comprehensive protections for personal information are no longer an optional practice. The likelihood of a breach, potential exposure to financial loss, and possibility of legal action has become an impending reality for the average Canadian business.

In this paper, we survey some of the current features of and recent developments in the landscape of Canadian cyber liability and cyber insurance, including recent and pending statutory amendments and key cases. For more information or to discuss any questions, please contact the lawyers of our Cyber and Privacy Liability practice group.

Types and Causes of Client Data Breaches in Canada

The most common type of cyber attack in Canada between March 2022 and March 2023 was phishing, representing 17% of breaches. Other common types, in descending frequency, included: stolen or compromised credentials, cloud misconfiguration, business email compromise, physical security compromise, social engineering, malicious insiders, and accidental data loss or stolen device. Malicious insider breaches, while only making up 8% of data breaches, were the most financially devastating – costing $7.98 million per incident.

The root causes behind these events include administrative error, workers’ misconduct, and criminal hacking, as well as the exploitation of big data and corporate profiteering, i.e., companies’ collection of large amounts of personal information from their clients or third parties and the use or disclosure of that information for profit without the prior valid consent of these individuals. Lawsuits flowing from these types of cases are typically brought as class actions.

Often, data breach cases arise as a result of an administrative error. An organization may disclose personal or sensitive information by accidentally sending it to the wrong address, misplacing it, or losing it. Depending on the type of administrative error, resulting lawsuits may give rise to individual claims or class actions.

Workers’ misconduct cases occur when employees, former employees or contractors (aka malicious insiders or “turncloaks”) take or access the personal or sensitive data of colleagues, customers, or other third parties without authorization, for their own private use or profit, which may or may not involve criminal intent. Litigation flowing from workers’ misconduct cases usually includes claims against the employee, as well as claims for vicarious liability against the employer for the conduct of that employee.

Cyber breaches resulting from criminal hacking (which includes phishing, ransomware, etc.) occur when third parties breach an organization’s computers or network and use the illegally obtained information to gain a profit, send a moral message to the organization or the public, or generally cause a disruption to the affected organization or individuals. These types of cases often involve criminal conduct and make it more likely that fraud, identity theft or property damage will occur, which can result in higher damages.

A challenge for class actions that seek more than nominal damages is proving pecuniary or quantifiable damages if no fraud or identity theft has occurred. Prior to July 2020, class action plaintiffs could overcome this hurdle by alleging waiver of tort. Waiver of tort was pleaded in cases where a plaintiff’s only recourse was to seek disgorgement of profits because although they could prove conduct akin to negligence, they could not prove such conduct resulted in any actual damage to the class members. Claims for waiver of tort were successfully certified under the lower standard at certification, but the Supreme Court of Canada’s seminal decision in Atlantic Lottery Corporation Inc. v. Babstock concluded that waiver of tort is not a free-standing cause of action.

Punitive damages, however, still play an important role as the focus shifts from the harm suffered by the plaintiffs to the wrongful conduct of the organization.

Statutory Causes of Action that Protect Client Data

Three different types of statutes in Canada may provide a legal remedy to victims of a data breach: personal (and health) information protection statutes, such as the federal Personal Information Protection and Electronic Documents Act SC 2000, c. 5 (“PIPEDA”) (including proposed reforms under Bill C-27 and provincial laws deemed to be substantially similar); provincial Privacy Acts that provide a statutory right of action for breach of privacy in certain provinces; and a right to sue for damages under the federal Canadian Anti-Spam Legislation, SC 2010, c. 23 (“CASL”). Each category is discussed separately below.

PIPEDA and Bill C-27

PIPEDA regulates the collection, use and disclosure of personal information by private organizations, and creates a remedy where such information is collected, used, or disclosed without a person’s consent. The Office of the Privacy Commissioner of Canada is authorized to investigate complaints about the misuse or mishandling of such personal information, and if it concludes the complaint has merit, affected individuals may sue in Federal Court for damages. PIPEDA applies across Canada, unless a province has enacted legislation deemed to be substantially similar to PIPEDA. To date, only British Columbia, Alberta, and Quebec have substantially similar legislation applicable to the private sector at large, and Ontario, Newfoundland and Labrador, New Brunswick, and Nova Scotia have enacted substantially similar legislation applicable to health information. Further, Alberta and British Columbia have passed privacy laws that protect employee information. Separate information protection legislation applies to personal, health, and/or employment information held by federal and provincial governments and other public bodies.

Under PIPEDA, organizations are subject to strict breach notification requirements. In the event of a breach, organizations must notify, as soon as possible, the federal Privacy Commissioner, all affected individuals, and any third parties that could mitigate the loss. Notification obligations are triggered when there is a “breach of security safeguards” that could reasonably create a “real risk” of “significant harm” to an individual. Further, organizations must keep a record or security breach log of any and all data breaches involving personal information. Fines up to $100,000 may be levied if an organization knowingly fails to report a data breach or fails to keep a security breach log.

In June 2022, the Federal Government proposed amendments to modernize federal privacy law in response to emerging technologies and increased risks. The long-debated Bill C-27 (i.e., the Digital Charter Implementation Act, 2022), now at the committee stage, proposes to introduce three new pieces of legislation addressing consumer privacy rights (the Consumer Privacy Protection Act), electronic documents (the Electronic Documents Act), and artificial intelligence (the Artificial Intelligence and Data Act).

The Artificial Intelligence and Data Act (“AIDA”) is facing particular pressure for approval. AIDA and its currently proposed amendments are designed to place “critical guardrails around AI” to ensure safe and responsible deployment. The planned amendments would regulate both widely used “general-purpose” AI systems (e.g., ChatGPT) and “high-impact” systems (e.g., those using biometric data for identification purposes, health care, emergency services, etc.).

On October 17, 2023, the Minister of Innovation, Science and Industry, François-Philippe Champagne, presented to the Standing Committee on Industry and Technology during the Committee’s deliberations on Bill C-27. He stressed the importance of avoiding further delay in regulating AI through the AIDA: “AI technology already permeates our society, it will be difficult to change expectations or retrospectively address harms that have already occurred”.

If approved and enacted, AIDA would clarify obligations of different actors across the AI value chain, and delineate responsibilities over high-impact AI systems between those who develop them, those who make them available, and those who manage their deployment.

Provincial Privacy Acts

British Columbia, Saskatchewan, Manitoba, and Newfoundland and Labrador have each enacted a Privacy Act, which provides another legislated means for plaintiffs to seek damages. These Acts create a separate statutory cause of action premised upon a breach of a right to privacy, which is not restricted to the protection of personal information. The provincial statutory claims for privacy breach require that the act leading to the breach of privacy be intentional. Proof of economic loss or other specific harm is not a prerequisite for liability or damages.

Canada’s Anti-spam Law (CASL)

CASL is a statute that regulates electronic communications for commercial purposes (i.e., by way of text, email, photos, websites, etc.). It also prohibits a wide range of commercial electronic activity including the alteration of transmission data in an electronic communication, the installation of computer programs without consent, the use of false or misleading statements online to promote a business interest or product, the collection of an electronic address obtained by way of computerized data mining, and the collection of personal information obtained from a computer system by way of a violation of federal law, unless narrow exceptions apply. A person who breaches the statute faces potential regulatory investigation and significant “administrative monetary penalties”.

Common Law Causes of Action that Protect Client Data

Common law causes of action provide another means for individuals to seek compensation after a data breach. Outside of British Columbia, the tort of intrusion upon seclusion may apply. This tort, recognized by the Ontario Court of Appeal in Jones v. Tsige in 2012, provides a common law cause of action that permits a plaintiff to recover up to $20,000 in damages without having to demonstrate that any pecuniary loss was incurred. Liability arises only where the invasion of privacy is intentional or reckless, lacks legal justification, and would be considered offensive to the reasonable person.

Notably, a plaintiff can only claim the tort of intrusion upon seclusion against the actual intruder and not an organization holding the information intruded upon. In November 2022, the Ontario Court of Appeal released a decision after hearing three grouped appeals, concerning three different classes seeking to certify claims of intrusion upon seclusion. The plaintiffs in each action sought to apply intrusion upon seclusion to defendant organizations who collected and stored information for commercial purposes, and who failed to take adequate steps to protect the information from third-party hackers. The Court concluded that intrusion upon seclusion cannot be a basis for liability against an organization defendant who is not itself an “intruder”. A key element of the test for intrusion upon seclusion is the state of mind requirement, which says the defendant must be intentional or reckless in engaging in the prohibited conduct. The prohibited conduct is the intrusion on privacy. Therefore, to say that an organization was reckless in failing to guard such information misapplies the test: the relevant conduct at issue is not the failure to guard against such an intrusion, it is the intrusion itself.

The tort of public disclosure of private facts was applied in the privacy context in Jane Doe 464533 v. D., a 2016 Ontario “revenge porn” case. This tort may provide a remedy where a public disclosure of a private fact has occurred, the act of the publication is highly offensive to a reasonable person, and the matter is of no legitimate concern to the public. In the Jane Doe case, the court awarded much higher non-pecuniary damages despite the cap set in Jones v. Tsige for non-pecuniary losses, due to the sensitive subject matter and psychological effects on the plaintiff. However, with no appellate authority to date confirming the existence of the tort of public disclosure, it has yet to cement its place in our jurisprudence as a free-standing cause of action.

In addition to these specific privacy-related torts, individuals affected by a data breach may have valid legal claims arising from a breach of contract, negligence, breach of confidence, breach of fiduciary duty, or breach of trust on the part of the holder of the data. Claims in Canada have also been advanced alleging the torts of conversion and breach of bailment. With respect to all of these various causes of action, if the data breach arose as a result of an employee’s misuse of information made available through the course of employment, a plaintiff may be able to hold the employer organization vicariously liable.

Case Studies

The decision in Karasik v Yahoo! Inc. concerned a motion to approve the settlement of a national class action arising from data breach by third party hackers. The action had been certified in Ontario. Parallel proposed class actions were pending in other provinces including British Columbia, Alberta, and Saskatchewan.

Counsel in the Saskatchewan action objected to the settlement and, because of this contention, the Court found it necessary to do a deep dive into the case law on privacy breach class actions. The Court described these actions as “a burgeoning genre of cases but nascent because, although many cases have been certified, none have yet proceeded to a trial.”

The Court’s research yielded 36 reported privacy class actions from 2000 to 2021. The five main fact patterns arising from privacy suits are as follows: lost information falling into the hands of someone who uses it for a malign purpose; information stolen by an employee and misused (i.e., a malicious insider); violation of statutes in the handling of personal information; outside criminal hackers; and the failure to disclose the receipt of unlawfully obtained information and the use of such information.

The main causes of action advanced in the above cases were:

  1. breach of confidence;
  2. breach of contract;
  3. breach of fiduciary duty;
  4. breach of s. 7 of the Canadian Charter of Rights and Freedoms;
  5. breach of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and/or the Privacy Act;
  6. breach of provincial privacy legislation;
  7. invasion of privacy;
  8. negligence; and
  9. unjust enrichment.

Of the 36 reported cases, 27 had been certified or authorized, a certification success rate of 80%. None of the 36 reported cases had yet produced trial decisions, but 11 reached settlement approvals. The Court noted that the sampling of settlements in the above cases reflects very modest per capita recoveries, almost to the point of being nuisance awards, which may be due to the difficulty plaintiffs face in establishing specific causation. Unless and until a trial determination yields a more than nominal award of general damages, it is likely that defendants will continue to lean on their causation defences, rebuffing any expectations of enormous payouts.

In the case before it, the Court commented on the strong bargaining position of the defendant, given the nascent case law and the absence of actual financial harm. In the Court’s opinion, the settlement responded appropriately to these risks. The Court ultimately approved the settlement, finding it to fall within the zone of reasonableness.

The sampling of cases reviewed by the Court in Karasik highlights the imbalance between a plaintiff’s advantages at certification, and the formidable obstacles they face after, in establishing both liability and harm. Further, the strong bargaining position held by organizational defendants in privacy and cyber breach class actions has arguably increased since the Karasik decision because of the Ontario Court of Appeal’s 2022 trilogy appeal decision that the tort of intrusion upon seclusion cannot be claimed against defendants who are not the actual intruder.

Actions Organizations Can Take to Minimize the Cost of a Data Breach

Although a data breach can be extremely costly to an organization of any size, the impact of the breach can be minimized by adopting mitigation strategies early in the process. The 2023 Ponemon data breach study found three main factors can reduce the per capita cost of data breach: adoption of a DevSecOps approach (i.e., integrated security testing in the software development process), employee training, and incident response planning and testing.

Following a breach, an organization needs to take immediate action to identify, contain, and document the breach, and notify appropriate parties, which may include law enforcement, Privacy Commissioners, and/or affected individuals. Identifying the nature and extent of the data loss, as well as containing the breach and securing the organization’s networks to prevent any further loss or unauthorized access should be a top priority. In most cases, organizations should immediately contact a forensic technological support service provider to help identify the cause and scope of the breach, determine the nature of the data affected, secure the organization’s networks and data from further loss or intrusion (which will help minimize reputational losses and business interruption claims), and preserve electronic evidence to prove what happened and how.

Prompt identification of the cause and containment of the breach may also affect the insured’s legal obligations and defences. Due diligence is a defence in proceedings before a Privacy Commissioner, and may also be a defence to any ensuing lawsuits. In other cases, the cause of the breach may confer recovery rights against other parties, such as an internet provider or computer services firm that failed to provide or maintain appropriate security measures. Organizations may need legal advice to identify which jurisdiction’s laws may be triggered and what is required to comply with them, and to ensure that the organization’s interests are being protected with a view to defending against any ensuing litigation or regulatory investigation.

Given the risk of litigation flowing from a data breach, and the potential for regulatory investigation, legal counsel should be retained immediately to assist with investigations, evidence preservation, documentation of the breach, and legal representation before the Privacy Commissioner and courts (as needed), as well as ensure the organization’s compliance with any applicable statutory timelines.

The particular legal, accounting, technical, public relations or other consulting services an organization will require following a data breach event will depend on the circumstances of the breach and the nature of the business. Costs for such services can be substantial.

Conclusion

Personal information and privacy liability in Canada is a growing field giving rise to an increasing number of significant lawsuits. Organizations that collect, use and disclose personal information should be mindful of the requirements and risks of handling such information. While the occurrence of a data breach may not always be predictable, organizations that handle personal information must recognize their vulnerabilities and ensure that adequate preventative and post-breach systems are in place in order to reduce the financial and legal exposures if a breach occurs. The consequences of a breach are amplified if an organization’s response to the breach is handled poorly. Regardless of the size of the organization, a data breach can cause immediate harm to an organization’s senior management, bottom line, clients, and reputation, and the negative effects of a data breach can continue to impact the business and its clients for years to come.
