Privacy and information security, including cybersecurity, now rank among the top enterprise-wide risk management issues facing organizations in both the private and public sectors in Canada. Legal risk is currently one of the most important drivers in this area, with the potential for significant liabilities and costs.
The legal landscape for privacy and information security has changed dramatically in recent years. Previously, a privacy or information security incident would often result in a complaint to a privacy commissioner. The outcome in many of those cases was a non-binding set of recommendations which did not identify the organization. Legal risk and reputational risk were thus usually relatively minimal.
In addition, claims against organizations were very rarely pursued in the courts and typically did not result in damages being awarded. Nor were class action claims pursued. Early cases made it difficult for plaintiffs to recover damages in the absence of egregious circumstances and actual harm (e.g. identity theft or fraud). In addition, in the relatively few cases where damages were awarded, the amounts were modest (all less than $5,000 for individual claimants).
Against this background, since late 2013 in particular, Canada has seen a significant increase in litigation activity, class action certifications, and the potential for staggering damage awards for privacy and information security incidents. In a related area, Canada's anti-spam law has heightened the legal risks and monetary penalties associated with commercial electronic messages and computer programs. The second enforcement action under this law resulted in a $1.1-million monetary penalty.
Lessons learned
The following key take-aways have emerged from the current body of decided cases and pending litigation in the table of cases below:
All organizations face potential privacy and information security legal risk
Public sector institutions and the health, retail and financial sectors have unquestionably faced some of the greatest risks, given the sensitivity of the information they process. However, it is important to be mindful of the fact that all organizations hold personal information about their employees, as well as sensitive business information (including information relating to other organizations). Risks and claims have arisen in each of these areas, including through the use of service providers.
Risks can arise from unauthorized organizational uses of information, not just hacking and cybersecurity incidents
Many of the current litigation claims of course involve privacy and information security "breaches" of electronic and paper information, in the ordinary sense of the word – i.e., hacking, lost or stolen hard drives and USB keys, rogue employees and snoopers. However, litigation has also arisen, and class actions have been certified, in respect of otherwise ordinary business uses of information, for example, on the basis that it may be a "breach" for an organization to use information for a business purpose without obtaining proper consent.
Preparedness, detection and breach response are crucial.
Courts and privacy regulators recognize that nobody is perfect. The fact that a breach has occurred does not by itself mean that there is legal liability. Organizations can mitigate or eliminate the risk of liability, and the risk of damages, by implementing appropriate policies and procedures, outsourcing practices, training, detection systems, safeguards and incident response. In a number of cases, liability for a breach was avoided where such measures had been implemented. On the other hand, it is important to note that an inadequate response to a breach can translate directly into legal liability. In a number of cases, plaintiffs have sought damages in respect of the organization's response to an incident, in addition to the initial breach itself.
Conclusions
The current trend of increased legal risk for privacy and information security in Canada is almost certain to continue. With the promise of significant damage awards for a breach of privacy itself, without the need to prove additional harm, plaintiffs will likely continue to bring litigation claims and class proceedings in increasing numbers.
Settlements in these cases are expected to be driven by the potentially staggering liability at trial should a claim succeed, as well as defendants' likely desire in many cases to avoid sweeping and invasive litigation discovery of their privacy practices (e.g. based on allegations that they put profit before privacy).
The anticipated introduction of a breach notification requirement in Canada's national data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA), is likely to fuel increased litigation and regulatory complaints in Canada, as it will require organizations to give notice of breaches. Although many organizations currently provide voluntary breach notices for reputational and legal risk management reasons, a mandatory requirement in PIPEDA is expected to result in increased awareness of the need to notify and, ultimately, in a greater number of notifications.
Finally, in addition to potential liability to pay significant damages to third parties who are affected by privacy and information security incidents, there are often considerable costs associated with avoiding, preparing for and responding to such incidents, including in defending lawsuits and regulatory investigations. These liabilities and costs have increased interest in cyberliability insurance in Canada over the past year, which is expected to continue as organizations and service providers grapple with the evolving risks.
About the Author
Alex Cameron is a partner with Fasken Martineau in Toronto.