The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Saturday, May 30, 2009
According to CTV News, a Quebec movie theatre has been held liable for $10,000 in damages after it searched a family's bags (ostensibly for video recording equipment) and exposed the eldest daughter's birth control pills to her unknowing parents. See: CTV.ca Cinema ordered to pay $10K in damages for search.
(Before extending this decision to the rest of Canada, remember that the private right of damages for privacy invasion is different in Quebec.)
Saturday, April 05, 2008
(I couldn't resist.)
Mr. and Ms. Boring of Pittsburgh are suing Google for intentional invasion of privacy since Google's Street View feature shows a picture of their home despite the fact that their street is marked as a private road. The Smoking Gun has the facts and their pleadings:
Couple Sues Google Over "Street View" - April 4, 2008
If you look at the pictures of their property, you might think that if the Borings were concerned about their privacy they would have put a fence around their pool. I'm just saying ...
APRIL 4--A Pittsburgh couple is suing Google for invasion of privacy, claiming that the web giant's popular "Street View" mapping feature has made a photo of their home available to online searchers. Aaron and Christine Boring accuse Google of an "intentional and/or grossly reckless invasion" of their seclusion and privacy since they live on a street that is "clearly marked with a 'Private Road' sign," according to a lawsuit the couple filed this week in Allegheny County's Court of Common Pleas. A copy of the April 2 complaint can be found below. According to the Borings, they purchased their Oakridge Lane home in late-2006 for "a considerable sum of money," noting that a "major component of their purchase decision was a desire for privacy." But when Pittsburgh was added last October to the roster of cities covered by Google's "Street View" feature, the Borings allege, their "private information was made known to the public," causing them "mental suffering" and diminishing the value of their home (which cost the couple $163,000, according to property records). The Borings are seeking in excess of $25,000 in damages and want a court order directing Google to destroy images of their home. Click here for some photos of the Boring property, which is now even easier to locate via Google Maps, since the plaintiffs included their home address on the lawsuit's first page. And while they are litigating, perhaps the Borings should consider suing Allegheny County's Office of Property Assessments, which includes a photo of their home (which was built in 1916 and sits on 1.82 acres) on its web site. Here's a screen grab. (8 pages)
UPDATE (2008.04.06): The Wall Street Journal's Law Blog has a response from Google:
There is no merit to this action. It is unfortunate litigation was chosen to address the concern because we have visible tools, such as a YouTube video, to help people learn about imagery removal and an easy-to-use process to facilitate image removal.
As a matter of policy, imagery for Street View is taken in public streets and what any person can readily capture or see in the public domain. Street View is a popular, engaging feature that allows people to easily find, discover, and plan activities relevant to a location.
What's most interesting -- at least from my perspective -- is that this argument doesn't hold much water in Canada. Up here, there are two different privacy laws. There is some caselaw that's similar to tort law in the US suggesting that you can sue for invasion of privacy, if there's been an "unreasonable invasion of privacy". In the US, there is no expectation of privacy in the streets or in a public place and, other than in Quebec, that's probably the law in Canada. The second law is PIPEDA, which is a separate statute that governs all collection, use and disclosure of personal information in connection with commercial activity. Since Google's doing commercial activity, the law requires consent for the collection and disclosure of personal information. (There's some serious doubt that the photo of your house without any other information would be your personal information.) Since street view often includes photos of people, Google would require consent to use those photos for commercial purposes. Since the Google street sweepers do not get consent, there's no easy way to have street view in Canada.
I expect that Google will have technology to blur out individuals so they can take street view to Canada and other jurisdictions where privacy laws would prohibit photos of pedestrians.
Thursday, August 23, 2007
A plaintiff seeking compensation for having personal information compromised has to face the hurdle of needing to prove damages. Under a conventional cause of action for negligence, harm is an essential element. If there is no harm, there's no negligence. No negligence, no cash. Just a risk of harm or an increased risk of harm is not enough.
This was recently affirmed by a US federal appeals court, which denied a class action brought following the release of personal information of customers of Old National Bancorp. See Wired's coverage:
Threat Level - Wired Blogs
Tens of thousands of Old National Bancorp customers whose personal and financial information was hijacked by a computer hacker cannot recover damages from the Indiana banking institution who lost the data in 2005, a federal appeals court ruled Thursday.
In dismissing a proposed class action against Old National Bancorp, the 7th U.S. Circuit Court of Appeals said damages were unavailable to victims of data theft if those victims did not suffer economically.
The three-judge panel of the circuit, mirroring decisions of federal courts in Ohio, Minnesota, Arizona and Michigan, ruled (.pdf): "Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy."
The plaintiffs did not allege direct financial loss and did not claim they had been the victim of identity theft. They alleged they suffered "substantial potential economic damages" and demanded compensation for emotional harm out of fear they would suffer economic damages by those who stole their information.
The bank's customers also demanded a "monitoring procedure to insure prompt notice to plaintiffs of any attempt to use their confidential personal information stolen from the defendants."
The appeals court also ruled that the law in Indiana, where the bank is located, did not protect the customers either.
"Had the Indiana Legislature intended that a cause of action should be available against a database owner for failing to protect adequately personal information, we believe that it would have made some more definite statement of that intent," the court wrote.
The court added that the plaintiffs "have not come forward with a single case or statute, from any jurisdiction, authorizing the kind of action they now ask this federal court, sitting in diversity, to recognize as a valid theory of recovery under Indiana law."
The court noted that the investigation into the security breach was under seal. But the judges added that "the scope and manner of access suggests that the intrusion was sophisticated, intentional and malicious."
Sunday, April 08, 2007
This is an interesting development.
An Australian court has awarded damages for breach of privacy following the revelation by the Australian Broadcasting Corporation of the identity of a rape victim. This is important to Australia, but may also have a secondary effect here in the great white north, as Canadian courts are relatively open in citing and following other common law decisions. For the full scoop, check out Open and Shut: Victorian Court awards damages for breach of privacy.
Thursday, February 08, 2007
In most cases of fraud following a security breach, the biggest problem for consumers seeking a remedy is proving the connection between the breach and the ensuing fraud. According to CIO Blogs, the TJX breach is different and a small bank in New England has made the connection. It has found the smoking gun and says it will seek damages against the company.
This may be the wakeup call that will force companies to be more diligent about security. See: CIO Blogs - The TJX security breach. This one's different. Way different.
Thanks to John Gregory for the link.
Friday, January 26, 2007
The second (that I know of) conviction under Canada's new voyeurism laws took place yesterday in Halifax.
The Daily News: News Former sailor pleads guilty after trying to videotape neighbour
LINDSAY JONES The Daily News
CRIME – A former sailor has pleaded guilty to trying to videotape a woman while she was changing in her own apartment.
In August of 2006 the woman was getting dressed in her walk-in closet when she spotted a video camera in the window pointed towards that part of the room. She was changing in the closet because her window was only partially covered by a blanket.
Karlson Glen Chaulk, who had been in the armed forces for nearly seven years, lived in the apartment above her. The two did not know each other, the court heard.
The woman called police and Chaulk admitted to committing the offence. He asked police if there was any way to make it go away, the court heard. Police found no images on the video camera.
Chaulk has two previous convictions, for impaired driving and possessing narcotics.
The court heard the victim moved from the residence because she no longer felt safe, costing her her damage deposit and moving expenses.
Chaulk told the court he was “truly sorry” for his actions and promised it would never happen again. “I do realize now that I shouldn’t have conducted myself in the way I did with the camera,” he said.
Judge Michael Sherar said not only is the charge sad and juvenile, but also deplorable. He asked Chaulk what he intended when he surreptitiously looked into someone else’s apartment. He also outlined how everyone has the right to privacy in their own home.
Chaulk has since resigned from the Defence Department and plans to move to Alberta tomorrow.
He was sentenced in Halifax provincial court yesterday to 90 days probation, ordered to pay a $500 fine and $450 restitution to the victim, as well as undergo counseling. He must also stay 150 metres from the woman’s home and workplace.
Chaulk is the second person in Canada to be sentenced for voyeurism, since the law was enacted in November 2005. The law makes it illegal to “surreptitiously observe or make a visual recording” for a sexual purpose.
The only other prosecuted case of voyeurism in Canada also took place in the province.
Winston Charles Patriquin of Port Howe, Cumberland Co., pleaded guilty last August to using a video camera to tape a girl in the bathtub.
Technology takes place of peeping Toms: lawyer
A Halifax privacy lawyer says technology is taking the place of the guy lurking outside the window.
David Fraser said what’s traditionally considered trespassing is now occurring digitally, without the physical presence of a perpetrator.
“People can be observed in a number of different contexts,” he said. “Hidden cameras in change rooms in stores. Hidden cameras in bathrooms in hotels.”
Canada’s voyeurism law was enacted in November 2005 to better protect children and other vulnerable victims from harm. The law makes it illegal to “surreptitiously observe or make a visual recording” for a sexual purpose.
Fraser said the law reflects the potential seriousness and intrusiveness of voyeurism. Enacting it was necessary, he says, to keep up with technological advances and the advent of miniature, wireless cameras.
“Thousands of companies sell wireless cameras and it’s pretty plain in the description of their products that they’re selling them for this sort of voyeurism,” he said. “Once this information is in digital form, it’s very easily transmitted.”
— Lindsay Jones
Thursday, January 25, 2007
David Canton's regular Canoe.ca and London Free Press column this week discusses the movement toward recognizing the right to sue for invasion of privacy. See: eLegal Canton: Can we sue for privacy invasion?.
Tuesday, January 23, 2007
Wired's 27B Stroke 6 is reporting on an interesting decision from New Jersey in which an appeals court has held that internet users have a right to privacy in their "ISP Address" or "screen name". While technologically incorrect, I'll leave it to others to comment on whether it's technically correct. See: WIRED Blogs: 27B Stroke 6: Jerseyites Have Right to Protect "ISP Address".
Saturday, January 20, 2007
Monday, December 18, 2006
The Ontario Superior Court of Justice has just released an interesting case considering relief from the implied undertaking rule and the potential of a tort of invasion of privacy in Ontario. (The implied undertaking rule generally prohibits the use of any information obtained in litigation for a purpose other than the instant litigation.)
Shred-Tech Corp. v. Viveen, 2006 CanLII 41004 (ON S.C.) is a case in which Shred-Tech is suing former employees for violating a non-competition covenant. The plaintiff Shred-Tech hired a private investigator to look into the situation and the PI's report was part of the rationale for initiating the lawsuit. When the PI's report was disclosed to the defendants as part of pre-trial discovery, the defendants discovered that the PI had obtained the defendants' calling records from Bell Canada and had covertly videotaped on the defendants' new business premises.
In the motion before the Court, the defendants sought an order for relief from the implied undertaking rule so they could use the materials to launch complaints under the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5; and the Private Investigators and Security Guards Act, R.S.O. 1990, c.P. 25.
The Court granted the order requested and made the following observations (the observations about the tort of invasion of privacy must be considered to be obiter dicta, but will likely be quoted as further support of the existence of the tort in Ontario):
The distinguishing feature of this motion is the reference to privacy rights, a relatively new development in our law. Public concern as to the manner of collecting personal information, and the use made of it resulted in legislative response. The Personal Information Protection and Electronic Documents Act came into existence in 2000 and is presently under review, no doubt due to the now recognized importance of privacy rights. A regulatory body was established to handle complaints regarding contraventions. There is, of course, other legislation that may be relevant to the nature of the complaint regarding the investigator’s conduct.
 In Ferency v. MCI Medical Clinics 2004 CanLII 12555 (ON S.C.), (2004), 70 O.R. (3d) 277 (Ont. S.C.J.), the defendant retained a private investigator to conduct video surveillance of the plaintiff. At trial, the defendant sought to use the video evidence for impeachment purposes. The plaintiff’s opposition to admission of the evidence relied on the Personal Information Protection and Electronic Documents Act. Dawson J. rejected the plaintiff’s submissions and raised the question of the statute’s application in the circumstances of that case. He also determined, by applying the principles of agency, it was the defendant who, in effect, collected the information for personal use in the defence of the plaintiff’s allegations.
 Ferency, as noted, dealt with the issue of admissibility of evidence at trial. Of particular importance was that the surveillance occurred in public. Dawson J. found the plaintiff had given “implied consent” saying at para. 31:
The complainant has effectively, by commencing this action and through her pleadings, put the degree of injury to her hand and its effect on her life into issue. One who takes such a step surely cannot be heard to say that they do not consent to the gathering of information as to the nature and extent of their injury or the veracity of their claim by the person they have chosen to sue. Consent is not a defined term under the Act, and there is no indication in the Act that consent cannot be implied.
 In the case at bar, however, the defendant’s present evidence to suggest information was obtained in circumstances that do not support a finding of consent, implied or otherwise, particularly with reference to their Bell Canada records.
 There is some debate as to whether there now exists a tort of invasion of privacy. I am of the view recognition of such a tort in law is the logical result of the acknowledgment of privacy rights. There must be a remedy available for the breach of any right. In this regard, I am in agreement with the comment by Stinson J. in Somwar v. McDonald’s Restaurant of Canada Ltd.,  O.J. No. 64 (Ont. S.C.J.) where, at para. 29, he said:
With advancements in technology, personal data of an individual can now be collected, accessed (properly and improperly), and disseminated more easily than ever before. There is a resulting increased concern in our society about the risk of unauthorized access to an individual’s personal information. The traditional torts such as nuisance, trespass, and harassment may not provide adequate protection against infringement of an individual’s privacy interests. Protection of those privacy interests by providing a common law remedy for their violation would be consistent with the Charter values and an ‘incremental revision’ and logical extension of the existing jurisprudence.
 The investigation appears to have resulted from the concerns of the plaintiff regarding the conduct of the defendants in establishing a competing business. The allegations raised by the defendants regarding the manner of the investigative process are serious. Evidence is provided in support of these allegations. The evidence is not challenged. Indeed, by their failure to defend the counterclaim and respond to this motion, Sintrack and Mrowiec are deemed to admit the validity of the allegations. The defendants’ Bell Canada records, for example, were obtained by the investigator without the consent of the defendants or court order. The obvious question is how such occurred and, indeed, whether an illegal act is involved.
 The evidence presented by the defendant is sufficient to establish, at least, the basis of their claim. This triable issue will be determined in due course.
 In this case, it would be unjust to restrict the enforcement of privacy rights to the lawsuit. If the rights were violated, damages may be awarded but such, in my view, ought not be the exclusive remedy. Regulatory bodies, established for this very purpose, must be permitted to investigate the complaint and have made available to it the best evidence. Preventing a regulatory investigation, by restricting the evidence that may be considered would, in effect, condone what may be an illegal act. Such is clearly not the intent of the deemed undertaking rule.
 The defendants have established entitlement to the relief claimed on this motion regarding Sintrack and Mrowiec. The intended complaint is not for an improper purpose but, rather, for a legitimate inquiry by a regulatory body. While connected to the issues raised in the lawsuit, the complaint goes further in terms of the challenged conduct.
 There is no evidence, at present, implicating the plaintiff or its corporate officials in the investigative process. Indeed, in their defence to the counterclaim, they deny any involvement. It is to be noted, as well, the plaintiff made disclosure of the investigative report and other information as required in the discovery process.
 Counsel for the defendants relies on the concept of agency in arguing in favour of allowing the complaint to proceed regarding the plaintiff, Glass and Roberto. The principles of agency may be relevant in a consideration of admissibility of evidence, such as in Ferency, or with respect to the tort claim. To subject others to a regulatory investigation necessitates a foundation for the claimed relief. Agency, in my view, is insufficient for this purpose.
 Counsel for the defendants also suggested a lack of evidence ought not be a determining factor, referring to the comments of Granger J. in 755568 Ontario Ltd. v. Linchris Homes Ltd., supra, at p. 651 where he said:
The plaintiff in its motion, which is not supported by any affidavit material setting out its motive, seeks leave to send the transcripts of the examinations for discovery to the police in order that an investigation can be carried out, and presumably charges laid, if there are reasonable and probable grounds to believe that an offence has been committed. In my view I need not, nor should I, determine if there are reasonable and probable grounds to believe the defendants have committed a criminal offence. The sole issue is whether the request of the plaintiff is a bona fide request or made for a collateral purpose.
 With respect, I do not read this passage as saying evidence is not required. Granger J. refers to a “bona fide request” which, in my view, necessitates some evidence. Otherwise, an innocent party could be subjected to regulatory or other investigation. Such would be prejudicial in terms of the lawsuit and, as well, improper.
 In this respect, the motion as it pertains to Shred-Tech, Glass and Roberto is premature. Examinations for discovery have not yet taken place. It may be that evidence will become available and, therefore, the defendants ought then be permitted to seek relief. At this point, however, without an evidentiary foundation, the motion must be dismissed as against these parties.
 On behalf of the plaintiff, counsel submits prejudice will result even by allowing the complaint to proceed with respect to the investigators. No affidavit or other evidence was presented in support of this position. Judicial notice, as referred to in Ribeiro, would acknowledge the possibility of some involvement in the complaint process, such as a witness. It is to be noted, however, it was the plaintiff who retained the investigators.
 I do not see any significant prejudice to the plaintiff in this regard. Any prejudice is far outweighed by the injustice to the defendants if the complaint could not proceed. The defendants have an absolute right to present their complaint to the regulatory bodies. The documents and other information is the best evidence and such is of critical importance in a regulatory inquiry.
 I am also of the view there is a public interest in allowing the complaint to proceed against the investigators. A potential breach of a privacy right is an important matter for the complainant and for the public. If the complaint is found to be legitimate, prevention of future abuse of the rights of others is an important consideration.
Thursday, March 23, 2006
The March 2006 edition of the Canadian Privacy Law Review is out and it includes the following article:
(Reprinted by permission of LexisNexis Canada Inc., from Canadian Privacy Law Review, edited by Michael Geist, Copyright 2006.)
With so much focus on PIPEDA, the PIPAs, the HIAs, PHIPA and others, the notion that there’s an independent tort of invasion of privacy has been somewhat lost in the shuffle as of late. Newfoundland, Manitoba, Saskatchewan and British Columbia, with their statutory torts for invasion of privacy, have settled the debate in those provinces. Observers in the other common law provinces are left, from time to time, scratching their heads as to whether there even is an ability to bring a civil suit for invasion of privacy, independent of any wrong that is addressable under the personal information protection statutes or independent of another actionable wrong, such as trespass.
To use Newfoundland as an example, the Privacy Act makes it an actionable wrong if someone violates the privacy of another:
Violation of privacy
3. (1) It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of an individual.
(2) The nature and degree of privacy to which an individual is entitled in a situation or in relation to a matter is that which is reasonable in the circumstances, regard being given to the lawful interests of others; and in determining whether the act or conduct of a person constitutes a violation of the privacy of an individual, regard shall be given to the nature, incidence, and occasion of the act or conduct and to the relationship, whether domestic or other, between the parties.
The Act further clarifies what circumstances are presumed to be an invasion of privacy and also establishes specific defenses to the tort.
In the remaining common law provinces, including Ontario and the Maritimes, the court decisions have gone both ways about whether there is an independent tort of invasion of privacy. The recent case of Somwar v. McDonald’s Restaurants of Canada Ltd. opens the door further to this possibility in Ontario.
The facts in Somwar are relatively simple: The plaintiff, Mr. Somwar, was a McDonald’s employee. The company carried out a credit check on Mr. Somwar without his knowledge or consent, and Mr. Somwar brought an action against McDonald’s for invasion of privacy, seeking general damages and an award of punitive damages to dissuade the company from repeating this with other employees. The defendant made an application under the Ontario Rules of Civil Procedure to have the plaintiff’s statement of claim struck out as disclosing no reasonable cause of action. It was argued that the laws of Ontario do not include a common law right of action for invasion of privacy.
At this stage in litigation, the task of the Justice sitting in chambers is not to determine liability or even to decide whether the actions complained of are actionable. The sole task is to determine whether it is “plain and obvious” that the plaintiff’s claim could not proceed if the matter were to go to trial. Striking out a plaintiff’s claim is reserved for those circumstances where proceeding any further would be a waste of time for the parties and the courts. If there is a simple possibility that the plaintiff might succeed at trial, the Civil Procedure Rules are designed to allow it to run its course. Any pronouncements from the bench at this stage in the proceeding must be interpreted in light of this context. The question is not whether there is a common law tort of invasion of privacy, but rather whether there might be. In the result, Stinson J. determined that there might be and went even further to say there should be.
Lacking any clear pronouncement from the appellate courts, Justice Stinson of the Ontario Superior Court of Justice canvassed a range of lower-court decisions dealing with alleged invasions of privacy. To this end, Stinson J. borrowed from the analytical framework set out by Dean William Prosser in his seminal California Law Review article, “Privacy”, and considered Ontario cases that addressed “intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs.”
The cases cited by Stinson J. in Somwar that fall into this category do not provide unequivocal guidance on whether such a tort exists. A handful of decisions from Ontario’s lower courts have allowed claims or have at least allowed actions to proceed to trial based upon alleged intentional invasions of privacy, many of which are also associated with other causes of action, such as nuisance. On the motion to dismiss the plaintiff’s claim, the cases reviewed provide sufficient grounds for Stinson J. to conclude that it cannot clearly be said that there is no common law tort of invasion of privacy.
The foregoing is sufficient to dismiss the defendant’s motion, but the Court goes further and offers the conclusion that the time is right for a clear recognition of a common law right to privacy. Stinson J. begins this part of his analysis by posing the question: “is there a right to privacy in Canada and how is it protected?”
In the age of the Charter, the Supreme Court of Canada has been explicit that the common law must evolve to become consistent with “Charter values”. The leading case on this point, Hill v. Church of Scientology of Toronto, is cited by Stinson J., who quotes from Cory J.’s majority decision:
Historically, the common law evolved as a result of the courts making those incremental changes, which were necessary in order to make the law comply with current societal values. The Charter represents a restatement of the fundamental values which guide and shape our democratic society and our legal system. It follows that it is appropriate for the courts to make such incremental revisions to the common law as may be necessary to have it comply with the values enunciated in the Charter.
Section 8 of the Charter provides individuals with a constitutional right that is analogous with the “right to be let alone”: “Everyone has the right to be secure against unreasonable search or seizure.” While the Charter only applies to individuals vis-à-vis the state, the Supreme Court’s pronouncements on Section 8 lead to the conclusion that Charter values require that the common law recognize a “right to be let alone” between individuals.
Stinson J. refers to the judgement written by La Forest J. in R. v. Dyment, in which the Court identifies three zones of privacy, one of which is privacy of personal information. La Forest J. rooted this privacy interest in “the notion of the dignity and integrity of the individual.” Recent advances in technology that can be used to collect and disseminate personal information also prompt Stinson J. to recommend that the common law make the incremental changes to keep up with Charter values and with potentially-intrusive technology:
 With advancements in technology, personal data of an individual can now be collected, accessed (properly and improperly), and disseminated more easily than ever before. There is a resulting increased concern in our society about the risk of unauthorized access to an individual’s personal information. The traditional torts such as nuisance, trespass, and harassment may not provide adequate protection against infringement of an individual’s privacy interests. Protection of those privacy interests by providing a common law remedy for their violation would be consistent with Charter values and an “incremental revision” and logical extension of the existing jurisprudence.
The importance of the Somwar case should not be overstated, keeping in mind that it relates to a motion to strike a statement of claim and is not a final, determinative judgement at trial. The test to be applied is only whether there could be such a cause of action, rather than whether there is one. However, the Court took the notable step of going beyond this simple question by propounding that the Charter and advancing technology may necessitate the updating of the common law to incorporate a clear right “to be let alone” between two private actors. Whether Justice Stinson’s decision will be followed by other lower courts and whether the appellate courts will concur are both open questions, but the decision should not be ignored as a simple interlocutory judgement on a low-threshold question. It likely represents part of a trend toward recognizing a free-standing right to privacy in those provinces where the legislatures have not stepped in to provide a statutory one.
* David T.S. Fraser is the chairman of the privacy group at McInnes Cooper and is also a part-time member of the Faculty of Law at Dalhousie University.
 R.S.N.L. 1990, c. P-21.
 2006 CanLII 202 (Ont. C.J.) (http://www.canlii.org/on/cas/onsc/2006/2006onsc10045.html) (“Somwar”).
 R.R.O. 1990, Reg. 194, Rule 21.01(1)(b).
 William L. Prosser, “Privacy” (1960) 48 Cal.L.Rev. 383.
 Prosser’s article classifies invasions of privacy in the following categories: “(i) intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs; (ii) public disclosure of embarrassing private facts about the plaintiff; (iii) publicity which places the plaintiff in a false light in the public eye; and (iv) appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness”. Quoted in Somwar, at para. 9.
 Stinson J. refers to the following cases in this group: Capan v. Capan,  O.J. No. 1361 (H.C.J.) (application to strike statement of claim; defendant did not establish that stalking, harassment and entry into the plaintiff’s home could not found a cause of action); Saccone v. Orr (1981), 34 O.R. (2d) 317 (Co.Ct.) (recording of a private telephone conversation that was subsequently broadcast at a municipal council meeting and then published in a local newspaper; Court concluded that the plaintiff “must be given some right of recovery” for actions of the defendant); Roth v. Roth, (1991), 4 O.R. (3d) 740 (Gen. Div.) (action related to blocking access to property and shutting off electricity of the plaintiff’s cottage; Court concluded that whether the case is actionable depends upon the circumstances and the rights in conflict; invasion of privacy is not derived from a property right and the interests of both the individual and society are served by proceeding); Lipiec v. Borsa,  O.J. No. 3819 (Gen. Div.) (Court awarded damages related to removal of a fence between properties and erection of a surveillance camera pointed at the defendant’s (plaintiff by counterclaim’s) yard); Tran v. Financial Debt Recovery Ltd.,  O.J. No. 4293 (S.C.J.) (reversed on other grounds,  O.J. No. 4103 (Div. Ct.)) (collection agency making repeated collection calls to plaintiff’s workplace after being advised to only call home number; plaintiff recovered under defamation, intentional interference with economic interests, intentional infliction of emotional suffering, and invasion of privacy); Garrett v. Mikalachki,  O.J. No. 1326 (S.C.J.) (dispute between neighbours leading to recovery under “intentional infliction of emotional distress, nuisance or invasion of privacy, and harassment”) and Rathmann v. Rudka,  O.J. No. 1334 (S.C.J.) (harassment amounting to nuisance and invasion of privacy).
 Somwar at para. 23.
  2 S.C.R. 1130.
 Quoted in Somwar at para 26, from Hill at para 92.
  2 S.C.R. 417 (“Dyment”).
 Quoted in Somwar at para 24, from Dyment at para 22.
Tuesday, March 21, 2006
Daniel Solove, professor at George Washington University School of Law and one of the authors of Concurring Opinions, has released a new article that asks the question "what is privacy?" Privacy means different things to different people and Prof. Solove's article tries to break down and organize the concept of privacy. Here's the link and the abstract:
Daniel J. Solove, A Taxonomy of Privacy, 154 U. Pa. L. Rev. 477 (2006)
Privacy is a concept in disarray. Nobody can articulate what it means. As one commentator has observed, privacy suffers from an embarrassment of meanings. Privacy is far too vague a concept to guide adjudication and lawmaking, as abstract incantations of the importance of privacy do not fare well when pitted against more concretely-stated countervailing interests.
In 1960, the famous torts scholar William Prosser attempted to make sense of the landscape of privacy law by identifying four different interests. But Prosser focused only on tort law, and the law of information privacy is significantly more vast and complex, extending to Fourth Amendment law, the constitutional right to information privacy, evidentiary privileges, dozens of federal privacy statutes, and hundreds of state statutes. Moreover, Prosser wrote over 40 years ago, and new technologies have given rise to a panoply of new privacy harms.
A new taxonomy to understand privacy violations is thus sorely needed. This article develops a taxonomy to identify privacy problems in a comprehensive and concrete manner. It endeavors to guide the law toward a more coherent understanding of privacy and to serve as a framework for the future development of the field of privacy law.
Wednesday, February 22, 2006
Mark Rasch at Security Focus is discussing whether there should be strict liability for data breaches so that those whose information is compromised may sue for damages: Strict liability for data breaches?.
I just recently gave this a bit of thought for an upcoming article for the Ontario division of the Canadian Bar Association's privacy section. Unless there is an actual misuse of the information leading to a loss, the biggest impediment under traditional tort law is going to be proving an actual injury. The tort of negligence requires there to be (i) a duty of care, (ii) a breach of the standard of care and (iii) an injury of some sort directly related to the breach. For most individuals whose information is lost, the injury is an increased likelihood of identity theft or other fraud, and quantifying that risk is mostly speculative. The courts of Canada generally have not been very amenable to compensating bare risks.
PIPEDA itself contains provisions that allow an aggrieved individual to seek damages in the Federal Court, but there is no mention in the statute that it creates a strict liability tort or waives the usual requirement for demonstrating injury. So far, nobody has taken their complaint seeking damages that far.
We may get some clarity about this if the class action lawsuit against CIBC ever makes it to court in Ontario. Much of the injury claimed in the statement of claim relates to the time and expense related to more vigilant credit and account monitoring. (There is also a claim related to emotional distress and the class is seeking punitive damages.) Hopefully the court will address this question, if it does get to court.
While American legislators are thinking about this issue more than Canadians, it is worth considering whether there should be an entitlement to statutory damages where sensitive personal information (the disclosure of which can be harmful) is compromised and the individuals are not given notice. This would avoid tussles in the courtrooms and would give businesses some certainty of their actual exposure. We may even hear about it at the upcoming five year review of PIPEDA.
In the meantime, anybody advancing a claim under this sort of theory of liability will be taking a gamble on the possibility of recovering anything.
Tuesday, January 17, 2006
Thank you to a loyal reader who brought this case to my attention.
The Ontario Superior Court of Justice recently had an opportunity to consider whether you can sue for an alleged invasion of privacy in Ontario. More accurately, the Court considered whether you can even try to sue on this basis. In Somwar v. McDonald's Restaurants of Canada Ltd., 2006 CanLII 202 (ON S.C.), Stinson J. considered a defendant's application to strike a plaintiff's claim for invasion of privacy. The defendant argued that it disclosed no reasonable cause of action.
In the result, the Court let the plaintiff's pleading stand. This does not mean that there is or is not an independent tort of invasion of privacy, but it does suggest that the courts in Ontario will at least hear the plaintiff out.
The facts in this case involve an employer who carried out a credit check on an employee without the employee's knowledge or consent. The plaintiff sued. Because the courts of Ontario have gone both ways on whether you can sue for this, the plaintiff was not thrown out of court.
Stinson J. had some interesting things to say:
Is it fully settled in the jurisprudence that there is no common law tort of invasion of privacy?
 I begin my analysis with this question for the simple reason that if the answer is "yes" that is the end of the plaintiff's case.
 In a law review article written in 1960, the leading American torts scholar, William Prosser, listed four distinct kinds of invasion of privacy interests as follows: (i) intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs; (ii) public disclosure of embarrassing private facts about the plaintiff; (iii) publicity which places the plaintiff in a false light in the public eye; and (iv) appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness: see William L. Prosser, “Privacy” (1960) 48 Cal. L. Rev. 383 at 389. Although Dean Prosser's article was intended as an overview of the American jurisprudence in this area, his analytical framework is helpful in trying to understand the approaches taken by Canadian courts when dealing with these types of claims.
 The complaint in the case at bar concerns the conduct of a credit bureau check on an employee by his employer, without the employee’s consent. This complaint falls within Prosser’s first category of invasion of privacy, i.e. “intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs.” Prosser further described such intrusion as follows:
- there must be something in the nature of prying or intrusion;
- the intrusion must be something which would be offensive or objectionable to a reasonable person;
- the thing into which there is prying or intrusion must be, and be entitled to be, private; and
- the interest protected by this branch of the tort is primarily a mental one. It has been useful chiefly to fill in the gaps left by trespass, nuisance, the intentional infliction of mental distress, and whatever remedies there may be for the invasion of constitutional rights.
 In The Law of Torts in Canada, 2nd ed. (Toronto: Carswell, 2002) G.H.L. Fridman discussed different classifications of torts and observed that courts, in the limited circumstances where damages are awarded for “invasion of privacy”, tend to treat such invasion as an intentional tort. At pp. 20-21 he wrote:
 Acceptance by the courts … of the possibility of liability for certain kinds of “invasion of privacy,” limited though this may be, suggests that the courts are groping their way towards the idea that, where one person acts in a manner that is known and intended to be injurious to another, liability should ensue, even though no nominate tort such as … intimidation, trespass, or defamation, has been committed, unless the circumstances reveal that there was what can be accepted as a lawful reason, justification or excuse for the perpetration of the act and the infliction of the harm.
 Based on Prosser’s description of intrusion of privacy interests and Fridman’s observations on treatment of “invasion of privacy” by courts, I conclude that the plaintiff’s complaint concerning the invasion of his privacy could be categorized as an intentional tort.
 The potential existence of a common law intentional tort of invasion of privacy has been discussed on various occasions in the jurisprudence of the courts of Ontario. Many of these cases involved intrusion into the plaintiff's seclusion or private affairs and thus fall within Prosser's first category of invasion of privacy interests.
 In Capan v. Capan,  O.J. No. 1361 (H.C.J.), the plaintiff commenced an action against her husband for damages for continuing mental and physical harassment and invasion of privacy. The defendant allegedly stalked the plaintiff during a separation, harassed her with persistent telephone calls at home and at her work place, and forced his way into her apartment. The defendant moved to strike out the plaintiff’s statement of claim based on the absence of a reasonable cause of action. Osler J. dismissed the motion stating (at paras. 14-15):
 What is complained of here is, in its very essence, an abuse of personal rights to privacy and to freedom from harassment. … [I]t has not been demonstrated that the rights referred to will not be recognized by our courts nor that their infringement will not found a cause of action. In my view, it would not be right, on a motion of this kind, for the court to deprive itself of the opportunity to determine, after hearing the evidence, whether such right exists and whether it should be protected.
 In Saccone v. Orr (1981), 34 O.R. (2d) 317 (Co. Ct.), the defendant recorded a private telephone conversation with the plaintiff without the plaintiff’s consent. The defendant then played the tape at a municipal council meeting. A transcript of the tape was subsequently published in a local newspaper. The court rejected the defendant’s argument that no tort of invasion of privacy existed in Ontario common law. Jacobs Co. Ct. J. said:
 [I]t’s my opinion that certainly a person must have the right to make such a claim as a result of a taping of a private conversation without his knowledge, and, as against the publication of the conversation against his will or without his consent. Certainly, for want of a better description as to what happened, this is an invasion of privacy and despite the very able argument of defendant’s counsel that no such action exists, I have come to the conclusion that the plaintiff must be given some right of recovery for what the defendant has in this case done.
 In Roth v. Roth, (1991), 4 O.R. (3d) 740 (Gen. Div.), the court held that the defendants’ acts such as locking a gate on an access road, interfering with and blocking the use of the road by the plaintiffs in getting to and from their cottage, and removing a shed, pump and dock with the concomitant shutting off of electricity in the plaintiffs’ cottage at a time when they were not there constituted a harassment of the plaintiffs in the enjoyment of their property. Mandel J. also found that the defendants’ actions amounted to an invasion of the plaintiffs’ privacy. He further rejected the view that privacy flowed from property rights. He wrote (at p. 758):
 In my view, whether the invasion of privacy of an individual will be actionable will depend on the circumstances of the particular case and the conflicting rights involved. In such a manner the rights of the individual as well as society as a whole are served.
It is also noteworthy that Mandel J. reached the foregoing conclusion after he observed that there is no legislated remedy for invasion of privacy in Ontario, unlike some other provinces.
 In Lipiec v. Borsa,  O.J. No. 3819 (Gen. Div.), the defendants’ counterclaim against the plaintiffs was based on nuisance and trespass. The plaintiffs and the defendants were owners of adjoining residential properties. The court found that the plaintiffs had greatly reduced the defendants’ enjoyment of their property by removing the fence between the two properties and erecting a commercial type surveillance camera aimed at the defendants’ yard. McRae J. noted that intentional invasion of privacy had been recognized as actionable in Ontario in several cases. He found that there was intentional invasion of the defendants’ right to privacy and awarded damages to the defendants.
 In Tran v. Financial Debt Recovery Ltd.,  O.J. No. 4293 (S.C.J.) (reversed on other grounds,  O.J. No. 4103 (Div. Ct.)), the plaintiff had outstanding student loans. Employees of the defendant debt collection agency began calling the plaintiff about the loan, several times an hour, at work. The plaintiff disputed the amount outstanding, but he was never provided with particulars. Despite the plaintiff’s request to be contacted at home, the defendant’s employees continued to call him at work. The court found that the defendant had invaded the plaintiff’s privacy by placing repeated and vexatious calls to the plaintiff’s place of employment. Molloy J. awarded damages to the plaintiff for the torts of defamation, intentional interference with economic interests, intentional infliction of emotional suffering, and invasion of privacy.
 Other cases in which trial judges have found liability based on invasion of privacy falling within Prosser's first category include Garrett v. Mikalachki,  O.J. No. 1326 (S.C.J.) and Rathmann v Rudka,  O.J. No. 1334 (S.C.J.).
 The courts of Ontario have not been unanimous concerning the existence of a common law tort of invasion of privacy. In Haskett v. Trans Union of Canada Inc. (2001), 10 C.C.L.T. (3d) 128 (Ont. S.C.J.), aff'd 15 C.C.L.T. (3d) 194, (Ont. C.A.), the plaintiff alleged that the defendant credit-reporting agencies had unlawfully included his pre-bankruptcy debts in consumer reports and incorrectly reported them as collectible debts. He sought to bring a class proceeding against the defendants for damages based on breach of fiduciary duty, invasion of privacy, and negligence. The defendants moved to strike the statement of claim on the ground that it did not disclose a reasonable cause of action. With respect to invasion of privacy, Cumming J. found that it was plain and obvious that the complaint of wrongful inclusion of inaccurate information in a credit report did not amount to a reasonable cause of action in tort. Cumming J. quoted with approval from Professor Klar in his text Tort Law (Toronto: Carswell, 1991) where he stated at p. 56 as follows:
 Despite some encouraging suggestions from a few courts, it would be fair to say that the Canadian tort law does not yet recognize a tort action for invasion of privacy per se. Rather “privacy” rights have been protected under the umbrella of other traditional tort actions, and by legislative interventions.
Cumming J. acknowledged, however, that “more recently, there has been some recognition of invasion of privacy as an embryonic tort where there is harassing behaviour or an intentional invasion of privacy.” [Emphasis added.] On appeal, the appellant limited his claimed cause of action to negligence. Thus, the Court of Appeal did not address the ruling of the motion judge with respect to the issue of invasion of privacy.
 In T.W. v. Seo,  O.J. No. 4277 (Ont. S.C.J.) (varied on other grounds at  O.J. No. 2467 (C.A.)), the defendant was an ultrasound technician who videotaped the plaintiff while she was in the change room. The plaintiff’s claim included a claim for damages based on the tort of invasion of privacy. Siegel J. refused to put any questions to the jury relating to this cause of action as he found that “insofar as a common law tort of invasion of privacy was recognized in Canada, it did not extend to these facts.”
 In light of the trial decisions listed in this brief survey of Ontario jurisprudence, and the absence of any clear statement on the point by an Ontario appellate court, I conclude that it is not settled law in Ontario that there is no tort of invasion of privacy.
Is it plain and obvious that the plaintiff’s action cannot succeed, or despite the novelty of the cause of action, is there a chance that the plaintiff might succeed?
 Provinces such as British Columbia, Manitoba, Newfoundland, and Saskatchewan have created a statutory tort of invasion of privacy. See John D.R. Craig, “Invasion of Privacy and Charter Values: the Common-Law Tort Awakens” (1997) 42 McGill L.J. 355, footnote 2. In Quebec, s. 5 of the Charter of Human Rights and Freedoms, R.S.Q., c. C-12, which provides that “every person has a right to respect for his private life”, is directly enforceable between citizens. In Ontario, however, there is no statutory remedy for unreasonable intrusion into an individual’s private affairs.
 With advancements in technology, personal data of an individual can now be collected, accessed (properly and improperly), and disseminated more easily than ever before. There is a resulting increased concern in our society about the risk of unauthorized access to an individual’s personal information. The traditional torts such as nuisance, trespass, and harassment may not provide adequate protection against infringement of an individual’s privacy interests. Protection of those privacy interests by providing a common law remedy for their violation would be consistent with Charter values and an "incremental revision" and logical extension of the existing jurisprudence.
 Such a development in the common law has been viewed as appropriate by many legal commentators: see, for example, the articles by Bell, and Craig, supra. Bell wrote (at p. 235):
 The emerging social realities of twenty-first century life in Canada include the use of technology that “increasingly facilitates the circulation and exchange of information”, cellular phones that can be used to take photographs, and the seemingly ever-increasing desire by the public at large for media stories, to name but a few examples. A broad embracement of a common law tort of invasion of privacy would reflect an updating of the common law to reflect these emerging social realities….
 Even if the plaintiff's claim for invasion of privacy were classified as "novel" (which, in any event, is not a proper basis for dismissing it) the foregoing analysis leads me to conclude that the time has come to recognize invasion of privacy as a tort in its own right. It therefore follows that it is neither plain nor obvious that the plaintiff's action cannot succeed on the basis that he has not pleaded a reasonable cause of action.
UPDATE: Check out Michael Fitzgibbon's post on this case, in which he offers some helpful comments on the test for striking out a pleading and on what this case may mean: Thoughts from a Management Lawyer: It's Alive (for now) The Tort of Invasion of Privacy in Ontario. (Added 20060118)
Tuesday, October 25, 2005
The pre-trial process in the Cardsystems class action lawsuit continues, while the parties are squabbling over what and how much information Visa and MasterCard should be providing to the plaintiffs about their relationships with Cardsystems: Squabble continues over credit card breach | Tech News on ZDNet.
Monday, August 01, 2005
Recent privacy and security incidents have spawned a whole range of class action lawsuits, but Law.com reports the larger class-action firms in the US are shying away. Into that gap have stepped a number of smaller firms, looking to make precedent in this untested area:
American Lawyer Media's Law.com - Small Firms Blaze a Trail for Privacy Suits
"Matthew Righetti says companies that leak consumer data should be forced to pay. But the San Francisco plaintiffs lawyer can't say how much. Or, for that matter, whether any court would agree with him.
In fact, no one is sure. While electronic privacy breaches have caught the attention of big media -- the Wall Street Journal wrote Monday that they're generating large class actions -- the major class action firms have shied away from.
Since the cases rest on untested laws -- and often involve victims with no monetary losses -- the big plaintiffs firms are letting smaller outfits like Righetti's take the first steps in a litigation area with equally great risks.
Eager to find new practice areas without competition from the big firms that dominate consumer and securities class actions, the small plaintiffs shops have been happy to oblige.
Basing their complaints on disclosure notices that companies, under California law, send to customers whose financial data has been leaked, a bevy of small firms has aggressively pursued the suits.
While the plaintiffs lawyers say the notices fairly reek of liability, the outlook is so uncertain that small plaintiffs shops feel forced to share the risk of privacy suits with other firms...."
Thanks to Rob Hyndman for the pointer to this story.
Monday, July 25, 2005
Journal Gazette | 07/25/2005 | Lawsuits broach data-security breaches
"... The Marin County, Calif., salesman, along with two other plaintiffs, has filed a class-action lawsuit in California Superior Court in San Francisco against CardSystems Solutions Inc., which last month acknowledged that hackers had obtained information on approximately 200,000 credit- and debit-card accounts. The payment-processing concern might have put the personal information of as many as 40 million consumers at risk, including Schultz’s Visa debit-card account.
Schultz, 52, hasn’t discovered fraudulent activity in connection with his Visa account; and even if he wins, he isn’t likely to recoup much money for the time and trouble of monitoring his account and changing his automatic-payment arrangements.
But his suit against CardSystems, of Tucson, Ariz., might help answer one of the biggest questions arising from the recent rash of data-security breaches: Who should pay for damages?
In an earlier era, when little was known about particular hackings, accountability was difficult and data losses were deemed an unavoidable annoyance. Now, merchants, banks, payment processors, credit-card associations and even security auditors and software makers face the prospect of liability for lax practices.
“There is going to be a flood of lawsuits by both consumers and businesses,” said Mark Rasch, a former Justice Department prosecutor and now senior vice president for Solutionary Inc., a security-audit firm in Bethesda, Md. ..."
Thursday, July 14, 2005
According to the Kansas City Star (registration required), a plastic surgeon is at the centre of a class action lawsuit because he is alleged to have taken home an office computer and to have left it at the curb with his garbage without securely removing patient information. The claim is for negligence, invasion of privacy and breach of fiduciary duty: Kansas City Star | 07/14/2005 | Patients sue doctor over old computer.
I just googled the name of the surgeon and came upon the following:
Medical Newswire - Healthcare, Biotechnology News Release Service
Erase PHI Before You Discard Old Hard Drives
"KANSAS CITY, KS (HIPAA Wire) You must strip all data from your computer's hard drive before you throw it in the scrap pile -- or risk exposing patients' PHI.
That's the lesson Daniel Bortnick, a Kansas City plastic surgeon, learned after patients' before-and-after photos and other PHI were found on a computer the surgeon had deposited in his curbside trash.
Robert Dickerson discovered the information and voluntarily gave the computer and its contents to KCTV. The news station then began contacting patients -- who turned to the surgeon's employer, Monarch Plastic Surgery Group, for answers.
Monarch requested and was granted a restraining order that forbids KCTV from "using, publishing, disseminating, broadcasting, distributing, or disclosing" the PHI found on the computer. But KCTV isn't giving up its fight to expose the surgeon's lax privacy and security policies.
"We either have to violate the order, we've got to  the story in a way that doesn't violate it, or we have to say, 'We've got an important story to tell you that the courts won't let us yet. Stay tuned,'" the station's lawyer Bernard Rhodes told the Kansas City Star. Rhodes is taking the case to the Kansas Supreme Court for resolution.
Bottom Line: Protect both your organization's reputation and your patients' PHI by double checking that all data stored on your computer is destroyed -- before you send your hard drives to the trash pile."
Tuesday, July 12, 2005
Wednesday, June 29, 2005
Bank Systems & Technology is running an article that discusses the cost of privacy breaches. Notification can cost $25-30 per customer, and then add $25 per customer for credit monitoring. Class action lawsuits, even if won, cost millions. The cost to reputation is impossible to calculate and can be devastating to a company.
Effective data governance is the key to avoiding these problems in the first place and strong, proactive responses to incidents are the way to mitigate these losses.
The article is online here:
Bank Systems & Technology : Lost Data Tapes Likely To Be Costly for Citi:
"Lost Data Tapes Likely To Be Costly for Citi
As it stands, however, the incident will cost Citigroup significant money to remedy, starting with the need to assuage affected customers. "The average cost of notifying a customer of a breach is anywhere from $30 to $50 per customer. Then, the monitoring of credit records is an additional $25," relates Maureen Kelly, director of product marketing for security technology firm Vontu (San Francisco).
Citi - and other banks - could go even further toward making the customer feel safe - and that's not a bad idea, notes Vytas Kisielius, president of communications solutions provider Adeptra (Norwalk, Conn.). Kisielius compares the current public relations opportunity to Johnson & Johnson's handling of the Tylenol poisonings in 1982. When consumers no longer trusted its product, J&J responded with tamper-resistant packaging. "They made their customers feel completely safe and secure in their relationship that they had with the company," says Kisielius.
But the cost of reaching out to customers can pale in comparison to the legal costs involved with responding to class-action lawsuits. "You're talking six figures to read the complaint, seven figures before you get to a court," asserts Kevin Kalinich, national managing director for technology and professional risks, of Aon's (Chicago) Technology and Telecommunications Group. Aon offers extensions of "errors and omissions" insurance that cover both indemnification and defense costs of third-party claims or losses due to litigation.
The litigation expenses would kick in even if the defendant has a solid defense. "It'd be very hard for anyone to prevail on a lawsuit, unless they could prove actual harm and they could show it traces back to this security breach," notes Fred H. Cate, director of the Indiana University Center for Applied Cybersecurity Research.
But, "The greatest single cost is in the press disclosure," continues Cate. "Do people think less of Citibank, or, if you're a Citibank customer, are you going to be more likely to move [to another bank] now?"
It doesn't take long.... a class action lawsuit has been filed in California against Cardsystems, related to the recent privacy breach: Lawsuit filed over CardSystems data breach | InfoWorld | News | 2005-06-28 | By Robert McMillan, IDG News Service.
Friday, April 15, 2005
Business Week is usually pro-business, but it has an unusual take on the issue of companies leaking personal information. Give people the ability to sue, individually and in class actions. It may be a blunt instrument, but it speaks the language that business understands.
Personal Data Theft: It's Outrageous:
"... At a time when the Bush Administration and the Republican majority in Congress have put tort reform high on their agenda, talking about new tort rights is distinctly unfashionable in Washington. But creating liability for companies that fail to take proper care of the data entrusted to them is probably the most efficient way to get businesses to do the right thing.
SEE YOU IN COURT? Companies possessing personal data should be required to take all reasonable steps to protect it along the lines already in place for financial data under the Sarbanes-Oxley Act and for medical records under the Health Insurance Portability & Accountability Act. Individuals whose information is lost because a custodian has failed to protect the data adequately should have the right to bring individual suits or class actions for damages.
Tort suits, especially class actions, are a blunt instrument for enforcing good behavior, and they can be abused. But liability is a language that business understands, and monetary disincentives are something corporations respond to. And cumbersome as the court system is, it can be faster and more effective than government civil penalties (criminal sanctions should be reserved for the most egregious cases). This is by no means a magic bullet, but would at least create a monetary incentive, where none now exists, for data companies to be careful.
The incidents of wrongfully obtained data from ChoicePoint and LexisNexis are only the most prominent in what's increasingly a mass assault on the privacy and security of our information. Clearly some government action is needed, mainly to give law enforcement better tools to prosecute obvious cybercrimes such as phishing...."
Thanks to Rob Hyndman for the link.
Thursday, April 14, 2005
In the aftermath of the most recent incident involving Polo Ralph Lauren, Forbes Magazine is asking whether companies should be held liable for identity theft if their lax security is to blame.
Forbes.com: Are Companies Liable For ID Data Theft?:
"A case could be made that [companies whose data is stolen] do have a responsibility," says Anita L. Allen, Henry R. Silverman professor of law at the University of Pennsylvania School of Law. Publicizing private facts about people is a tort, she says, and companies can be held liable even if the victim hasn't suffered a monetary loss. "If they recklessly failed to protect the information, that might be seen by a jury or judge as highly offensive conduct," she says.
Insecure databases of online retailers and information brokers are fueling the problem, providing huge batches of potential identities to steal. So consumers are increasingly asking that businesses be held responsible for securing the personal information they maintain.
In the wake of its security breach, ChoicePoint offered one year's worth of free credit monitoring to the consumers affected. But attorney Peter A. Binkow says consumers deserve more, even though most have not yet been the victim of fraud.
"While that might be a step in the right direction, our belief is that [ChoicePoint's offer] is not enough," he says. One year "is not enough time to see if someone has misused their information."
Binkow's firm, Glancy, Binkow & Goldberg, has filed a class-action suit against ChoicePoint on behalf of consumers who had their information exposed, and he plans to ask for an extension of the one-year monitoring, as well as for the establishment of a system to help consumers who do get hit by fraud. They may also seek monetary damages.
ChoicePoint became aware of the problem when Eileen Goldberg, the mother of one of the company's partners, received a letter from ChoicePoint saying that her personal information had been exposed. She didn't know what to do and took it to her son.
Binkow says ChoicePoint needs to take responsibility for the consumers who don't have those sorts of resources and will likely be confused about how to protect themselves. "I'm an attorney, and I'm fairly confused by this stuff," says Binkow. "If I found out my identity had been stolen, I wouldn't know where to start."
It's unlikely that a court would award monetary damages, unless a judge or jury wanted to make an example of the offending company, according to attorney Allen. But a court might well order remedies like added security precautions or help with credit monitoring.
Unlike ChoicePoint, retail businesses like DSW and Ralph Lauren Polo don't trade in sensitive information like Social Security numbers. But they still might be held responsible for exposing credit-card numbers, particularly if the breach occurred because of poorly implemented or maintained security technology.
Companies are free to establish their own privacy and security policies (most if not all online businesses, including Forbes.com, state their privacy policies online), but all are mandated by the U.S. Federal Trade Commission to follow their stated policies. If they do not, says Allen, they could be charged with fair trade violations. Beyond that, a court might force a company to pay damages if it's clear it didn't do everything it could to protect its customers.
"If some company is extremely negligent in the way they handle data, they could be liable for damages," says Allen. "Any business that exists online has to worry about this.""
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.