Upload
dan-michaluk
View
2.197
Download
0
Embed Size (px)
Citation preview
Privacy risks, incidents and liability -A legal update
Dan MichalukOctober 7, 2015
Statutory happenings
• PIPEDA breach notification a game changer• "Breach of security safeguards" – loss, unauthorized
access, disclosure• When there is a "real risk of significant harm"• Notification and reporting to individual, to the
Commissioner and to organizations in a position to mitigate
• All "as soon as feasible"
2
Statutory happenings
• PHIPA amendment introduced• Breach definition narrowed slightly – stolen, lost,
used or disclosed without authority (unauthorized access gone, thankfully)
• Will continue to be no harm threshold• Will require advice of right to complain• Will require notification to IPC (threshold TBD)• Fines increased from $250,000 to $500,000
3
Direct-to-court claims are alive
• Hopkins v Kay• A person may chose sue or complain to IPC• Suggests that "actual harm" + $10,000 cap for
mental anguish is not an "adequate remedy"• Leave to appeal to SCC pending
4
Class actions are getting certified
• It’s not clear how amenable breach claims are to the class action process• Common framing is negligence, not intentional intrusion• Negligence requires proof of damage
= “serious and prolonged psychological injury”
≠ moral damages, damages for annoyance• Contractual liability can be expressly limited• Doctrine restricts contractual liability for non-$ loss
5
Class actions are getting certified
• Evans - background• Unique, negative facts• Intentional theft of information• Admitted exposure to identity theft• Admitted flaws in “monitoring”• Privacy code promises information “will be kept
secure” and only used for proper purposes
6
Class actions are getting certified
• Evans - certified• Bases
• Intentional intrusion + vicarious liability• Negligence• Breach of contract• Waiver of tort
• Openness to compensate for $ loss not a barrier• Notification/risk group class is appropriate
7
Class actions are getting certified
• Condon – background• Common, benign facts but large population• Lost hard drive never found• No basis in fact for pecuniary loss claim• Simple claim for “inconvenience, frustration and
anxiety”
8
Class actions are getting certified
• Condon – certified• Bases
• Breach of contract – nominal damages• Intentional intrusion (!!!)
• Appeal• add Negligence• add Breach of Confidence
9
Privacy risks, incidents and liability -A legal update
Dan MichalukOctober 7, 2015