Chapter 4: Data Breaches – Planning, Reacting, and Litigating

HTML VERSION

Chapter 4:
Data Breaches – Planning, Reacting, and Litigating

I. Introduction: Breach Risk and Breach Plans

Breaches happen, and their frequency is growing. They are a constant and ever-evolving problem, and should be expected in the course of big data business.

To clarify, a “breach” is a failure of security safeguards. In particular, a breach is the result of various kinds of unauthorized activity with respect to secured data which is usually sensitive, because it is personal, proprietary, relates to national security, or is otherwise confidential.

[See, for example, PIPEDA, s.2(1) “breach of security safeguards”; GDPR, Art. 4(12) “personal data breach”; BC’s PIPA, s.34.]

Even a “small breach” has the potential to cause massive damage. Moreover, as discussed in subsection II of Chapter 3, breaches inevitably result in escalating legal fees. A surprise breach will usually also require drastic quick action, like taking key systems offline without being able to turn on a backup system. Such actions in and of themselves may cause financial loss and reputational damage.

The increasing prevalence of breaches implies an increase in breach risk, which is now a commonly understood market concept. Consumers and courts now take a dim view of companies that are breached due to inadvertence. Companies are not considered the victims—consumers are. Moreover, companies with control over sensitive data, whether direct or indirect, now have commonly recognized duties to act swiftly, and decisively, in reaction to breaches. Swift and decisive action requires prior commitment to a plan of action in the event of a breach—a “breach plan”.

[See CCCS, “Baseline Cyber Security Controls for Small and Medium Organizations”, s.3.1 and BC.1.1-1.3 (last updated Nov 20, 2019); Danny Pehar, “Why Your Company Should Secure A Breach Coach” (Forbes, Jul 29, 2019).]

In this chapter, the discussion of breach planning and related law applies specifically in the context of personal data (as opposed to other kinds of data).

II. Proactive Planning for Breaches

A formal breach plan considers risks and prescribes actionable measures in the midst and aftermath of a cyber incident. It should be custom drafted with respect to any given business or business unit, according to established legal standards and industry best practices. It should also map out a plan for dialogue with regulators and the public in a post-breach scenario, to appropriately balance the priorities of brand preservation and legal compliance.

The immediate objectives of a breach plan are to:

• identify and document operational risk tolerances specific to a given organization within its industry; and
• develop risk-mitigated approaches to data collection, use, disclosure, retention, accuracy, security and disposal.

The ultimate purposes of a breach plan are to:

• minimize delay in reaction to breaches;
• maximize effectiveness of the reaction to breaches;
• minimize damage caused by breaches; and
• minimize liability for breaches.

The process of breach planning starts with a privacy impact assessment (“PIA”). PIAs are mandatory in the public sector, pursuant to the federal government’s directive on PIAs. They are also strongly recommended in the private sector, for building a compliance strategy on the ten foundational privacy principles mentioned in subsection III of Chapter 1.

[Government of Canada, Directive on Private Impact Assessment (Apr 1, 2010).]

One starting place for a PIA is to engage with the OneTrust platform, regarding a multi-jurisdictional privacy program and electronic marketing campaign. Another resource is the Standard Information Gathering (“SIG”) questionnaire, which is helpful for assessing third-party vendor risk. Such measures should be undertaken with the assistance of—or management by—legal counsel. Thereafter, counsel’s job (before a breach occurs) is to perform a deeper and more comprehensive assessment of legal risks, and to steer the company toward appropriate risk handling procedures.

III. Regulatory Breach Issues: Breach Records, Notification and Reporting

As of November 2018, private organizations must keep records of all security breaches exposing personal information, for 2 years after each breach is discovered. The records must contain “any information” to assess compliance with breach record-keeping and reporting requirements. Note also the OPC’s recent declaration that it is actively “examining organizations’ breach records to assess compliance.”

[See PIPEDA, s.10.3(1); Breach of Security Safeguards Regulations, s.6; OPC, “What you need to know about mandatory reporting of breaches of security safeguards” (Oct 29, 2018); OPC, “A full year of mandatory data breach reporting: What we’ve learned and what businesses need to know” (Oct 31, 2019); OPC, “Privacy Law Reform - A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy” (Dec 10, 2019) at 53.]

A required breach report to the OPC can be made “by any secure means of communication.” Failure to report can result in a fine upwards of $100,000.

[See Breach of Security Safeguards Regulations, s.2(3); PIPEDA, s.28(b).]

The imposed maximum fine, and ease with which a breach report can be made, have apparently caused a shift in attitude towards privacy compliance. Just one year after the mandatory breach reporting requirements went into effect, the volume of breach reports increased five to six times the volume received by the OPC during the same period one year earlier. This statistic clearly indicates that breach reporting is escalating from a compliance matter to a business norm.

[See OPC, “A full year of mandatory data breach reporting: What we’ve learned and what businesses need to know” (Oct 31, 2019); OPC, “Reforming Canada’s privacy laws: Shifting from the whether to the how” (May 23, 2019); OPC, “Privacy Law Reform - A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy” (Dec 10, 2019) at 53.]

The basic requirements for breach reporting follow. For any breach that creates a “real risk of significant harm” to an individual:

• the individual must be notified in a prescribed form, as soon as feasible, either directly or indirectly depending on the circumstances;
• notification must be given to any organization or government institution that could reduce the risk of harm;
• the breach must be reported to the Privacy Commissioner in a prescribed form, as soon as feasible; and
• the breach record must be disclosed to the Privacy Commissioner upon request.

[See PIPEDA, s.10.1; Breach of Security Safeguards Regulations, ss.2-5; OPC, “What you need to know about mandatory reporting of breaches of security safeguards” (Oct 29, 2018).]

To reiterate, the standard of a “real risk of significant harm” applies on an individual basis. The OPC has clarified that “there can be risk of significant harm even when only one person is affected by an incident.” Moreover, “significant harm” and a “real risk of significant harm” are questions of mixed law and fact, based on:

• the specific circumstances;
• the sensitivity of the personal information involved in the breach; and
• the probability that the personal information has been, is being or will be misused.

[See OPC, “A full year of mandatory data breach reporting: What we’ve learned and what businesses need to know” (Oct 31, 2019); OPC, “What you need to know about mandatory reporting of breaches of security safeguards” (Oct 29, 2018).]

As discussed in subsection I of Chapter 3, even third party data processors are responsible for personal information under their control. Such obligations also extend to breach reporting, and require more than simply notifying the public-facing data controller. As clarified by the OPC, “the obligation to report the breach rests with an organization in control of the personal information implicated in the breach.” As a matter of legal interpretation, this quote should be read with respect to “any organization in control of the personal information….”

[See PIPEDA Report of Findings #2014-004 (Apr 23, 2014); OPC, “What you need to know about mandatory reporting of breaches of security safeguards” (Oct 29, 2018).]

Moreover, as of March 2019, there is an arguably heightened incident reporting standard for financially regulated financial institutions (“FRFIs”). FRFIs must report any high severity technology or cybersecurity incident, irrespective of whether it involves personal information. A similarly high standard of incident reporting is required for IIROC members as of November 2019. There is potential for this enhanced breach-reporting trend to also spread to other sectors.

[See OSFI advisory, “Technology and Cyber Security Incident Reporting” (released Jan 2019, effective as of Mar 31, 2019); IIROC Notice No. 19-0195 (Nov 14, 2019); IIROC Dealer Member Rules (Nov 14, 2019) at 474-75, s.B.1.1.]

Note that, with the increase in breach reports, the OPC has found that the same infiltration tactics are often re-used within industries. For example: “fraud through impersonation, … where bad actors [convince] customer service agents … that they are an account holder … by drawing from publicly available information, information from other breaches, phished information as well as social engineering techniques.”

[See OPC, “A full year of mandatory data breach reporting: What we’ve learned and what businesses need to know” (Oct 31, 2019); OPC, “Reforming Canada’s privacy laws: Shifting from the whether to the how” (May 23, 2019).]

The fact that a breach was accomplished through a re-used tactic is typically not good for the organization involved. It may indicate poor internal security practices leading up to the breaceh. In litigation, such a finding is likely to increase the breached party’s risk exposure.

However, there is good news. An appropriate breach response may mitigate regulatory liability, to the point of reducing an OPC-levied fine to $0, or compelling the OPC to waive a fine altogether. If a fine is unavoidable, consider that the criteria to quantify a fine amount is not prescribed under PIPEDA. Counsel should therefore argue a lower fine amount on the basis of prior OPC cases, and the prescribed factors applicable in Europe.

[See Tucci v Peoples Trust Company, 2017 BCSC 1525 at para. 23; PIPEDA Report of Findings #2014-004 (Apr 23, 2014): “…the fact that a breach has occurred is not necessarily indicative of a contravention of [PIPEDA]. For example, an organization may have appropriate safeguards in place and still fall victim to a determined, clever and/or innovative attacker.”; GDPR, Art. 83(2).]

There also remains a lingering argument that mandatory breach reporting may be unconstitutional, on the basis of division of powers, and because self-reporting compels self-incrimination. These are not easy defences, but may be arguable options with the appropriate litigation counsel.

[See ETHI Committee Report, “Towards Privacy By Design…” (Feb 2018) at 13-14; HMTQ v. Rice, 2007 BCSC 1828 at paras. 8-10, citing cases on the constitutionality of self-reporting in the regulatory sphere.]

Finally, consider also that the early involvement of counsel—prior to a breach—may limit disclosure obligations with respect to the breach file. More specifically, in addition to the other benefits of retaining counsel early, an early retainer may enable counsel to bring all, or most, of the breach file within the scope of solicitor-client privilege.

[See R. v. McClure, 2001 SCC 14 at paras. 2, 5.]

In summary, big data counsel should be retained early for due diligence purposes, and to assess any post-breach legal obligations while positioning the organization to limit its liability and damage, and to limit any damage caused to third parties. As previously stated, that counsel should also liaise with the Public Relations team to limit reputational damage which may result from a breach.

IV. Other Types of Breach Litigation: Private, Class, Criminal, and Constitutional

(a) Available Grounds to Sue for a Breach

It is worth noting at the outset that damages are usually not awardable under PIPEDA, or most public-sector privacy statutes.

[Barbara von Tigerstrom, “Direct and Vicarious Liability for Tort Claims Involving Violation of Privacy” (2018) 96-3 Can. B.Rev. 539 at 545, 2018 CanLIIDocs 295.]

However, this is expected to change. A Parliamentary committee in late 2018 recommended that PIPEDA reforms include protections similar to those in the GDPR—which contains a private right of action against a controller or processor
for “material or non-material damage.”

[See ETHI Committee Report, “Democracy Under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly” (Dec 2018) at 72, Recommendation 20; GDPR, Arts 79, 82; OPC, “Privacy Law Reform - A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy” (Dec 10, 2019) at 13, 19.]

Moreover, California will soon permit private citizens to commence proceedings for data breaches without actual proof of damages, under the California Consumer Privacy Act (“CCPA”).

[See California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.150(a) (CLCD as of Dec 3, 2019).]

The CCPA’s requirement for devices to have “reasonable security”, along with a recently introduced federal bill to increase IoT security, further positions tech companies to expect private litigation in the event of a breach.

[See California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.91.04(a) (CLCD as of Dec 3, 2019); IoT Cybersecurity Improvement Act of 2019 (S.734 — 116th Congress (2019-2020), as of Dec 3, 2019). Note also the divided U.S. issue of post-breach standing without damages, examined by Arthur R. Vorbrodt in “Clapper De-throned: Imminent Injury and Standing for Data Breach Lawsuits in Light of Ashley Madison” 73 Wash. & Lee L. Rev. Online 61 (2016) at 65-70, 115-116.]

Furthermore, there is evidence that the CCPA is setting a de facto U.S. standard for privacy law. Microsoft recently declared an intention to honour the CCPA throughout the U.S. It is only a matter of time until the other major tech companies in the U.S. follow suit, out of practical necessity. Companies in Canada are expected to follow the same trend.

[See Julie Brill, “Microsoft will honor California’s new privacy rights throughout the United States” (Microsoft, Nov 11, 2019).]

In Canada, at present, even without a present right to sue for damages under PIPEDA, civil actions beyond PIPEDA may still be commenced. In fact, the very absence of a statutory basis to litigate under PIPEDA may, indirectly, support claims in tort and product liability. Courts have recognized “facts that cry out for a remedy” despite the non-application of PIPEDA, for example: when a defendant’s actions are “deliberate, prolonged and shocking.”

[See Jones v. Tsige at paras. 49-51, 69. See also von Tigerstrom at 546-49.]

Available privacy torts include intrusion upon seclusion, public disclosure of private facts (or images), and breach of confidence. Other possible causes of action include defamation, nuisance, negligence, and breach of contract. Any of these causes of action may be brought against an organization on the theory of vicarious liability.

Moreover, any of these causes of action may give rise to a class action, beyond the context of PIPEDA. In fact, corporations should expect class actions in reaction to a breach. As a matter of prosecution strategy, “the odds of plaintiffs recovering meaningful compensation will be greater if there is a defendant organization that will bear direct or vicarious liability, rather than an individual or unknown third party.”

[See Barbara von Tigerstrom, “Direct and Vicarious Liability for Tort Claims Involving Violation of Privacy” (2018) 96-3 Can. B.Rev. 539 at 562, 2018 CanLIIDocs 295.]

Criminal charges may also be laid for invasion of privacy, and where a public entity is involved, a breach may give rise to constitutional law claims.

A sampling of the above referenced causes of action, criminal infractions, and constitutional claims are discussed below, in greater detail.

(b) Intrusion Upon Seclusion

The tort of intrusion upon seclusion requires an intentional or reckless invasion of private affairs, that is unjustified under the law, highly offensive to a reasonable person, and causes distress, humiliation, or anguish. The term “highly offensive” effectively means that the tort only applies to significant invasions of privacy. Moreover, such invasion of privacy can occur in public spaces, for example while an individual is filmed jogging outside. Defences include freedom of expression and freedom of the press.

[See Jones v. Tsige, 2012 ONCA 32 at para. 71-73; Broutzas v. Rouge Valley Health System, 2018 ONSC 6315 at para. 138; Vanderveen v. Waterbridge Media Inc., 2017 CanLII 77435 at paras. 20-21 (ON SCSM).]

Note that, although this tort was recognized by an Ontario court, other provincial courts have acknowledged that the tort may be “federal common law”. There is therefore a good basis for assuming that this tort applies across Canada.

[See: Tucci v Peoples Trust Company, 2017 BCSC 1525 at paras. 44, 47-48.]

No proof of economic harm is required to establish intrusion upon seclusion. However, in the absence of economic harm, general damages will usually be capped at $20,000, with the possibility of additional aggravated and punitive damages in particularly egregious cases.

[See Jones v. Tsige at paras. 74-75, 87-88.]

The tort of intrusion upon seclusion is still evolving, including with respect to commercial adware operations and social media.

[See, respectively, Bennett v. Lenovo (Canada) Inc., 2017 ONSC 5853; Douez v. Facebook, Inc., 2018 BCCA 186, further appeal details forthcoming.]

(c) Public Disclosure of Private Facts and “Revenge Porn”

Damages are generally higher for public disclosure of private facts. This tort has given rise to damages of $100,000 in the “revenge porn” context.

[See Jane Doe 72511 v. Morgan, 2018 ONSC 6607 at paras. 86, 97-99, 146. See also Jane Doe 464533 v. N.D., 2016 ONSC 541 at paras. 58-63, with damages subsequently reduced in Doe v N.D., 2016 ONSC 4920 on procedural grounds, aff’d 2017 ONSC 127 at paras. 55-57.]

(d) Class Actions

With respect to class actions, an increase from the usual $20,000 cap on a per-plaintiff basis will be difficult to justify when:

• compensatory damages are not common to all class members; or
• there is no claimed method to calculate common compensatory damages.

[See the Tucci case at paras. 235, 257; Kaplan v. Casino Rama, 2019 ONSC 2025 at paras. 16, 56-57.]

However, even if damages are capped at $20,000 per plaintiff, “[a]n organization could face significant liability if a [large] number of individuals are affected....” The class size and infringement particulars are generally good initial indicators of a company’s maximum amount of loss, whether due to settlement or judgment.

[Barbara von Tigerstrom, “Direct and Vicarious Liability for Tort Claims Involving Violation of Privacy” (2018) 96-3 Can. B.Rev. 539 at 540-41, 2018 CanLIIDocs 295.]

For example, in a recent PIPEDA class action settlement, where each class member would receive only $150 to $175, the total approved settlement amount was $2.25 million. This quantum is rather modest for a class settlement, but is helpful for demonstrating the consequence of collecting too much personal information from many data subjects.

[See Haikola v. The Personal Ins. Co., 2019 ONSC 5982 at paras. 3-5, 20, 119(xi)-(xii), 121.]

(e) Vicarious Liability

Vicarious liability may also be claimed against a corporate defendant, whose employee/agent caused the breach or exposure of personal information. Such liability is generally established where the breach or exposure arises within scope of employment/agency.

[See Bazley v. Curry, [1999] 2 SCR 534 at paras. 41, 46; Evans v. The Bank of Nova Scotia, 2014 ONSC 2135 at paras. 19, 30, 93-96; Doucet v. The Royal Winnipeg Ballet, 2018 ONSC 4008 at para. 105.]

Case-specific facts are necessary to determine whether an agent has gone “rogue”, or is in fact acting within her agency. Consider the example of a bank employee accessing a particular customer account on an ongoing basis. The facts can determine whether such access serves a valid business purpose, or is actually unjustifiable “snooping”. The latter is a frequent trend among reported breaches to the OPC.

[See Jones v. Tsige at para. 50; Various Claimants v WM Morrisons Supermarket Plc (Rev 1), [2017] EWHC 3113 (QB) at paras 185-86, 193-94; OPC, “A full year of mandatory data breach reporting: What we’ve learned and what businesses need to know” (Oct 31, 2019); OPC, “Privacy Law Reform - A Pathway to Respecting Rights and Restoring Trust in Government and the Digital Economy” (Dec 10, 2019) at 53; OPC, “Ten tips for addressing employee snooping” (Mar 31, 2016).]

Furthermore, vicarious liability may be just the beginning of an organization’s legal battle. The facts giving rise to vicarious liability may also support other claims. For example, breach of contract, breach of fiduciary duty, breach of good faith, emotional suffering and inconvenience, and unjust enrichment.

[See Evans v. The Bank of Nova Scotia, 2014 ONSC 2135 at paras. 35-63.]

(f) Criminal Privacy Offences

There may also be criminal consequences for surreptitiously recording—or simply observing—nude or sexual material when a reasonable expectation of privacy is present.

[See Criminal Code, s.162(1).]

Such a case is easier to defend where the observation or recording was incidental to a lawful purpose. On the other hand, a defence becomes more cumbersome when the privacy interests of children are involved, or a recording discloses the use of “zooming” or other “eavesdropping technology”.

[See R. v. Jarvis, 2019 SCC 10 at paras. 20-23, 28-34, 81, 86-91, 116, 131-33, 139; R. v. Trinchi, 2019 ONCA 356 at para. 46, 59; R. v. Rudiger, 2011 BCSC 1397 at paras. 77, 93-95.]

Because the criminal privacy offence can apply outside of traditionally “private” spaces, businesses should carefully consider how their surveillance practices impact their overall legal risk. One issue to continue watching is whether an agent can provide consent for a data subject, for example: a condominium manager providing consent on behalf of condominium residents to be recorded.

[See R. v. Brewster, 2016 ONSC 8038 at paras. 39-40, 45-65 re no Charter violation for warrantless installation of hallway cameras in condominium building, with brief consideration of consent to install cameras provided by condominium management.]

(g) Constitutional Law

In the public sector, privacy claims can also challenge constitutional rights. Namely, the freedom of expression; the right to life, liberty, and security of the person; and the right to be secure against unreasonable search or seizure.

[See Canadian Charter of Rights and Freedoms, ss.2(b), 7, 8.]

A couple counter examples involve cameras installed by police in condominium common spaces, and the collection of evidence in online “sting operations” against child predators.

[See R. v. Brewster, 2016 ONSC 8038 at paras. 55-65; R. v. Jarvis, 2019 SCC 10 at paras. 57-68; R. v. Mills, 2019 SCC 22 at paras. 24, 28-30, 41-45, 53-56.]

(h) Insurance Coverage

Cyber insurance coverage may also become the subject of dispute, between a breached organization and its insurer. Alternatively, directors’ and officers’ insurance coverage may be disputed. These kinds of disputes were discussed in subsection II of Chapter 3.

V. Conclusion

Breach compliance and litigation often involve complicated questions of law, contentious questions of fact, and a legal mind focused on ongoing strategy. Breach counsel should be familiar with data governance models, compliance mechanisms, regulatory risks, and the relevant causes of action. Litigation experience against regulatory bodies is also beneficial. In the context of reviewing or disputing an insurance agreement, counsel should also know the relevant insurance law principles, and preferably have practical experience litigating against insurers.