British Columbia’s courts need to take a close look at the question of whether the province has a tort for breach of privacy, an appeal court judge suggested in a recent decision arising from a data breach at a Vancouver-based financial institution.
“Today, personal data has assumed a critical role in people’s lives, and a failure to recognize at least some limited tort of breach of privacy may be seen by some to be anachronistic,” Justice Harvey Groberman wrote for the B.C. Court of Appeal in Tucci v. Peoples Trust Company, released Aug. 31.
As a result of the Tucci ruling, a class-action lawsuit against Peoples Trust can be certified. Allegations that Peoples Trust is liable in any way for a breach have not been proven in court.
Gianluca Tucci and Andrew Taylor are listed as representative plaintiffs.
The Aug. 31, 2020 ruling does make some changes to an earlier class-action certification order released in 2017. However, the defendant trust company lost its bid to have the lawsuit thrown out of court.
One key finding from the original 2017 decision by Supreme Court of B.C. Justice David M. Masuhara still stands, however: Breach of privacy and intrusion upon seclusion are not torts in B.C.
But the main reason why this was not overturned on appeal is because the plaintiffs suing People’s Trust did not raise this on appeal. “The interesting question of whether the law needs to be rethought will have to await a different appeal,” Justice Groberman wrote for the B.C. Court of Appeal in its recent unanimous ruling in Tucci.
In his decision, Justice Groberman cited Jones v. Tsige, released in 2012 by the Court of Appeal for Ontario. In that case, the Court of Appeal for Ontario created a new tort in Ontario, said Patrick Hawkins, a lawyer with Borden Ladner Gervais LLP, during a 2016 presentation to the Property Casualty Underwriters Club. Hawkins was commenting in general on cyber risk and not on the class-action lawsuit against Peoples Trust in B.C.
“Unlike traditional tort law, or traditional civil law and civil damages, proof of harm to a recognized economic interest is not required,” Hawkins said of Ontario law in 2016 of Jones v. Tsige. “So you are not required to prove that somebody has actually suffered damage. Just because you are a little bit annoyed and somebody has looked at your private records, that can be a circumstance where we award damages.”
It may be argued that the new tort in Ontario carries the potential to expand the liability exposure of a business in the instance of a cyber breach.
The class-action in B.C. against Peoples Trust arose from a breach in 2013, when cyber-attackers located in China accessed one of Peoples Trust’s databases. The cyber criminals obtained personal information – including names, addresses, email addresses, telephone numbers, dates of birth, social insurance numbers, occupations, and, in the case of credit card applicants, their mothers’ birth names – of Peoples Trust clients.
As it stands, the plaintiffs in the class action against People’s Trust can still argue the financial institution is liable for breach of contract and negligence, which are not the same as intrusion upon seclusion.
Originally in 2017, B.C. Supreme Court Justice Masuhara said one of the questions for the class action suit would be whether a class member’s nominal damages can assessed in the aggregate. That wording could cause confusion, the appeal court ruled in 2020. Therefore, the question is now re-worded to ask whether a part of the class members’ damages be assessed in the aggregate.
Another change on appeal – in favour of the defendant – was on how non-residents who are class members would be treated. Originally, in 2017, both B.C. residents and non-residents would be certified as class members unless they opted out. As a result of the appeal ruling, the issue of whether the non-resident sub-class follows an opt in or opt out model be now has to be considered by the Supreme Court of B.C.
Feature image via iStock.com/baona