British Columbia Court Of Appeal Upholds Certification Of Data Breach Class Action

• Published date: 15 September 2020
• Subject Matter: Litigation, Mediation & Arbitration, Privacy, Privacy Protection, Class Actions, Trials & Appeals & Compensation
• Law Firm: Miller Thomson LLP
• Author: Mr David Krebs

Following in the footsteps of Jones v. Tsige from the Court of Appeal for Ontario in 2012, the recent British Columbia Court of Appeal decision in Tucci v. Peoples Trust Co. (2020 BCCA 246) appears to be solidifying the future of a common law tort of breach of privacy in Canada. Based on the facts and the appeal, the Court did not feel it was required to ultimately decide whether or not the tort of breach of privacy (or "intrusion upon seclusion") exists in British Columbia, but the decision signalled that a future data breach case may lead to reconsideration of this issue.

The Court made specific note that the issue poses an "interesting question" for a future appeal and that the law may need to be rethought in this respect. The Court recognized a changing attitude towards the importance of information in today's society, stating: "personal data has assumed a critical role in people's lives, and a failure to recognize at least some limited tort of breach of privacy may be seen by some to be anachronistic."

It also of interest in that it touches on the complexities of making a determination of whether limitation of liability clauses in website terms of use cover negligent data exposure.

What happened?

People's Trust Co. is a federally regulated financial services business based in British Columbia. For that reason, the federal Privacy Commissioner had jurisdiction over the data breach.

The basis for the claim was a data breach suffered by the defendant, which impacted the personal information of over 12,000 customers. Social insurance numbers, contact information and dates of birth were all kept in a database that had not been protected by encryption. The defendant also had failed to install certain software updates and patches. This was said to have created vulnerabilities that were exploited by cyber attackers operating out of China.

People's Trust Co. had made a timely report on the breach to the federal Privacy Commissioner's Office ("OPC") and notified individuals in accordance with applicable federal law, the Personal Information Protection and Electronic Documents Act ("PIPEDA"). Based on the report, the OPC initiated an investigation into the matter. The OPC recommended certain enhancements and mitigative measures. The OPC noted numerous deficiencies in the program of the defendant, which are published in PIPEDA Report of Findings #2015-007, including the lack of: "(i) adequate safeguards in the development, implementation and redesign of its...