Privacy Breach By Your Rogue Employee: Are You Liable?

Collecting, storing, and using personal information is often the key to developing and delivering individualized products and services in our current economy. As consumers, businesses, and service providers alike become increasingly comfortable using electronic platforms to exchange or store personal information, reports of privacy breaches seem to be on the rise. It is not only the outside hackers that are contributing to these increasing reports, but also employees who have clearly gone rogue.

So what happens if your organization or business gets hacked, or worse yet your employee goes rogue and breaches privacy while in your employ? Can you get sued for breach of privacy where the breach occurs as a result of the unauthorized acts by your employee? How would the Office of the Information and Privacy Commissioner ("OIPC") respond to such an unfortunate situation, and what are the potential ramifications for your business or organization?

Consequences that the Court and the Privacy Commissioner Can Impose for Breach of Privacy

In British Columbia, the Privacy Act, RSBC 1996, c. 373, establishes a statutory cause of action for a breach of privacy. The British Columbia Court of Appeal has confirmed that there is no co-existing common law tort of breach of privacy in British Columbia.i

What this means is that a person whose privacy is breached in British Columbia, either by someone they know or by a stranger, has a right to sue only if the breach meets the elements of the statutory tort set out in the Privacy Act. While persons will not have to prove that they have suffered harm as a result of the breach, they will have to prove that the breach was wilful, without claim or right, and violated their reasonable privacy expectations.

This limited statutory cause of action differs from what may be available in other provinces. Some other provinces have introduced the common law tort of intrusion upon seclusion, which was recognized by the Ontario Court of Appeal in Jones v. Tsige, 2012 ONCA 32. This common law cause of action for breach of privacy is more inclusive as it covers acts that are not only intentional, but acts that are reckless.

In addition to the risk of being sued for breach of privacy in the courts, there is the risk of being subjected to investigation by the OIPC. The OIPC is responsible for providing independent oversight and enforcement of BC's privacy laws, including the Personal Information Protection Act, SBC 2003 c. 63 ("PIPA"), which protects and governs personal information in the private sector. When PIPA was introduced in British Columbia, the legislature recognized that individuals have a right to protect...