BCSC: No private law duty of care exists for breach of FIPPA: Not every personal data breach caused by negligence results in liability
As personal information becomes more and more valuable to businesses and malefactors alike, the unauthorized access, use, and theft of such information is becoming increasingly prevalent. Private and public organizations are subject to statutory mandates with respect to the protection and safeguarding of personal information in their control. However, even when organizations meet or exceed those standards, they simply cannot prevent all breaches.
In a recent decision dismissing an application for certification of a proposed class action, the British Columbia Supreme Court considered whether individuals whose personal information was involved in a malicious data breach had a cause of action against the public body that suffered the breach. In particular, and among other alleged causes of action discussed below, the Court examined whether the affected individuals were able to advance a cause of action in negligence for the public body’s alleged failure to implement its statutorily mandated security requirements under the British Columbia Freedom of Information and Protection of Privacy Act (“FIPPA”). FIPPA applies to public bodies.[1]
In rejecting the plaintiffs’ certification application, the Court held that there is no nominate tort nor private law duty of care based on a breach of s. 30 of FIPPA. Citing previous case law, discussed in more detail below, the Court confirmed that since FIPPA contains a “comprehensive statutory framework for dealing with conduct breaching s. 30 of FIPPA” and does not create a private right of action in damages for breach of its provisions, a duty of care should not be recognized on public policy grounds.
While individuals may not be able to advance civil claims in negligence for breaches of s. 30 of FIPPA (the requirement to take reasonable measures to secure and protect personal information), public bodies that fail to meet this obligation remain subject to investigations, orders, and penalties issued by the Information and Privacy Commissioner for British Columbia.
This case follows a recent trend in private sector class action litigation where courts in certain jurisdictions are raising the bar for certification of a class action in the context of a data breach. For example, courts in Alberta, Quebec and Ontario have all refused to certify a class where the third party bad actor was the main cause of the breach. The recent case authorities continue to demonstrate that it will be difficult to certify a class without sufficient evidence of actual harm.
In December 2020, a public body experienced a data security breach. The security breach was the result of a ransomware attack following a successful phishing attempt on one of its employees. As a result of the security breach, cybercriminals were able to obtain access to the personal and other sensitive information about some of the public body’s current and former employees, and certain third parties. Some of that information was also copied and extracted from the public body’s systems.
For a proceeding to be certified as a class proceeding, the plaintiff must establish:
- That the pleadings disclose a cause of action;
- that there is an identifiable class of two or more persons;
- that the claims of the class members raise common issues;
- that a class proceeding would be the preferable procedure for the fair and efficient resolution of the common issues; and
- that there is a representative plaintiff who: (i) would fairly and adequately represent the interests of the class, (ii) has produced a plan for the proceeding, and (iii) does not have a conflict of interest with other class members.
The Court’s decision focused on the first of these criteria: whether a cause of action had been disclosed. In making its assessment, the Court considered whether it was “plain and obvious” that the plaintiffs’ claims could not succeed. For the following reasons, the Court found that the plaintiffs’ claims did not satisfy the certification requirements, and dismissed the application.
Violation of privacy
Section 1 of the Privacy Act establishes a statutory tort for violation of privacy, where a person wilfully, and without a claim of right violates the privacy of another.
The Court concluded that the word “wilfully” does not apply broadly to any intentional act that has the effect of violating privacy. Rather, it applies more narrowly to the intention of the person doing the violating act. The Court further concluded that “without a claim of right” means an honest belief in a state of facts which, if it existed, would provide a legal justification or excuse.
Since this statutory tort requires that the person who violates privacy have a certain state of mind, the Court found that, in the circumstances of a data security breach resulting from a cyberattack by a third party, it is not the acts of the custodian of the data (whether negligent or even reckless) that violate privacy, but rather, and only, the acts of the third party hacker.
The Court noted that the crux of the plaintiffs’ allegations was that the public body failed to adequately protect and prevent unauthorized access to the personal information subject to the data breach. The Court pointed out that there was no pleading that the public body handled the information without an honest belief that it was entitled to do so, or was otherwise doing so in non-compliance with applicable laws. Importantly, the Court held that alleged careless conduct is not a wilful breach of privacy. Ultimately, the Court found that it was the hacker that wilfully violated the plaintiffs’ privacy, not the public body, and, as a result, the plaintiffs’ statutory privacy tort claim against the public body was bound to fail.
A cause of action in negligence requires the plaintiff to establish that:
- the defendant owed the plaintiff a duty of care;
- the defendant’s behaviour breached the standard of care;
- the plaintiff sustained damage; and
- the damage was caused by the defendant’s breach.
The Court focused on the first of these criteria: the existence of a duty of care.
As the plaintiffs failed to establish that the pleadings disclosed a cause of action, the application for certification was dismissed.
As a result of this decision, public bodies appear insulated from claims in negligence alleging that the public body failed to meet the requirements of FIPPA in the context of a data breach. The primary recourse for such failures remains the complaint, investigation, and order procedures established by FIPPA and managed by the Office of the Information & Privacy Commissioner for British Columbia (the “Commissioner”). It appears that the courts are directing individuals seeking remedies for damages resulting from a cyberattack to focus their efforts against the cybercriminals themselves rather than the public body, which also suffered from the attack. Recognizing that it is becoming increasingly difficult to identify such cybercriminals, one wonders what responsibility the organization bears to assist the plaintiffs in identifying the cybercriminals for that purpose. For more information on the options available to such wronged parties, please see our related article regarding the use of Norwich orders in Canada to unmask wrongdoers.
However, even though the Court dismissed the application for certification in this case, it is important to note that public bodies are not completely relieved of all liability for privacy and data security breaches. For example, organizations may face vicarious liability where an employee of the organization intentionally and wrongfully violates an individual’s privacy. As such, it is important for organizations to establish and implement data security policies and procedures, and to ensure that employees and personnel who have access to personal and sensitive information are trained and monitored for compliance with those policies and procedures.
We also note that private sector businesses governed by British Columbia’s Personal Information Protection Act (“PIPA”) are unlikely to be afforded the same protection as public bodies, as PIPA does create a private right of action. Per s. 57 of PIPA, once the Office of the Information and Privacy Commissioner (“OIPC”) issues a final order determining that an organization has breached an individual’s privacy rights under PIPA, the individual can commence a civil action to claim damages for actual harm suffered.
In summary, all public and private sector organizations should prudently protect the personal information in their custody or control. That said, this decision aligns with the recent trend against certification of a class action where the actual nefarious actor is a third party hacker.
[1] Public bodies are (a) a ministry of the government of British Columbia, including, for certainty, the Office of the Premier, (b) an agency, board, commission, corporation, office or other body designated in, or added by regulation to, Schedule 2, or (c) a local public body (including local government, health care, social services and educational bodies, and certain professional governing bodies), but not (d) the office of a person who is a member or officer of the Legislative Assembly, or (e) the Court of Appeal, Supreme Court or Provincial Court.