Failing to adequately safeguard data results in $3.44M settlement

By Tony Poland, LegalMatters Staff • Organizations that fail to adequately safeguard their clients’ personal information risk financial and reputational consequences, says Toronto class action lawyer Margaret Waddell, whose firm helped negotiate a $3.44-million settlement in a cyber hacking case.

Waddell Phillips Professional Corporation, along with Howie, Sacks & Henry LLP and Schneider Law Firm, launched a class action after a privacy breach was announced by CarePartners in June 2018.

The claim alleged that cyber attackers were able to exploit “inadequate and outdated security systems” to extract data containing the personal and health information of thousands of patients and staff. The data consisted of detailed medical records and included financial and contact information, as well as details about patients’ daily lives, workplaces, families and homes.

At the time of the cyberattack, the health-care provider had records relating to about 237,000 patients in its computer system.

Settlement will go to Superior Court for approval

On Nov. 18, CarePartners agreed to pay up to $3.44-million to settle the case. The proposed settlement will go before the Ontario Superior Court in February for approval.

“These cyber hacking cases have become so common. Organizations need to be vigilant,” Waddell tells LegalMattersCanada.ca. “Especially those in the health-care industry, which is known to be a prime target for hackers. Health-care providers, in particular, need to be aware of the risks associated with storing sensitive data and the need to protect their clients’ privacy. 

“This is highly sensitive information. It is health information that, in the cybercrime world, has much more value than something like a credit card because you can change a credit card. You cannot change your health history.” 

She says hackers demanded a ransom after CarePartners’ security system was breached. The health-care provider refused to pay, so the hackers released information on as many as 80,000 individuals to CBC News. The information that was accessed by the hackers may have included detailed medical and employment records along with financial and personal contact information.

Waddell says what made reaching a settlement in this case a challenge is the fact that law “is in a state of flux.”

‘Necessary to prove that there has been a consequential loss’

“While it is not that onerous to prove if corporations have been negligent with respect to their security practices and how they were storing data, the court has recently suggested that it is also necessary to prove that there has been a consequential loss sustained by the clients whose information was stolen in order to establish negligence,” she says.

Waddell points to Owsianik v. Equifax Canada Co., a cybersecurity class-action lawsuit currently before the courts that could be a catalyst for defining and expanding the interpretation of the tort of intrusion upon seclusion – which is not encumbered with the requirement to prove loss arising from the privacy breach.

At issue in that case is “the question of whether a claim for intrusion upon seclusion can succeed against the collectors and custodians of private information,” according to court documents.

Earlier this year, an Ontario Divisional Court panel overturned the certification of the case on the question of whether the defendant could be liable under the intrusion upon seclusion tort. The issue is now headed to the Ontario Court of Appeal.

Tort cannot be used against a hacked company: court

Waddell explains that the argument accepted by the majority of the Divisional Court suggests that people whose information was stolen, but who cannot prove they suffered any immediate pecuniary loss connected to the hack, may not be able to hold the organization storing the data accountable for the breach of privacy. The Divisional Court decision says the affected individuals cannot use the tort of intrusion upon seclusion against the hacked company.

“In Equifax, the court said no, that tort does not apply in the case of a third-party hacker because it was the hacker that did the intruding upon seclusion. Not the holder of the information,” Waddell says.

The problem with the way the tort is being interpreted, she says, is that a hacker may not use or sell the personal information for years to avoid law enforcement detection.

“The victims of these hacks can remain at risk long after the information was stolen,” Waddell says. “These people are faced with possible future consequential loss. They may be subjected to fraud or may have to take extraordinary measures to protect their privacy. The court’s analysis also fails to appreciate the inherent damage to the individual when their privacy is breached.”

The law “needs to expand to catch up with modern society,” Waddell says.

‘We need to expand the tort definitions to keep up with the times’

“When intrusion upon seclusion was created 100-plus years ago there was no internet. There was no hacking,” she says. “There was nothing like this ability of third-party bad guys to come in and steal data. And quite frankly, that data didn’t have the value that it has now. We need to expand the tort definitions to keep up with the times.”

Waddell says organizations entrusted to safeguard clients’ information must be held responsible for inadequate security or failing to make an effort to stay ahead of the hackers.

“They are the ones who are ultimately responsible for keeping the data secure,” she says. “It is not unlike a garage owner who’s repairing a car then leaves it out on their lot with the keys in the ignition. If it gets stolen, they are going to be held responsible for the theft. It is completely the same thing with data.”

Waddell says those who collect sensitive personal information should not be “so sanguine to think that just because the law is in a state of flux that they aren’t at risk of a class action when their conduct falls below an acceptable standard” during a security breach.

“They are still going to be held to account,” she says. “There have been so many warnings out there, particularly to health-care providers, about the need to be completely vigilant that you would hope that they would be on the top of their game. Maybe this settlement will help to remind other organizations that there are consequences to a hack besides the loss of their clients’ data.”
