
Stolen Customer Data Results in Ontario's First Certified Privacy Class Action

June 12, 2014

Written By Michael J. Paris

Businesses that collect personal information have an added incentive to monitor employees handling customer data – Ontario's first class action arising from the new tort of "intrusion upon seclusion" was certified last week.1

In Evans v Bank of Nova Scotia, the plaintiffs sought to certify a class action against the bank and one of its employees, Richard Wilson, who provided private and confidential information about the bank's customers to third parties in an identity theft scam foiled by Calgary Police.

The Breach

Wilson was employed by the bank as a Mortgage Administration Officer and in that role had access to highly confidential customer information. The bank was alerted to a potential privacy breach involving Wilson by Calgary Police, who had recovered several personal profiles of the bank's customers in the execution of a search warrant. The profiles identified Wilson as the individual who had accessed and printed the customer profiles, and Wilson later confessed to improperly accessing and disseminating that information.

The bank ultimately identified 643 customers whose files were accessed by Wilson during the relevant period (the Notice Group). To date, 138 members of the Notice Group have advised the bank that they have been victims of identity theft and/or fraud. The bank provided individual compensation to every customer who identified losses arising from the data breach (fraudulently obtained credit cards, unauthorized purchases, account takeovers etc.) and offered a complimentary subscription to a credit monitoring and identity theft protection service to all members of the Notice Group.

The Action

The plaintiffs claim damages from the bank and Wilson for, among other things, breach of contract, negligence, waiver of tort and the tort of intrusion upon seclusion. The plaintiffs claim that the bank is vicariously liable for the actions of its employee, Wilson.

The court's certification of the intrusion upon seclusion claim is the first of its kind, but likely a harbinger of things to come as the courts are confronted with the fallout from large-scale breaches of privacy and data theft.

The tort itself was recently established in the 2012 decision of the Ontario Court of Appeal in Jones v Tsige2 and its elements were described in that case as follows:

The key features of this cause of action are, first, that the defendant's conduct must be intentional, within which I would include reckless; second that the defendant must have invaded, without lawful justification, the plaintiff's private affairs or concerns; and third, that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. However, proof of harm to a recognized economic interest is not an element of the cause of action.

Notwithstanding that the judge did not consider the tort to yet form part of the settled law of Ontario, the claim was certified on the basis that it was not "plain and obvious" that such a claim could not succeed against the bank under a theory of vicarious liability.3

The Importance of Employee Oversight

Although the bank was quick to offer preventative measures for all members of the Notice Group and compensation to the members directly affected, the bank also acknowledged a complete lack of oversight of its employees, including Wilson, with regard to the improper access to personal and financial customer information. Though the bank was not directly involved in the improper access of customer information, the theory of vicarious liability "is strict, and does not require any misconduct on the part of the person who is subject to it."4

Certification does not involve a consideration of the merits of the case and we await the trial outcome (should there be one) to further understand the scope of the tort. As well, it is unclear what damages will be assessed if there is a finding of liability at the merits stage of the proceeding. Nevertheless, the decision provides an added incentive for employers to monitor the activities of their employees in the use of employer technology. As set out in earlier client updates, proactive monitoring can not only diminish the employee's reasonable expectation of privacy over "on the clock" personal use, but can also reduce the likelihood of privacy breaches involving customer information that may now result in class action exposure. Employers should continue to monitor the evolving developments in this area.

For assistance in reviewing or developing policies and procedures to ensure your company is able to effectively review and monitor employee activity on your electronic systems, please contact members of our employment services practice.

Notes

  1. Evans v Bank of Nova Scotia, 2014 ONSC 2135 [Evans].
  2. Jones v Tsige, 2012 ONCA 32.
  3. Supra, Evans at para 30.
  4. Supra, Evans at para 23.
