The tort of intrusion upon seclusion, as set out by the Ontario Court of Appeal in Jones v Tsige, requires the defendant’s conduct to be intentional, or, at a minimum, reckless. The question is: at what point does the failure of an organization’s security safeguards amount to recklessness? This was the question addressed by the Ontario Superior Court of Justice in the recent case, Wilson-Flewelling v Queensway Carleton Hospital, 2019 CanLII 65155 (ON SCSM) (“Queensway Carleton Hospital”).
The court heard that the Plaintiff, Ms. Wilson-Flewelling, had attended the defendant hospital (“Hospital”) to book a surgical procedure, that the Hospital’s medical office administrator had left a completed surgical booking package in the Hospital’s dedicated, locked drop box, and that the Plaintiff had unexpectedly received the package in the mail a week later. None of the hospital staff could account for how the package ended up being returned to the Plaintiff. The Plaintiff claimed for intrusion upon seclusion. The Hospital denied both that it had received the package in its drop box, and that it had improperly disclosed the Plaintiff’s personal health information.
The Judge found, on the balance of probabilities, that the Hospital had received the records. Nevertheless, the Judge dismissed the Plaintiff’s claim for intrusion upon seclusion, noting that the mysterious disappearance and reappearance of the package was a “single act of inadvertence” insufficient to prove recklessness. The Judge also took the Hospital’s protocol for handling booking records into account, noting that the protocol did not create an obvious and serious risk, was not a marked departure from the norm, and otherwise worked well for the 50 to 60 doctors using it on a regular basis.
The recklessness threshold
Canadian courts have struggled to identify at what point the failure of an organization’s security safeguards amounts to recklessness. With that said, the decision in Queensway Carleton Hospital follows a number of class action certification decisions that provide some insight. These decisions should be read with the caveat that the threshold in a certification motion is a low one; the court may only dismiss a motion if it is plain and obvious that the plaintiff’s claim fails to disclose a reasonable cause of action.
In Condon v Canada, 2014 FC 250 an unencrypted hard drive containing the personal information of over 500, 000 student loan applicants disappeared from the office of the Minister of Human Resources and Skills Development Canada. The Federal Court heard that the Minister’s information technology staff had failed to follow its internal policy by not securely deleting the information from the drive and leaving it unattended in an unlocked cabinet for months. The court certified the class action.
In Canada v John Doe, 2016 FCA 191 Health Canada sent correspondence to around 40, 000 individuals registered in the Marihuana Medical Access Program (“Program”). Breaking with prior practice, the envelopes were visibly marked with a return address to the Program, thereby revealing each individual’s participation in the Program. Reversing the motion judge’s order certifying the intrusion upon seclusion suit, the Federal Court of Appeal held that Health Canada’s conduct did not amount to recklessness, and was, at best, an “isolated administrative error.”
In Tucci v Peoples Trust Company, 2017 BCSC 1525, cybercriminals hacked the defendant trust company’s systems and stole the personal information of over 11, 000 of its clients. The defendant reported the breach to the Privacy Commissioner, which subsequently launched an investigation. The Commissioner found that the defendant had not implemented sufficiently strong safeguards in developing its online portal, had not implemented a comprehensive information security policy, and had neglected to identify and address evolving digital vulnerabilities and threats. On this last point, the Commissioner noted that the result was the storage of unencrypted duplicate customer information on a web server that had not been updated to address a well-known vulnerability – and that this information was compromised during the breach. The British Columbia Supreme Court acknowledged that while it may have been “a stretch” to describe the defendant’s conduct as reckless, it was nonetheless not plain and obvious that the plaintiffs’ claim would fail, nor that the breach would not be attributed to the defendant. The court certified the class action.
Takeaways for business
First, Canadian courts have shown a tendency to situate a breach within a defendant’s broader information-handling practices. If an organization can demonstrate that it has implemented information-handling practices that conform to industry standards, it appears to be less likely that a court will find a single breach to be the result of recklessness. The opposite may be true when an organization has failed to do so. Organizations that do not have a robust privacy program (or are not sure about the status, currency or content of their privacy program) should consider reviewing their current efforts against legislative requirements, industry norms and third party standards.
Additionally, where an organization has established safeguards in the form of internal policies and procedures, its failure to follow those policies may weigh towards a finding of recklessness. Organizations should consider regular audits of their practices against their policies – staff turnover, reorganizations, or changes is governance can mean established, approved processes evolve in ways that are not helpful to the organization.
Finally, these decisions indicate that recklessness may have a temporal component. A court may be less likely to view an organization as reckless if its security safeguards suffer an isolated failure, rather than a failure that takes place over months or is systemic in nature.
For more information about Denton’s data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, and training.