Previous Dentons Data blog posts have explained the application of privacy laws during this pandemic (see here and here) – hint: they still apply. This post builds on that and addresses the privacy litigation risks associated with any failures to comply with these laws, even – and especially – during this pandemic. We ask: What does COVID-19 mean from a privacy litigation risk perspective, and what can companies do to mitigate that risk?
The Litigation Landscape: Where were we before COVID-19?
Following the Court of Appeal for Ontario’s 2012 decision in Jones v. Tsige, establishing the tort of intrusion upon seclusion, there has been a proliferation of class actions relating to alleged privacy breaches. This is especially so over the past few years. While most of these cases have not proceeded to merits hearings, many have already been certified, at least in part. There are some notable exceptions (for example Kaplan v. Casino Rama and Broutzas v. Rouge Valley Health System, where the common issues and preferable procedure requirements were not satisfied).
This is to say that even prior to COVID-19, there was a class action litigation risk from a privacy perspective. Those risks generally stem from three types of events:
- external data breaches by malicious actors (cybercriminals, foreign states, etc.);
- employee privacy incidents, which include both (a) employee loss of data, for example a lost or stolen storage device; and (b) rogue employees who have used company data for their own purposes or gain; and
- collection or disclosure of personal information without consent (for example, where information collected by one party is shared with another without consent or use of personal information for marketing campaigns or other uses unconnected with the original purpose for collection).
COVID-19: What now?
We expect that this trend of privacy litigation and class actions will continue, particularly given the additional risks arising from COVID-19. These risks mirror the three categories of risks outlined immediately above.
The first reason behind the increased risk is the rise in malicious and unlawful online activity (hacking, phishing attempts, etc.). The Canadian Centre for Cyber Security is warning of increased phishing attempts and hackers looking to exploit the new environment, and of increased risk to Canadian health organizations of cyberattacks. Outside of Canada as well, Interpol has warned of malicious actors targeting hospitals during the COVID-19 pandemic by locking them out of their IT systems in order to obtain ransom payments.
In addition, many organizations set up working-from-home arrangements extremely quickly, given the speed with which governments moved to lock down physical work spaces. In some cases, the technology supporting working-from-home was not thoroughly tested, or was unfamiliar, poorly understood, or incorrectly deployed, creating risk to organizations from outside actors.
Secondly, the risk resulting from employee adherence (or lack thereof) to company privacy practices and policies is amplified in our new work-from-home environment. With many people now working from home, more is being done virtually, leading to more data and information being available online, and therefore increased opportunities for issues to arise (whether mistakenly or intentionally). Laptops, storage devices and hard copy documents are now all located in someone’s home or shared space, and not in a secure work environment. This leads to increased reliance on employees to make sure that they are taking care (for example, using passwords for work-related videoconferencing, saving documents to a secure drive, and not using personal email accounts for work matters, particularly where sensitive information is involved).
Finally, personal information that is being collected by certain companies and industries – for example, geolocation data available from cell phones – may be relevant to managing the health crisis. Companies with helpful health information may be asked by government authorities to share this information. Those companies will need to consider whether they are required by law to do so (which may depend on what further legislation may be passed as a result of the emergency) and, if not, whether they have consent to share that information.
Fast Movers: What new privacy litigation is there?
We have already started to see privacy litigation arising from our new environment. Two class actions were commenced in early April against the videoconference platform Zoom in the United States, alleging that the platform shared user information with third parties (without consent) and made misstatements about the platform’s security features, including about end-to-end encryption.
In one case, the plaintiffs allege that the platform violated the California Consumer Privacy Act on the basis that the platform did not comply with the requirement to implement reasonable security procedures and give consumers notice before collecting and distributing personal information when it allegedly shared information with a third party. The plaintiffs also alleged that the platform’s business practices violated the California Consumers Legal Remedies Act and California Unfair Competition Law – namely by misrepresenting the app’s characteristics, uses and quality.
Zoom has already responded publicly to criticism it has received and has reportedly taken a number of actions, including creating an advisory council, focusing all development work on security (as opposed to new features), and clarifying encryption status.
However, the United States plaintiffs’ bar has been quick to act on privacy and consumer protection-type issues, and we expect the Canadian bar to follow suit. While Canadian privacy legislation differs from the California statute, we still expect to see “copycat” litigation grounded in the federal and provincial statutes and the intrusion upon seclusion tort.
Action Items: What can you do?
It is not all doom and gloom. Companies can do a lot on the front end to mitigate risk, including:
- ensuring appropriate security measures are implemented, reviewed and documented;
- drafting and implementing privacy policies and training employees so that they know how to comply with those policies, and educating employees on various potential external threats or scams;
- retaining access logs to see who has accessed a file;
- monitoring networks for suspicious activity; and
- collecting only the personal information that is reasonable and necessary for the purpose stated, and not retaining data longer than necessary.
These are just some of the steps that can assist in preventing a privacy breach, and in mitigating litigation and damages risk in the event a breach occurs by allowing companies to show that they took reasonable steps to protect any personal information they have collected. Dentons can assist organizations with reducing overall risk of litigation and regulatory intervention, and with mitigating exposure in the event of a data incident.
For more information about Dentons’ data expertise and how we can help your business manage privacy and information during the COVID-19 pandemic, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business.