Privacy & Data Management Blog

The BC Court of Appeal (“BCCA”) has indicated a clear shift in its approach to cyber-breach cases that will encourage class-action litigation.

Until now, plaintiffs in British Columbia were generally precluded from advancing privacy tort claims against custodians of personal information that were victims of a criminal cyber attack because the Privacy Act required a “wilful” violation by the custodian.^[1] In a recent decision, the BCCA revisited the concept of “wilful” in the Privacy Act and said it is not plainly obvious a custodian’s failure to protect personal information is insufficient to meet the test of “wilful” under the Privacy Act.  As a result, individuals whose private information is accessed by a third-party hacker can now go to trial alleging the data custodian was reckless in securing their information.^[2]

The impact of this case will be significant for litigation as well as how organizations should address their privacy and cyber-security programs.

Background

TransLink’s network was hacked in December 2020. Over 39,000 individuals were affected, including employees and certain customers with a disability. Cybercriminals demanded a $6M ransom. Following the incident, TransLink provided affected individuals with credit monitoring and fraud protection.

The plaintiffs sought to certify a class-action lawsuit against TransLink.  One of the main claims was breach of privacy under the Privacy Act, which says: “it is a tort, actionable without proof of damages, for a person, wilfully […] to violate the privacy of another”.^[3]

The plaintiffs argued TransLink recklessly failed to safeguard their personal information and this amounted to a breach of the Privacy Act. The plaintiffs relied on TransLink’s obligations under the Freedom of Information and Privacy Protection Act (“FIPPA”). Section 30 of FIPPA provides that public bodies must protect personal information in their possession by “making reasonable security arrangements”.^[4]

The BCCA’s Decision

The BCCA remitted the certification application back to the trial court on a number of grounds, including on the Privacy Act claim.  The BCCA decided that where a third-party hacker accesses a database storing personal information, it is not plain and obvious a data custodian could never be said to be “wilfully” violating the privacy of persons whose personal information is stored.^[5]

The Court framed the Privacy Act’s purpose as being to protect privacy interests and this includes ensuring harms to constitutionally-recognized privacy interests do not go without a remedy.^[6]  The Court noted that the right to privacy includes the right of a person to control the use of their personal information by organizations to whom it is provided. Additionally, there is more than one way for a defendant to violate a plaintiff’s privacy, including by enabling a broader audience to have access to that information contrary to the plaintiff’s reasonable expectations of privacy.^[7]

As a result, the BCCA held that questions of whether the data custodian had reasonable security and was not reckless in storing personal information could go to trial.  This decision also supports a B.C. trial court decision in a different cyber-attack case that was appealed on different grounds.^[8]

Implications for Organizations

The BCCA decision suggests a potentially significant practical burden on organizations regarding their cyber-security program.  Now, plaintiffs can potentially advance a case to trial where cyber-criminals stole the data, to scrutinize the data custodian’s behaviour and the measures it took to protect sensitive information.  The plaintiffs don’t need to show financial harm.  

The question of whether TransLink’s actions were reckless such that they amount to willful conduct culpable under the Privacy Act will probably be determined at the trial of the class action. Prior to the BCCA’s decision, the Privacy Act’s requirement that defendants “wilfully” violate the privacy of another meant that the tort claims based on recklessness^[9] would not have gone to trial, particularly where cyber-criminals were involved.

The decision has additional import for BC public bodies. The BCCA approved using the Freedom of Information and Privacy Protection Act (“FIPPA”) to inform a claim for breach of privacy under the Privacy Act.  While not necessarily permitting a direct claim under FIPPA, the BCCA dismissed the idea that FIPPA was a complete code governing all allegations of FIPPA breaches. Before this decision, plaintiffs could not claim breach of FIPPA except through the procedures under FIPPA (a complaint to the Privacy Commissioner).^[10]

Following the BCCA’s decision, organizations will need to seriously revisit their privacy and security management programs. A particular challenge will be for organizations to establish a cyber-security diligence program that assesses and addresses the risks, threats and vulnerabilities to personal information.  

We routinely advise organizations regarding the numerous policy approaches and standards available for organizations to address these issues and that help them document or even certify their security controls and threat management.  If we can be of any assistance to your organization, please do not hesitate to contact a member of our Privacy and Data Management Group.    

^{[1] See Privacy Act, RSBC 1996, c 373, s.1(1).}

^{[2] G.D. v South Coast British Columbia Transportation Authority, 2024 BCCA 252 [TransLink].}

^{[3] Privacy Act, RSBC 1996, c 373, s.1(1).}

^{[4] Freedom of Information and Privacy Protection Act, RSBC 1996, c 165.}

^{[5] TransLink, supra note 1 at paras. 111 to 112.}

^{[6] Ibid, at para. 114.}

^{[7] Ibid, at paras. 122 and 124.}

^{[8] Campbell v. Capital One Financial Corporation, 2022 BCSC 928 at para. 113; and Campbell v. Capital One Financial Corporation, 2024 BCCA 253}

^{[9] See trial decision, G.D. v South Coast British Columbia Transportation Authority, 2023 BCCA 958, at paras. 47 to 48.}

^{[10] TransLink, supra note 1 at para. 174.}