Negligence Liability for Breaches of Data Security

Abstract

Due to the concern over identity fraud, data security issues are now attracting growing attention from legislators, legal scholars, and an increasing number of litigants. This article addresses the possibility of using liability in negligence as a means to deter unreasonably careless data security practices as well as to offer compensation to those harmed by data security breaches. Part I of the article discusses the need for civil liability in order to deter careless data security practices. Part II reviews U.S. cases involving negligence liability for breaches of data security, identifying the key problems facing plaintiffs. Part III addresses additional legal problems that may face plaintiffs in the Canadian context, and Part IV draws on case law and regulatory decisions to suggest some conclusions about what are "reasonable" security measures.
Electronic copy available at: http://ssrn.com/abstract=998305
NEGLIGENCE LIABILITY FOR BREACHES OF DATA SECURITY
JENNIFER A. CHANDLER*
Forthcoming in the Banking and Finance Law Review
TABLE OF CONTENTS
Introduction .......... 2
Part I Using Liability in Negligence to Address Poor Data Security .......... 3
Part II Review of U.S. Case Law .......... 10
(a) The problem of establishing that a data security breach caused identity fraud .......... 10
(b) The problem of establishing “actual harm” where identity fraud has not yet occurred .......... 13
Part III Liability for Data Security Breaches in the Canadian Context .......... 17
(a) The recovery of pure economic loss .......... 18
(b) The effect of statutory data safeguard requirements on the negligence claim .......... 22
(c) The effect on liability of the intervening criminal acts of third parties .......... 29
Part IV Setting the appropriate standard of reasonable security measures .......... 32
Conclusion .......... 38
*Assistant Professor, Faculty of Law, University of Ottawa. I gratefully acknowledge Borden Ladner
Gervais LLP for its support of my research assistant, David Quayat, through the Borden Ladner Gervais
Research Fellowship during the research for this paper. I thank David Quayat and Deric Mackenzie-Feder
for their excellent research assistance in the preparation of this paper, and I thank the anonymous reviewer
for most helpful comments on the paper.
INTRODUCTION
Breaches of data security involving the disclosure of sensitive personal
information have become high profile news.1 In January, 2007, TJX Companies Inc.
announced a security breach affecting millions of customer records in Canada, the United
Kingdom, Ireland, the United States and Puerto Rico2 and Talvest Mutual Funds
announced the loss of 470,000 Canadian client records.3 Thousands of Canadian credit
card holders are reported to have been the victims of fraud as a result of the TJX
Companies Inc. breach.4
These data security breaches can occur in many different ways. In the last few
years, security breaches have involved website security flaws that exposed customer
data,5 misdirected faxes,6 hacking into poorly secured computer networks and databases,7
loss of paper records, loss or theft of electronic records (on laptops or other storage
devices),8 employee theft of information, disposal of confidential financial information in
open public dumpsters,9 apparent abandonment of confidential customer information in
open public places,10 and theft of information by employees at third party service
providers.11
One of the key concerns with these data security breaches is that they may lead to
identity fraud. This might include an “account takeover” in which the thief takes over an
1A rapidly growing list of major reported security breaches in the United States is maintained at
<http://www.privacyrights.org/ar/chrondatabreaches.htm>.
2TJX Companies, Inc. “Frequently Asked Questions,” (28 March 2007),
<http://www.tjx.com/tjx_faq.html>.
3Privacy Commissioner of Canada, “News Release: Privacy Commissioner Launches Investigation of
CIBC breach of Talvest customers’ personal information,” (18 January 2007),
<http://www.privcom.gc.ca/media/nr-c/2007/nr-c_070118_e.asp>.
4“Winners security breach hits Canadian cardholders,” CTV.ca (25 January 2007),
<http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20070125/sec_breach_070125?s_name=&no_ads
=>; Sinclair Stewart, “Winners security breach hits home,” Globe and Mail.com (25 January 2007),
<http://www.theglobeandmail.com/servlet/story/LAC.20070125.WINNERS25/TPStory/National>.
5Kevin Poulsen, “Tower records settles charges over hack attacks,” The Register.com (22 April 2004),
<http://www.theregister.co.uk/2004/04/22/tower_settles_ftc_hack_charges/>; Kevin Poulsen, “Guess leaks
credit cards of the fashion conscious,” The Register.com (6 March 2002),
<http://www.theregister.co.uk/2002/03/06/guess_leaks_credit_cards/>; U.S. Federal Trade Commission,
“Petco settles FTC charges security flaws allowed hackers to access consumers’ credit card information,”
(17 November 2004), <www.ftc.gov/opa/2004/11/petco.htm>.
6Speevak v. Canadian Imperial Bank of Commerce (statement of claim issued February 4, 2005, Ont. Sup.
Ct. Justice 05-CV-283484CP)).
7Thomas C. Greene, “Amazon division hacked, thousands of CCs exposed,” The Register.com (March 6,
2001), <http://www.theregister.co.uk/2001/03/06/amazon_division_hacked_thousands/>;
8The Talvest data security breach involved the loss of a hard drive containing client data. Supra note 3.
9U.S. Federal Trade Commission, “Real estate services company settles privacy and security charge
company tossed consumers confidential information in dumpster, company computers were hacked,” (10
May 2006), <www.ftc.gov/opa/2006/05/nationstitleemailtest.htm>.
10 Laura Bobak, “Rogers data leak shows need for mandatory customer notification law, expert says,”
CBC.ca (9 April 2007), <http://www.cbc.ca/cp/media/070409/X040939AU.html>.
11 Andy McCue, “Indian call center staff sold data, TV show says,” CNET News.com (5 October 2006),
<http://news.com.com/2100-7348_3-6123067.html>.
existing account, draining a bank account or making fraudulent credit card purchases, or
“true name fraud” in which the thief opens new accounts or obtains new credit using the
victim’s name.12 A victim may be unaware of these latter frauds until he or she discovers
a ruined credit rating or is approached by collection agencies.
Due to the concern over identity fraud, data security issues are now attracting
growing attention from legislators, legal scholars, and an increasing number of litigants.
This article addresses the possibility of using liability in negligence as a means to deter
unreasonably careless data security practices as well as to offer compensation to those
harmed by data security breaches. Although additional civil causes of action may be
relevant depending upon the facts (e.g. breach of contract, breach of confidence, invasion
of privacy, breach of fiduciary duty), the analysis in this article is restricted to negligence
claims brought by the people whose data is compromised. Part I of the article will
discuss the need for civil liability in order to deter careless data security practices. Part II
will review U.S. cases involving negligence liability for breaches of data security,
identifying the key problems facing plaintiffs. Part III will address additional legal
problems that may face plaintiffs in the Canadian context, and Part IV will draw on case
law and regulatory decisions to suggest some conclusions about what are “reasonable”
security measures.
Part I Using Liability in Negligence to Address Poor Data Security
California’s security breach notification legislation came into force in 2003, and
placed an obligation on businesses holding unencrypted computerized personal
information to notify California residents of breaches in the security of that information.13
Since then, numerous other American states have followed suit14 and the U.S. Congress is
considering legislation in the field.15 A similar data security breach notification
requirement exists in Ontario’s Personal Health Information Protection Act16 and the
Privacy Commissioner of Canada has recommended an amendment to the federal
Personal Information Protection and Electronic Documents Act17 (“PIPEDA”) to provide
12 Anthony E. White, “The Recognition of a Negligence Cause of Action for Victims of Identity Theft:
Someone Stole My Identity, Now Who is Going to Pay for It?” (2005) 88 Marq. L. Rev. 847 at p. 851-852;
Kenneth M. Siegel, “Protecting the Most Valuable Corporate Asset: Electronic Data, Identity Theft,
Personal Information, and the Role of Data Security in the Information Age” (2007) 111 Penn St. L. Rev.
779 at p. 784-786 (discussing forms of identity fraud).
13 S.B. 1386, codified in Cal. Civ. Code § 1798.82.
14 A chart of the legislation is available at <http://www.digestiblelaw.com/files/upload/securitybreach.pdf>.
15 Anne Shelby, Davis Wright Tremaine LLP, “Pending Privacy and Data Security Legislation in the 110th
Congress,” Privacy and Security Law Blog (30 March 2007),
<http://www.privsecblog.com/archives/federal-legislation-pending-privacy-and-data-security-legislation-
in-the-110th-congress.html>; Flora J. Garcia, “Data Protection, Breach Notification, and the Interplay
between State and Federal Law: The Experiments Need More Time,” (2007) 17 Fordham Intell. Prop.
Media & Ent. L.J. 693 (reviewing recent U.S. federal and state legislative initiatives).
16 S.O. 2004, c.3, Sched. A., s.12(2).
17 S.C. 2000, c.5.
a duty to notify.18 Even without this legislation, there is a reasonable argument that there
is a common law duty to disclose breaches of data security.19
There is growing scholarly interest in the efficacy of these data security breach
notification statutes.20 As Schwartz and Janger have pointed out, these statutes are
intended to serve two purposes: first, deterring careless data security practices by
imposing a reputational sanction, and second, informing individuals of a risk to their data
so that they may take steps to protect themselves.21 The reputational sanction might
involve loss of market share as customers avoid businesses perceived to have poor
security and a reduction in share value in the stock market. In addition, the expense of
sending a security breach notification to affected parties may itself be a deterrent apart
from the potential reputational sanction.22
However, there are reasons to wonder whether mandatory data security breach
notification requirements really deter poor data security. Schwartz and Janger suggest
that the public is unlikely to impose a significant market sanction by avoiding companies
with a history of poor data security. In some cases, the breach will occur at a “back
office” entity with no direct relationship with consumers (e.g. data processors, couriers or
data brokers).23 Consumers are unlikely to know which “back office” service providers
are used by which retailers and so will find it difficult to avoid those with poor data
security. With other types of businesses, such as banks, customers will incur high
switching costs and so the market penalty for poor data security may be dampened.
Furthermore, with the growing number of data security breaches, consumers may develop
the impression that all or many banks have suffered security breaches so there is little to
be gained from switching.24 In a more general way, as data security breaches continue to
be disclosed across various market sectors, the public will gradually come to perceive
data insecurity as normal and will be even less likely to punish businesses by avoiding
18 Canada, Office of the Privacy Commissioner, “The Privacy Commissioner of Canada’s Position at the
Conclusion of the Hearings on the Statutory Review of the Personal Information Protection and Electronic
Documents Act (PIPEDA),” (22 February 2007),
<http://www.privcom.gc.ca/parl/2007/sub_070222_e.asp#012> at section 12.
19 See e.g., Ethan Preston and Paul Turner, “The global rise of a duty to disclose information security
breaches,” (2004) 22 J. Marshall J. Computer & Info. L. 457 (suggesting that the common law doctrine of
negligent misrepresentation may require notification of data security breaches where a company has
represented that data will be kept private); Vincent Johnson, “Cybersecurity, Identity Theft, and the Limits
of Tort Liability,” (2005) 57 S.C. L. Rev. 255 at p. 282. As noted below, plaintiffs often claim that the
failure to disclose a breach promptly is a breach of the duty of care in negligence lawsuits.
20 See e.g., Paul Schwartz and Edward Janger, “Notification of Data Security Breaches,” (2007) 105 Mich.
L. Rev. 913; Kathryn E. Picanso, “Protecting Information Security Under a Uniform Data Breach
Notification Law,” (2006) 75 Fordham L. Rev. 355 at p. 373.
21 Schwartz and Janger, supra note 20 at p. 917.
22 Ibid. at p. 957.
23 Ibid. at p. 946-947, pointing to the Cardsystems and Choicepoint cases as examples where retail
consumer defection would not be a realistic result of notifying affected individuals of the breaches of data
security.
24 Ibid. at p. 948.
them.25 Presumably the stock market will react less and less as it learns that the
punishment from consumers is mild and decreasing.
These predictions may be supported by evidence of market behaviour. The public
relations sanction that data security breach notification rules were intended to impose
seems not to be effective. The price of TJX Companies Inc. shares dipped only slightly
with the announcement in January, 2007 of an enormous security breach.26 On the other
hand, the stock prices fell twice as much when the first class action lawsuit was filed a
couple of weeks later. Despite this, TJX Companies Inc. reported increasing sales
throughout the months after the security breach.27 Furthermore, the comments of some
TJX customers suggested a growing desensitization to data security breaches.
“Customers leaving a T.J. Maxx store Thursday in Boston's Downtown Crossing
shopping hub said the retailer's cut-rate prices on clothing and home goods are a
big enough draw to offset any worries about lax data security. They said they
didn't see TJX as any more susceptible to such theft than any other retailer.”28
The fact that many consumers do not appear to be greatly put off by data security
breaches does not necessarily mean that there is no problem to be solved. A recent U.S.
estimate of the volume of identity fraud in the U.S. in 2006 was nearly $60 billion.29
Consumer reaction is perhaps dampened by the fact that cardholder agreements insulate
customers from significant losses resulting from credit card fraud.30 These costs are
nonetheless an economic drain and are transmitted indirectly back to consumers by
financial institutions and merchants in the form of higher fees and prices.31 Furthermore,
information other than credit card numbers may be compromised, exposing affected
persons to greater risks. Identity thieves may open new credit accounts, loans or service
25 Ibid. at p. 916, referring to critics of data security breach notification statutes: “A major objection is that
the current requirement for customer notice generates too many breach disclosure letters. Critics focus on
the disclosure trigger in the California statute and related legislation which requires the sending of
notification letters whenever there is a reasonable likelihood that an unauthorized party has "acquired"
personal information. These critics point to Aesop's fable, "The Boy who Cried Wolf." As Fred Cate writes,
‘if the California law were adopted nationally, like the boy who cried wolf, the flood of notices would soon
teach consumers to ignore them. When real danger threatened, who would listen?’ The Washington Post
has joined this chorus in editorializing against these laws as creating ‘tedious warnings’ that will cause
people to ‘ignore the whole lot.’”
26 Elaine Wiltshire, “Cyber-Enemy at the Gates,” (2007) 23:7 The Bottom Line,
<http://www.thebottomlinenews.ca/index.php?articleid=242&section=article>, reporting that the price
before the breach was just under $30, and dropped to $29.50 on the day of the breach. Two weeks later,
with the filing of the first class action, the price dropped a further 3.7%.
27 Mark Jewell, “Data Theft Doesn’t Slow Sales for TJX,” Yahoo! Finance (12 April 2007),
<http://biz.yahoo.com/ap/070412/tjx_security_breach.html?.v=1>.
28 Ibid.
29 Better Business Bureau and Javelin Strategy and Research, “New Research Shows Identity Fraud Growth
is Contained and Consumers Have More Control Than They Think,” (31 January 2006),
<http://www.bbbonline.org/IDTheft/safetyQuiz.asp>.
30 Evan Schuman, “The Credit Card Unintended Consequence,” Storefront Backtalk Blog (21 February
2007), <http://storefrontbacktalk.com/story/022207tjxcolumn.php>.
31 Penelope N. Lazarou, “Small Businesses and Identity Theft: Reallocating the Risk of
Loss,” (2006) 10 N.C. Banking Inst. 305 at p.321.
contracts in the victim’s name, damaging the victim’s credit report.32 An identity thief
may also impersonate a victim during interactions with police so that the victim obtains a
criminal record. The task of repairing one’s credit and clearing one’s name can be
considerable. For example, the U.S. Federal Trade Commission recommends that
victims obtain official “Identity Theft Reports” to ensure that fraudulent transactions do
not reappear on their credit reports, as well as to prevent collection agencies from
continuing to attempt to collect the debts.33 However, the FTC acknowledges that the
police in some places may be unwilling to take the reports, recommends that identity
fraud victims “be persistent” and offers victims various documents with which to try to
convince the police of the importance of taking the report. If this fails to convince the
local authorities, the FTC suggests that victims should try county and state police.
Clearly, recovering from identity theft can be an arduous and frustrating task.
Even if there are reasons to doubt the deterrent impact of a requirement that
businesses disclose data security breaches, it may still be quite useful in permitting
individuals to mitigate the harm of identity theft. Armed with the knowledge of a data
security breach, individuals are in a slightly better position to dispute fraudulent charges
and other such harms. While mandatory disclosure rules may thus be useful in mitigating
harm, they may not offer much deterrence. In fact, far from disciplining careless data-
handlers by shunning them in the market, consumers may instead punish those who
implement security measures if those security measures lead to higher prices.34 As a
result it is worthwhile to consider other possible deterrents. One such possibility is civil
liability for harms arising from breaches of data security.
Some commentators have expressed reservations about the possibility of civil
liability in this context. Johnson cautions that care should be taken in imposing liability
for breaches of data security given that the potentially considerable losses might be
ruinous, and there is a possibility that overly onerous requirements would also discourage
the use of computer technology in handling data.35 Picanso suggests that an increased
threat of liability might diminish the reporting of data security breaches.36 LoPucki
suggests that our attempts to secure data are futile. In his view, identity theft would be
better addressed by abandoning our attempt to secure the data, and creating alternate
systems of identification that do not rely on secret data.37
32 Federal Trade Commission, “About Identity Theft,”
<http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/about-identity-theft.html> (visited 5 June 2007).
33 Federal Trade Commission, “Defend: Recover from Identity Fraud,”
<http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html#Whatisanidentitytheftreport>
(visited 5 June 2007).
34 Lazarou, supra note 31 at p. 321, suggesting that customers who have not felt the effects of identity theft
may be unwilling to pay the higher costs associated with security measures, which would discourage
businesses from implementing such measures.
35 Johnson, supra note 19 at p. 260: “Obviously, courts must strike a balance that adequately protects the
interests of individuals without discouraging the use of computer technology or driving important
institutions out of existence.”
36 Picanso, supra note 20 at p. 388-389.
37 Lynn M. LoPucki, “Did Privacy Cause Identity Theft?” (2003) 54 Hastings L.J. 1277 and Lynn M.
LoPucki, “Human Identification Theory and the Identity Theft Problem” (2001) 80 Tex. L. Rev. 89. For a
Others endorse civil liability in this context. Citron recommends not a negligence
but a strict liability standard in relation to harms caused by breaches of data security.38
She suggests that security breaches are inevitable even with reasonable security
measures. In her view, strict liability would cause database custodians to internalize the
full costs of the inevitable data security breaches and so discourage the maintenance of
databases except where the benefits of doing so outweigh the entire costs of doing so.39
In fact, plaintiffs are increasingly resorting to the courts to sue commercial
organizations following data security breaches, and there is a growing body of U.S. case
law on civil liability for these breaches.40 Three groups of plaintiffs are represented in
these U.S. lawsuits: the people whose data is compromised, the merchants who suffer
charge backs due to the fraudulent purchases made using compromised payment card
information,41 and the banks, which are forced to absorb costs such as the mass
cancellation and reissuing of credit cards.42 Multiple class actions on behalf of persons
whose data has been compromised have also been launched in Canada to recover
damages related to data security breaches.43
critique of LoPucki’s proposals see Daniel J. Solove, “Identity Theft, Privacy, and the Architecture of
Vulnerability,” (2003) 54 Hastings L.J. 1227.
38 Danielle Keats Citron, “Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of
the Information Age,” (2007) 80 S. Cal. L. Rev. 241 at p. 264.
39 Ibid. at p. 268.
40 Randolph et al. v. ING Life Insurance and Annuity Co. 2007 U.S. Dist. LEXIS 11523 (D.C.); Bell v.
Acxiom Corp. 2006 U.S. Dist. LEXIS 72477 (E.D. Arkansas); Richardson v. DSW, Inc. 2005 U.S. Dist.
LEXIS 26750 (N.D. Ill.), 2006 U.S. Dist. LEXIS 1840 (N.D. Ill.); Giordano v. Wachovia Securities LLC et
al 2006 U.S. Dist. LEXIS 52266 (Dist. N.J.); Stollenwerk et al v. Tri-West Healthcare Alliance 2005 U.S.
Dist. LEXIS 41054 (Dist. Ariz.); Tracy L. Key v. DSW, Inc. 2006 U.S. Dist. LEXIS 69887 (S.D. Ohio);
Hendricks v. DSW Shoe Warehouse Inc. 2006 U.S. Dist. LEXIS 51235 (W.D. Mich.); Kuhn v. Capital One
Financial Corp. Inc. 18 Mass L. Rep. 524 (Supt. Ct. Mass); Guin v. Brazos Higher Education Service
Corp. Inc. 2006 U.S. Dist. LEXIS 4846 (Dist. Minn.); Forbes v. Wells Fargo Bank 420 F. Supp. 2d 1018
(Dist. Minn, 2006); Jones v. Commerce Bancorp, Inc. et al 2006 U.S. Dist. LEXIS 32067 (S.D. N.Y.);
2006 U.S. Dist. LEXIS 65630 (S.D.N.Y); 2007 U.S. Dist. LEXIS 15343 (S.D.N.Y.); Bell v. Michigan
Council 25, 2005 Mich. App. LEXIS 353 (Mich. C.A.); Daly v. Metropolitan Life Insurance Co., 782
N.Y.S. 2d 530 (N.Y. Sup. Ct. 2004); Huggins v. Citibank N.A. et al. 2003 S.C. LEXIS 180 (S. Cal. Sup.
Ct.); Major pending U.S. lawsuits include Parke v. Cardsystems Solutions Inc. et al. (filed July 5, 2005,
Cal. Sup. Ct. No. CGC-05-442624) and Goldberg v. Choicepoint (filed Feb. 18, 2005, Cal Sup. Ct. Case
No. 8C329115), and multiple class actions against TJX Companies Inc. filed in 2007. The TJX Companies
Inc. Annual Report for the fiscal year ending January 27, 2007 states that there were eighteen class action
lawsuits filed between January 19 and March 23, 2007 in the U.S., Canada and Puerto Rico (see
<http://www.sec.gov/Archives/edgar/data/109198/000095013507001906/b64407tje10vk.htm>).
41 See e.g., the claim filed in Parke v. Cardsystems Solutions Inc. et al. (filed July 5, 2005, Cal. Sup. Ct.
No. CGC-05-442624).
42 See e.g., AmeriFirst Bank v. TJX Companies, Inc., et al., (filed January 31, 2007, Mass. Dist. Ct. No. 07-
cv-10169); Sovereign Bank v. BJ’s Wholesale Club Inc and Fifth Third Bankcorp. 427 F. Supp. 2d (M.D.
Pa. 2006); Banknorth, N.A. v. B.J.’s Wholesale Club, Inc. 442 F. Supp. 2d 206 (M.D. Pa. 2006);
Pennsylvania State Employees’ Credit Union v. Fifth Third Bank and BJ’s Wholesale Club, Inc. 2006 U.S.
Dist. LEXIS 40066 (M.D. Pa. 2006); CUMIS Insurance Society Inc. v. BJ's Wholesale Club Inc., No. 05-
1158-J, (Sup. Ct. Mass, Apr. 4, 2005).
43 Taylor et al. v. Queen in Right of Saskatchewan (Worker’s Compensation Board) et al.(filed February 3,
2003, Saskatchewan Q.B. No. 243); Speevak v. Canadian Imperial Bank of Commerce (supra note 10);
Churchman et al. v. TJX Companies et al. (filed January 31, 2007, Man. Q.B. No. CI-07-01-50449); Ryley
With few exceptions, the U.S. lawsuits have been unsuccessful because of several
key problems. First, the courts have held that until identity fraud occurs, there is no
“actual harm.” The courts hold that claims for the costs of protective measures such as
credit monitoring services do not relate to “actual harm” but to the fear of a potential
future harm and so they are not recoverable. Second, where identity fraud has occurred,
the courts may find that there is no evidence of a causal connection between the
disclosure of the personal data and the subsequent identity fraud. This is a problem, for
example, where the personal data at issue has been provided to other organizations and so
could have been lost or misused elsewhere. Despite this difficulty, at least one plaintiff
has been able to establish the necessary causal connection.44
In addition to the foregoing problems reflected in the U.S. cases, two other
difficulties might also face plaintiffs in data security breach negligence claims in Canada.
One of these problems is that the damages claimed by plaintiffs in this context are usually
“pure economic loss,” the recovery of which is restricted in negligence claims. It is,
therefore, necessary to explore whether the claims fit within currently recognized
categories of recoverable pure economic loss. If not, it is necessary to determine whether
the recognition of a novel category of recoverable pure economic loss is justified.
Another problem flows from the observation that Canadian courts sometimes refuse to
acknowledge a civil cause of action when a comprehensive statutory regime has been
created to cover the same matter.45 As a result, it is necessary to consider the effect of
legislation such as PIPEDA. In addition, certain provincial privacy statutes directly
address civil liability.46
The picture that emerges from this discussion is discouraging to plaintiffs. There
are many hurdles to be overcome in claiming damages for breaches of data security both
in the U.S. and in Canada. Negligence law deals awkwardly with this problem as it does
v. TJX Companies Inc. et al (filed January 19, 2007, B.C. Sup. Ct. No. 07-0278); Howick v. TJX
Companies Inc. et al (filed January 19, 2007, Que. No. 500-06-000382-073); Churchman et al. v. TJX
Companies Inc. et al. (filed January 19, 2007), Alta. Q.B. No. 0701-00964); Copithorn v. TJX Companies
Inc. et al. (filed January 22, 2007, Sask. Q.B. No. 100); Deyannis et al. v. TJX Companies Inc. et al. (filed
January 26, 2007, Que. No. 500-06-000385-076); Wong et al. v. TJX Companies Inc. et al. (filed January
26, 2007, Ont. Sup. Ct. No. CV-070-272-00); Bordoff v. CIBC Asset Management Inc. (filed January 23,
2007, Que. No. 500-06-000383-071);
44 Bell v. Michigan Council 25, 2005 Mich. App. LEXIS 353 (Mich. C.A.) [“Bell”].
45 In Board of Governors of Seneca College of Applied Arts & Technology v. Bhadauria [1981] 2 S.C.R.
181, reversing (1979), 105 D.L.R. (3d) 707 (Ont. C.A.), the Supreme Court refused to contemplate a new
tort of discrimination on the basis that the Ontario Human Rights Code provided a comprehensive statutory
regime that foreclosed the development of a common law remedy.
46 Personal Information Protection Act, S.A. 2003, P-6.5, ss.57, 60; Personal Information Protection Act,
S.B.C. 2003, c.63, s.57; Health Information Act, R.S.A. 2000, c. H-5, s.105; Personal Health Information
Act, C.C.S.M. c.P33.5, s.62; Health Information Protection Act, S.S. 1999, c. H-0.021, s.61; Personal
Health Information Protection Act, 2004, S.O. 2004, c.3, Sched. A, s.71. Section 71 of Ontario’s PHIPA is
peculiar, as it purports to prohibit civil actions for damage due to neglect that was “reasonable in the
circumstances.” Given that negligence by definition involves unreasonable behaviour, the immunity
provided by s.71 appears ineffective. Plaintiffs will argue that they are not suing for damages arising out of
reasonable actions, but for unreasonable actions and so their lawsuits fall outside s.71.
with other problems of the “information age.” Rustad and Koenig argue that tort law has
not kept pace with the need to protect consumers in cyberspace.47
“Today, the information industry is insulated from paying the true cost of their
wrongdoing much like the railroads, canals, utilities, and assembly-line factory
industries of nineteenth-century America. Cybertort remedies must expand in
order to perform their traditional function of social control in the information age,
an era in which the nature of injuries is being transformed. Even in cyberspace,
tort law exists to vindicate, not veto, consumer protection. Outmoded immunities,
no-duty rules, and defenses should be consigned to the ashbin of history.”48
Although Rustad and Koenig were speaking specifically of internet-based harms,
the problem of identity theft is another ill of the information age. The modern explosion
of identity theft is a function of the technologies of data storage and processing, which
permit the retention of large amounts of data.49 It also flows from the fact that modern
life involves a multitude of transactions with strangers and so creates a pervasive need for
individual authentication.50 The pattern of tort law’s awkward and uneasy response to the
harms of the information age is reflected not just in cyberspace and with respect to
identity theft but is also seen in the slow emergence of civil remedies for privacy
violations in Canada.
Given all of the difficulties facing the plaintiff in seeking damages under common
law negligence principles, it may be necessary for the legislature to act to create a
statutory right of action. Should courts not manage to craft solutions, the legislatures
may do so. For example, a new law in Minnesota requires entities that retain payment
card data beyond certain limits to reimburse financial institutions for their costs in the
event of a breach in the security of that data.51 Other U.S. states are also considering
similar legislation. Bill No. 21352 was filed in the Massachusetts legislature in early
2007.53 Bill No. 213 includes a provision holding “a commercial entity” liable to banks
for the costs of reasonable actions taken in response to actual breaches of data security at
47 Michael L. Rustad and Thomas H. Koenig, “Cybertorts and Legal Lag: An Empirical
Analysis,” (2003) 13 S. Cal. Interdis. L.J. 77 at p. 87-88.
48 Ibid. at p.140.
49 Citron, supra note 38 at p.246-247.
50 Solove, supra note 50.
51 An Act relating to commerce; regulating access devices; establishing liability for security
breaches; providing enforcement powers; proposing coding for new law in Minnesota Statutes, chapter
325E, Minnesota Statutes, Chapter 108-H.F. No. 1758, available at
<http://ros.leg.mn/slaws/2007/0/108.pdf>.
52 An Act relative to enhancing the confidentiality and protection of certain consumer information,
Massachusetts House Bill No. 213 (2007), available at
<http://www.mass.gov/legis/bills/house/185/ht00pdf/ht00213.pdf>.
53 Peter J. Howe, “Bill targets retailers for costs to fix data thefts: They say plan would fatten bank profits,
not protect public,” Boston Globe (20 February 2007)
<http://www.boston.com/business/globe/articles/2007/02/20/bill_targets_retailers_for_costs_to_fix_data_thefts/>;
Anne Broache, “Mass. Bill wants stores to pay more in data breaches,” C/NET News.com (23
February 2007), <http://news.com.com/Mass.+bill+wants+stores+to+pay+more+in+data+breaches/2100-7348_3-6161536.html>.
the commercial entity. It would also hold the commercial entity liable to the banks for
the costs of certain enumerated actions taken by the banks as a result of potential
breaches of data security (e.g. cancellation or reissuing of credit cards, and refunds or
credits to customers for unauthorized transactions).54 This liability cannot be avoided by
contract, as it applies “notwithstanding any other provision of law or contract and in
addition to any other liability of a commercial entity to a bank…”55 Interestingly,
“commercial entity” is defined to include governmental bodies.56 To the extent that
governments hold data relevant to the banks, this liability could be considerable given the
numbers of citizens interacting with governments.
Financial institutions represent a more powerful lobby than consumers, and it is
unclear whether legislatures will also create a more general statutory right of action that
is available to consumers. In the absence of a statutory right of action available to
consumers, this article will assess the strengths and weaknesses of the common law of
negligence in providing a cause of action for those harmed by breaches of data security.
Part II Review of U.S. Case Law
The body of U.S. cases dealing with liability in negligence for breaches of data
security has grown fairly rapidly, and cases continue to be brought despite a low rate of
success by plaintiffs.57 This low rate is due mostly to several recurrent difficulties facing
plaintiffs. The following section will review these difficulties, assessing the arguments in
the Canadian context.
The main problems faced by plaintiffs vary according to whether they have
suffered identity fraud or not. Where the plaintiff has not yet suffered identity fraud but
is concerned about the risk of identity fraud following a data security breach and seeks
compensation for monitoring costs, the U.S. courts have tended to consider that no actual
harm has yet been suffered. Where plaintiffs have suffered identity fraud, they often
(but not always) fail because they cannot prove that the security breach caused the
identity fraud. In both cases, courts may also characterize the harms as pure economic
losses, the recovery of which is restricted in negligence.
(a) The problem of establishing that a data security breach caused identity fraud.
Dealing first with cases in which the plaintiffs have suffered identity fraud
following a data security breach, several cases illustrate the difficulty of establishing
causation.58 In Stollenwerk,59 one of the plaintiffs suffered identity fraud six weeks after
computer hard drives were stolen from the defendant’s office. Several accounts were
opened in his name and $7,000 was charged to the accounts. The judge noted that the
54 Supra note 52 at s.4.
55 Ibid.
56 Ibid. at s.1(2).
57 Supra note 40.
58 The plaintiffs in Jones and Kuhn (supra note 40) failed, in part due to inadequate evidence of causation
even though they had suffered identity fraud.
59 Stollenwerk, supra note 40.
fact that the identity theft occurred after the theft of the hard drives was not enough to
establish causation. She noted that the plaintiff had provided the same information that
was used to commit the identity fraud to organizations other than the defendant. As a
result, an inference of causation would be unreasonably speculative on the evidence
provided. She stated,
“The mere use of such information in the course of acts of identity fraud,
therefore, does not permit a finder of fact to draw the reasonable inference that the
unidentified identity thieves obtained it from Defendant.”60
Jones also illustrates how difficult it will be for plaintiffs to establish causation
even where identity fraud has occurred. In that case, the plaintiff suffered extensive
identity fraud.61 Identity thieves had taken money from her account, attempted to deposit
and cash fraudulent cheques in a fraudulent bank account opened in her name, opened a
fraudulent utility account, filed and received a “rapid refund” with a fraudulent tax return
in her name, falsified her social security record and ruined her credit rating. The plaintiff
struggled to establish causation, suggesting that the information used to obtain a
fraudulent cheque from her insurance company was only possessed by the defendant
bank. As a result, she argued, the defendant “must have committed a negligent breach of
duty.”62 The Court rejected this argument, which it characterized as an invocation of the
doctrine of res ipsa loquitur.
The plaintiff appears to have lost this argument for two reasons. First, the court
doubted that the information in question was solely in the control of the defendant.
However, it appears that she would have lost the argument even if the information had
been solely in the control of the defendant as she could not point to any act of negligence
on the defendant’s part and the Court was unwilling to accept that identity fraud is a kind
of event that would ordinarily occur only if there had been negligence on the defendant’s
part.63
“Plaintiff avers, in essence, that Commerce must have committed a negligent
breach of duty because the combination of personal information used to
fraudulently attain a check from Plaintiff’s insurance company was only
possessed by Commerce, and no other institutions or entities. However, it cannot
be said that the identity theft here is an event that “ordinarily does not occur in the
absence of someone’s negligence,” just as it cannot be generally said that criminal
activity requires some prior negligence to succeed. The thieves might well have
stolen Plaintiff’s information without any negligence on the part of Commerce.”64
60 Ibid.
61 Jones, supra note 40.
62 Ibid. at 5-6. The judgment quotes the plaintiff as follows: “The key pieces of information used to create
the fraudulent [State Farm Insurance] check(s) could have only come from Commerce, thereby linking
Commerce to unauthorized access, theft and/or unlawful disclosure of my confidential information.”
63 Ibid. at 12.
64 Ibid. at 12.
Not all plaintiffs have been unsuccessful. In Bell v. Michigan Council 2565 the
plaintiffs were members of the defendant union. The treasurer of the union took the
plaintiffs’ personal information home. The treasurer’s daughter was later convicted of
identity fraud after a notebook was found in her possession listing the names, social
security numbers and drivers’ license numbers of the plaintiffs as well as the fraudulent
purchases made in their names. The plaintiffs succeeded in their arguments that the
union owed them a duty to protect their personal data against misuse by third parties, that
the union had been careless in failing to protect their personal data, and that this
negligence had facilitated the identity theft.
The Bell case involved unusually good evidence of causation. In many cases, the
causation element will create a considerable difficulty for plaintiffs. The personal
information used for identity theft is often provided to more than one organization. It can
also be stolen using spyware,66 phishing websites, or unpublicized breaches of security at
other organizations. It will be difficult for a plaintiff to obtain the necessary evidence of
how the criminal who defrauded him or her obtained the relevant personal information.
Nevertheless, the Bell case does indicate that where good evidence of causation exists,
plaintiffs may be able to recover for negligent handling of personal data that later results
in identity fraud.
Furthermore, it appears that banks may provide some assistance to plaintiffs, at
least with respect to breaches in the security of payment card data at retailers. Very
quickly after the public announcement of the TJX Companies Inc. security breach, a
banking association began to announce publicly that its members had linked fraudulent
credit card purchases to the security breach.67 This willingness to make public statements
may reflect the banks’ growing unhappiness over having to bear the costs of preventive
measures such as canceling compromised payment cards.68 Public announcements of this
type might provide some assistance to individual plaintiffs who are seeking to establish
causation. However, the utility of this information to plaintiffs may be limited.
Individual credit card holders are unlikely to suffer significant losses resulting from credit
card fraud due to contractual limitations of liability favouring the card holders. With
respect to identity fraud relating to bank accounts or debit cards, the banks’ interest in
publicly announcing that they have traced the fraud to a third party’s security breach may
vary somewhat according to the terms of their contracts with their banking customers.
Should the contracts leave some responsibility for the relevant transactions to customers,
some banks may find it worthwhile to keep quiet.
65 Bell v. Michigan Council 25, supra note 40.
66 Graeme Wearden and Tom Espiner, “Thousands of Brits fall victim to data theft,” CNET news.com (10
October 2006), <http://news.com.com/2100-7348_3-6124342.html> describing the discovery of a computer
holding the personal information gathered using a “backdoor” program on the computers of 2300 Britons.
67 Allan Holmes, “The TJX security breach. This one’s different. Way different,” CIO Blogs (1 February
2007), Sinclair Stewart, “Winners security breach hits home,” Globe and Mail.com (25 January 2007),
<http://www.theglobeandmail.com/servlet/story/LAC.20070125.WINNERS25/TPStory/National>.
68 Holmes, ibid.
(b) The problem of showing “actual harm” where identity fraud has not yet occurred.
The situation for plaintiffs whose data has been negligently exposed, but who
have not yet suffered identity fraud is different. Their challenge is not in establishing
causation, as they are not attempting to link the data security breach to subsequent
identity fraud by an unknown third party. Instead, they run into trouble because courts
question whether the exposure to increased risk of identity fraud is “actual harm.” Since
a showing of actual or imminent harm is an essential element of a negligence cause of
action, the courts have rejected their claims.69 Of course, plaintiffs dispute the suggestion
that the disclosure of their personal information is not a present injury. They point to the
immediate monetary and emotional costs, and suggest that the injury can be valued
economically as the cost of reasonable protective measures. They often seek damages for
mental distress as well as compensation for the time lost in closing accounts, contacting
credit bureaus and reviewing credit reports, and the financial cost of protective services
such as credit monitoring services or identity theft insurance. Nevertheless, courts have
been generally unreceptive. The court in Forbes put it this way:
“[T]he plaintiffs’ injuries are solely the result of a perceived risk of future harm.
Plaintiffs have shown no present injury or reasonably certain future injury to
support damages for any alleged increased risk of harm. For these reasons,
plaintiffs have failed to establish the essential element of damages.”70
Some courts express the concern that, in many cases, it is not known whether the
data that has been carelessly exposed has actually fallen into criminal hands or will be
used to commit identity fraud. For example, in cases where laptops are stolen, the courts’
expectation seems to be that the thieves are interested in the hardware and that the hard
drives are more likely to have been simply wiped clean.71 In Randolph, which involved a
stolen laptop, the Court stated that,
“Plaintiffs clearly allege that their Information was stolen by a burglar, but they
do not allege that the burglar who stole the laptop did so in order to access their
Information, or that their Information has actually been accessed since the laptop
was stolen. Plaintiffs’ allegations therefore amount to mere speculation that at
some unspecified point in the indefinite future they will be the victims of identity
theft.”72
In another case, a court was unwilling to conclude that identity fraudsters had
acquired personal information contained in a UPS package that was lost in transit.73 The
package could simply have been lost or destroyed. The court in Stollenwerk addressed
this type of uncertainty by indicating that,
69 See e.g., Giordano, supra note 40; Forbes, supra note 40; Randolph, supra note 40.
70 Forbes, supra note 40.
71 Stollenwerk, supra note 40; Guin, supra note 40.
72 Randolph, supra note 40 at p.19.
73 Giordano, supra note 40.
“[a]bsent evidence that the data was targeted or actually accessed, there is no
basis for a reasonable jury to determine that sensitive personal information was
significantly exposed.”74
It appears that the Randolph and Stollenwerk courts would have treated the matter
differently if there had been evidence that the data had clearly been targeted or accessed.
One assumes that this would include cases in which hackers break into databases of
personal information, or in which criminals pose as legitimate subscribers to a data
broker’s database of personal consumer information (as in the Choicepoint security
breach). In these cases, the likelihood of harm is less speculative because data has
clearly been targeted and accessed.
However, other courts have refused to permit recovery even where there was
evidence that data was deliberately targeted by hackers. The DSW Inc. cases arose when
hackers broke into DSW’s computerized payment systems, in which the retailer
maintained the credit and debit card numbers, chequing account numbers and driver’s
licenses of about 1.5 million customers. In the Key v. DSW Inc. case, the judge stated
that the plaintiff had failed to show that a third party intended to make fraudulent use of
her identity.
“Plaintiff’s claims are based on nothing more than a speculation that she will be a
victim of wrongdoing at some unidentified point in the indefinite future.”75
In Hendricks v. DSW Inc., the court characterized the plaintiff’s claim as an
entitlement to damages “to buy peace of mind, or to help her determine if and when a
claim accrues through actual loss.”76
The plaintiffs have tried to respond in another way. They point to the so-called
“medical monitoring” cases in which some courts have permitted plaintiffs to recover the
costs of medical monitoring after exposure to toxic chemicals (e.g. PCBs, asbestos, and
drugs found to have harmful but latent side effects). The data security breach plaintiffs
argue that their situation is analogous.
The U.S. courts have so far been unreceptive to this argument. They have stated
that in the medical monitoring cases, there is evidence of actual exposure to the toxin
(even though the subsequent development of disease is uncertain), whereas in the data
security breach cases, there may not be evidence that the data has even been “exposed” to
thieves77 or that a third party intends to make unauthorized use of the information.78
Defendants have also argued that the policy concerns at issue in medical
monitoring cases are different from those in data security breach cases. They argue that
74 Stollenwerk, supra note 40 at p.12.
75 Key, supra note 40 at p.17.
76 Hendricks, supra note 40, at p.11.
77 Giordano, supra note 40; Stollenwerk, supra note 40; Forbes, supra note 40.
78 Key, supra note 40.
the interest in data security is not as compelling as the interest in preserving public
health.79 Furthermore, they argue, any injury from identity theft can be fully
compensated with money once it arises, whereas harm to health cannot be fully
compensated monetarily.80
There are two key distinctions being drawn between the medical monitoring cases
and the data security breach cases. First, they differ in how certain we are that the
present exposure will result in future harm. In the medical context, we know that there is
a present significant exposure to a toxin that is known to produce disease in a certain
number of cases. In the data security breach context, we do not necessarily know if the
data has been taken or just destroyed. However, where we do know that data has been
targeted or, even more compelling, a proportion of the data has been used in identity
fraud, the analogy between medical monitoring and data security breach cases is more
persuasive.
Second, the two contexts are said to differ in relation to the public policy interests
at issue. The court in Stollenwerk found that human health is more compelling an interest
than financial health, and that the harm caused by a data security breach could be
completely remedied once it occurs with money damages while harm to health cannot.
However, given the harmful effects of financial insecurity and fraudulent impersonation
on human health and psychological well-being, these apparently self-evident conclusions
are questionable.
The policy reasons for which some courts have permitted the recovery of medical
monitoring expenses would seem to apply in the data security breach context. In the U.S.
Supreme Court’s decision in Metro-North Commuter Railroad Co. v. Buckley,81 the court
expressed a concern that the recognition of medical monitoring claims might lead to a
flood of awards that might deplete the funds available to compensate those suffering
actual harm. As a result, the court expressed approval of the limitations and cautions
built into certain judicial decisions that recognized damages for medical monitoring (e.g.
court-supervised funds to administer medical monitoring costs). Despite its concerns
regarding medical monitoring awards, it acknowledged the policy considerations that had
led some state courts to provide a remedy, including the unfairness of requiring the
negligently-exposed plaintiff to bear the cost of monitoring. To this, one could add the
importance of deterring and discouraging behaviour that puts others at risk. The Court in
the case of In re Paoli Railroad Yard PCB Litigation raised the importance of deterrence
as a function of the tort system.
“The policy reasons for recognizing this tort are obvious. Medical monitoring
claims acknowledge that, in a toxic age, significant harm can be done to an
individual by a tortfeasor, notwithstanding latent manifestation of that harm.
79 Stollenwerk, supra note 40: The court found this to be a persuasive argument, noting that “[i]t is, in large
part, this public health interest that justifies departure from the general rule that enhanced future risk of
injury cannot form the sole basis for a negligence action.”
80 Ibid.
81 521 U.S. 424 (1997).
Moreover, as we have explained, recognizing this tort does not require courts to
speculate about the probability of future injury. It merely requires courts to
ascertain the probability that the far less costly remedy of medical supervision is
appropriate. Allowing plaintiffs to recover the cost of this care deters
irresponsible discharge of toxic chemicals by defendants and encourages plaintiffs
to detect and treat their injuries as soon as possible. These are conventional goals
of the tort system as it has long existed in Pennsylvania.”82 [emphasis added]
These policy arguments in favour of the recovery of monitoring expenses apply in
the context of data security breaches. The early detection of identity fraud reduces the
harm to the plaintiff as well as the harm that ramifies throughout the economy through
credit card chargebacks. It is also likely that liability for monitoring expenses might help
to deter unreasonable carelessness and lead organizations to take better care of sensitive
information.
The U.S. Supreme Court’s concern about a flood of awards seems less acute in
the data security breach context than in the case of the discharge of a toxin into the
environment. The group of plaintiffs in a data security breach case is circumscribed
rather than indeterminate and unlimited. A defendant is able to constrain its exposure by
limiting the amount of information it retains.
There has been some discussion of medical monitoring claims in Canadian cases.
In Wilson v. Servier Canada Inc.83 the court considered a class certification application
dealing with weight loss drugs that were withdrawn from the market due to concern over
life-threatening side effects. The plaintiff sought to recover damages for the costs of
medical screening and diagnosis, including any subrogated claims by provincial and
private health benefit insurers.84 The defendants objected that Canadian tort law does not
permit plaintiffs to recover medical expenses to detect a possible injury, and further that
merely creating a risk of injury is not actionable.85 The court noted that U.S. cases on
the recovery of medical monitoring costs were conflicting, but that plaintiffs have been
successful where they have proved their exposure to a toxic substance that causes a
significantly increased risk of contracting a serious latent disease.86 The court ruled that
the recoverability of medical monitoring costs was a suitable common issue for the
purpose of the class certification hearing.87 The court commented further that it was
arguable that plaintiffs ought to be compensated for the medical screening made
necessary by the exposure.
“If it is proven that exposure to a toxic substance significantly increases the risk
of contracting a serious disease it is arguable that persons exposed to that toxic
substance even if medical screening ultimately determines that they have not
82 In re Paoli Railroad Yard PCB Litigation 916 F.2d 829 (3rd Cir. 1990) at p. 852.
83 [2000] O.J. No. 3392 (Ont. S.C.J.)
84 Ibid. at para 127.
85 Ibid. at paras. 129-130.
86 Ibid. at para. 132.
87 Ibid. at para. 133.
contracted the associated disease should be compensated for the cost of medical
screening made necessary by their exposure. (It has been noted that Health
Canada’s advisory issued September 15, 1997 recommended that persons who
had taken either drug should consult their physician immediately.)”88
The certification of the class action was upheld by the Divisional Court,89 but
eventually culminated in a settlement.90
The plaintiffs in data security breach cases are in a very difficult position. They
are instructed by the defendants (as well as by government bodies91) to take certain
measures to protect themselves against identity fraud following a data security breach.
This suggests that the measures are reasonable. Should identity fraud occur, they will be
expected to have taken reasonable steps to mitigate their damages, likely including the
recommended self-protective measures.
In other words, the plaintiffs must incur this expense without a very strong
likelihood of being able to recover it if they succeed in preventing identity fraud, or of
being able to recoup it later once identity fraud occurs since causation is so difficult to
establish. Meanwhile, the negligent defendant transfers the cost of the data security
breach to the innocent plaintiffs. Although U.S. case law to date suggests that plaintiffs
face a steep uphill battle in attempting to obtain damages to cover the cost of self-
protection measures such as credit monitoring services or identity theft insurance, it is to
be hoped that Canadian courts will note the advisability of causing careless organizations
to internalize the costs of their own carelessness. In this way, the organizations will
hopefully be encouraged to adopt reasonable safeguards to protect sensitive data in their
care or to limit the amount of data that they retain.
Part III Liability for Data Security Breaches in the Canadian Context
It is likely that the problems facing U.S. plaintiffs that were outlined above will
also arise in Canada. Another problem that is mentioned from time to time in the U.S.
cases is the “pure economic loss” rule, which restricts the recovery of pure economic
losses in negligence.92 This issue will also arise in Canada, as will be discussed below.
In addition, another interesting issue that arises in Canada is the question of whether
plaintiffs are obliged individually to follow the procedure set out in legislation such as
PIPEDA rather than resorting to a class action before the courts. These procedural
restrictions may arise by virtue of the decision in Board of Governors of Seneca College
88 Ibid.
89 Wilson v. Servier Canada Inc. (2000), 52 O.R. (3d) 20 (Ont. Div. Ct.)
90 Wilson v. Servier Canada Inc. (2005), 252 D.L.R. (4th) 742 (Settlement Order). The settlement
agreement is available at <www.kleinlyons.com/diet/sett_agmt.pdf>.
91 Privacy Commissioner of Canada, “Identity Theft a Primer,” (March 2007),
<http://www.privcom.gc.ca/id/primer_e.asp>; Federal Trade Commission, “What to do if your personal
information has been compromised,” (March 2005) <http://www.ftc.gov/bcp/edu/microsites/idtheft/>.
92 See Johnson, supra note 19 at p. 296, for a discussion of this issue under the different rules applicable in
the United States.
v. Bhadauria93 in which the Supreme Court of Canada rejected a novel common law tort
claim where the legislature had created a comprehensive statutory scheme to deal with
the matter at issue. If plaintiffs are forced to use the PIPEDA procedure this would
greatly reduce the deterrent impact of civil liability on careless data security. Finally, it is
worthwhile addressing the suggestion that defendants should not be responsible for the
intervening criminal acts of third parties who steal data or commit identity fraud. This
section will address these issues in turn.
(a) The Recovery of Pure Economic Loss
A “pure economic loss” is a loss that is not associated with physical injury to the
plaintiff’s own person or property.94 Canadian tort law has developed special rules
regarding the recoverability of pure economic loss in negligence cases.
It would seem that the harm associated with data security breaches and identity
fraud is most often pure economic loss. This might include the cost in time and money of
preventing or restoring damage to credit and the cost of defending against collection
attempts.95 In some cases, the breach of data security has been associated with
subsequent personal physical injury, including murder.96 This is fortunately rare. Most
plaintiffs allege mental distress as a result of the breach, which would count as physical
injury rather than pure economic loss. However, the mental distress rarely rises to the
level that seems to be required to provide a basis for a negligence action (i.e., mental
distress manifesting itself in a diagnosable illness).
Nevertheless, mental distress to the requisite degree may occur in some cases.
The plaintiff in Jones alleged that she had suffered the aggravation of a psychiatric
condition as a result of the identity theft, which forced her to close her business.97 The
Jones court did not address whether this loss was compensable since the plaintiff’s claim
failed for lack of evidence of causation, the bank having replaced the funds taken from
the plaintiff’s account and there being no evidence linking the extensive identity theft to a
security breach at the defendant bank. Randolph et al v. ING Life Insurance and Annuity
Co.98 suggests that other forms of personal injury claims might be possible in appropriate
cases. The plaintiffs in Randolph argued, inter alia, that the personal safety of police
personnel was at risk following the theft of the plaintiffs’ personal information (including
names and addresses). Personal injury claims might also arise where personal
information is used by stalkers to locate their victims.99 Johnson also proposes a
93 Supra note 45.
94 Bruce Feldthusen, Economic Negligence, 4th ed., (Scarborough: Carswell, 2000), at p.1.
95 Johnson, supra note 19 at p.299, footnote 296, suggesting that victims might also have to bear
opportunity costs resulting from bad credit, such as higher interest and lower credit limits.
96 Remsburg v. Docusearch, Inc. 816 A.2d 100 (N.H. 2003), which dealt with the sale of personal
information about a woman to a stalker who used it to locate and murder her.
97 Jones v. Commerce Bank. N.A. et al. 2006 U.S. Dist. LEXIS 65630 (S.D.N.Y. 2006) at p. 4-8.
98 Supra note 40.
99 Supra note 96.
hypothetical property damage claim where a newspaper’s records are hacked to permit
burglars to determine who is away on vacation.100
However, in most cases the losses resulting from a data security breach relate to
the costs in time and money of preventing identity fraud (e.g. closing accounts,
monitoring credit reports, purchasing insurance or identity theft prevention services) or
remedying the consequences of identity fraud (e.g. the considerable amounts of time and
effort required to restore damaged credit, or the purchase of services to assist with this
effort). These appear to be pure economic losses.
A plaintiff might attempt to avoid the characterization of the harm as “pure
economic loss” by arguing that personal information is a form of property which can be
“damaged” by being disclosed. This seems unlikely to succeed given that Canadian
precedent suggests that data loss is pure economic loss that is not recoverable. In
Seaboard Life Insurance Co. v. Babich [1995] B.C.J. No. 1868 (B.C.S.C.), the defendant
knocked over a wooden hydro pole, causing a power outage that interrupted the plaintiff’s
computer system and caused the loss of some data, which had to be re-entered into the
system. The court held that the data loss was a pure economic loss rather than property
damage. The court further declined to award damages for pure economic loss due to the
policy concern that such an award would expose the defendant to indeterminate liability,
as any number of potential plaintiffs might have been affected by the power outage, and
because the court felt that the proximity between the defendant and plaintiff was
insufficient.
The question then remains: If the damages at issue in breaches of data security
are “pure economic loss,” are they recoverable? Common law courts have historically
been reluctant to grant recovery of pure economic losses in negligence. The policy
concerns underlying this reluctance are the fear of imposing ruinous and indeterminate
liability on defendants out of proportion with their degree of fault,101 the fear that
lawsuits will proliferate and absorb excessive amounts of scarce judicial resources,102 the
need to respect and protect contractual allocations of loss, and the desire to preserve the
vigorous free market competition that might be discouraged by the prospect of liability
for the negligently-inflicted pure economic loss of a competitor.103 In addition, pure
economic losses are viewed as “less compelling of protection than bodily security or
proprietary interests.”104
100 Johnson, supra note 19 at p. 294.
101 This concern was expressed by Justice Cardozo in Ultramares Corp. v. Touche (1931), 174 N.E. 441,
255 N.Y. 170 (C.A.), where he noted the risk of ruinous and open-ended liability “…in an indeterminate
amount for an indeterminate time to an indeterminate class.” The Supreme Court of Canada considers the
“spectre of unlimited liability to an unlimited class” when deciding whether to recognize a novel duty of
care in negligence (Cooper v. Hobart (2001), 206 D.L.R. (4th) 193 (S.C.C.)), and when deciding whether to
permit the recovery of pure economic loss in a novel context (“the scope of indeterminate liability remains
a significant concern underlying any analysis of whether to extend the sphere of recovery for economic
loss” (Martel Building Ltd. v. Canada (2000), 193 D.L.R. (4th) 1 (S.C.C.)).
102 Supra note 94 at p.11.
103 John G. Fleming, The Law of Torts, 9th ed., (Sydney: Law Book Co. Ltd., 1998) at p.193.
104 Martel Building Ltd. v. Canada (2000), 193 D.L.R. (4th) 1 (S.C.C.) [“Martel”].
Nevertheless, Canadian law now recognizes various categories of recoverable
pure economic loss, including those resulting from negligent misrepresentation, negligent
performance of a service, negligent supply of shoddy goods or structures, relational
economic loss and the liability of statutory authorities.105 Several of the established
categories of recoverable pure economic loss may be relevant in the data security breach
context, namely liability for negligent misrepresentations and liability for negligent
performance of a service.
In order to establish a claim in negligent misrepresentation, the plaintiff must
establish (1) that there is a duty of care based on a "special relationship" between the
representor and the representee; (2) that the representation in question was untrue,
inaccurate, or misleading; (3) that the representor acted negligently in making the
misrepresentation; (4) that the representee relied, in a reasonable manner, on the
negligent misrepresentation; and (5) that the reliance was detrimental to the representee
in the sense that damages resulted.106 The duty of care mentioned in element (1) is
established by showing a prima facie duty of care, and that the prima facie duty of care is
not negatived or limited by policy considerations.107 In order to establish the prima facie
duty of care, the plaintiff must show that the defendant ought reasonably to have foreseen
that the plaintiff would rely on his or her representation and that the plaintiff’s reliance
was reasonable in the circumstances of the case.108 At the second stage, the court will
address policy considerations, of which the major concern in negligent misrepresentation
cases is indeterminate liability.109
Liability for negligent misrepresentation seems appropriate for certain data
security breaches, particularly those in which a defendant has claimed through its privacy
policy or otherwise that it uses reasonable measures to protect personal information. A
plaintiff will need to show that he or she was aware of the representation and provided
personal information in reliance on the representation. The concern over indeterminate
liability is certainly less persuasive in this context than in the auditor liability context at
issue in cases such as Hercules Management.110 Liability in the data security breach
context may be large but it is determinate in certain ways. The breach will affect a
bounded number of persons (although it may be less clearly bounded in time or with
respect to the value of the individual losses). In addition, a defendant in the data security
breach context has much greater control over potential liability than an auditor who
cannot control who will choose to rely on audited financial statements that are made
public. Organizations that hold data can restrict the amount and type of data they hold in
order to limit their liability in the event of a security breach. The possibility of
indeterminate and disproportionate liability might also be addressed by restricting the
recovery to certain types of damages. Johnson would restrict recoverable damages to the
105 Ibid., at para. 38.
106 Queen v. Cognos, [1993] S.C.J. No. 3, at para. 33.
107 Hercules Management Ltd. v. Ernst & Young, [1997] S.C.J. No. 51.
108 Ibid. at para. 24.
109 Ibid. at para. 31.
110 Ibid.
out-of-pocket expenses involved with preventing or remedying identity fraud, denying
recovery for lost time and opportunities lost due to bad credit.111 In his view, the danger
of indeterminate and disproportionate liability is too great particularly with respect to
opportunity costs.112
Liability for the negligent performance of services is also recognized as giving
rise to recoverable pure economic loss, and may offer another basis upon which to argue
that pure economic losses are recoverable for negligently-caused data security breaches.
If neither of these established categories seems well-suited to the data security
breach situation, this is not the end of the inquiry as the Supreme Court has stated that
new categories of recoverable pure economic loss can be recognized in appropriate cases.
It has set out a framework for doing so in Martel Building Ltd. v. Canada.113 The
approach used is the familiar two-stage Anns test, as more recently developed and
clarified in Cooper v. Hobart.114 The first stage focuses on the question of whether there
is a prima facie duty of care because the harm to the plaintiff was reasonably foreseeable
and a relationship of proximity existed between plaintiff and defendant. Cooper v.
Hobart offered some guidance on the meaning of proximity.
“Defining the relationship may involve looking at expectations, representations,
reliance, and the property or other interests involved. Essentially, these are
factors that allow us to evaluate the closeness of the relationship between the
plaintiff and the defendant and to determine whether it is just and fair having
regard to that relationship to impose a duty of care in law upon the defendant.”115
At the second stage of the inquiry, the court determines whether there are
remaining policy reasons to refuse to recognize a duty of care. These residual policy
considerations “are not concerned with the relationship between the parties, but with the
effect of recognizing a duty of care on other legal obligations, the legal system and
society more generally. Does the law already provide a remedy? Would recognition of
the duty of care create the specter of unlimited liability to an unlimited class? Are there
other reasons of broad policy that suggest that the duty of care should not be
recognized?”116
In my view, the case for the recovery of pure economic loss in the context of data
security breaches is fairly strong. Even if the categories for negligent misrepresentation
or the negligent performance of a service are unsuitable, a case can be made for a new
category of recoverable pure economic loss.
111 Johnson, supra note 19 at p. 301-302.
112 Ibid. at p. 302: “To say that a negligent database possessor should be liable to a broad class of persons
for all of their lost opportunities - as well as out-of-pocket and perhaps other damages - would quickly pose
a serious risk of liability disproportionate to fault.”
113 Martel, supra note 104 at para 39 et seq.
114 Cooper v. Hobart, [2001] 3 S.C.R. 537.
115 Ibid. at para. 34.
116 Ibid. at para. 37.
It is eminently foreseeable that lax security standards might result in the
compromise of personal data that is in the care and control of an organization, and that
this would expose the data subjects to the risk of identity theft. With respect to whether
there is a relationship of proximity, such that it is “just and fair” to impose a duty of care,
a plaintiff relies on the custodian of his or her personal information to use reasonable
safeguards to protect it. Furthermore, a plaintiff is also entitled to expect that reasonable
safeguards will be employed given that data custodians are obliged to do so under statutes
such as PIPEDA. To this one might add that the custodian of the information normally
assumes this responsibility voluntarily; it need not take and store another person's
personal information. In the business context, it does so presumably because it is
economically advantageous to it to do so. As a result, a prima facie case can be made
based on foreseeability of harm as well as a relationship of proximity founded on reliance
and reasonable expectations.
With respect to the existence of policy reasons to negative or limit the prima facie
duty of care, it is true that other remedies are available such as those available under
PIPEDA. However, the enforcement regime offered by PIPEDA may be inadequate to
deter the careless handling of data.117 The deterrence of unreasonably careless conduct is
also a policy reason favouring imposition of liability in this context.118 Johnson makes
the point that liability in this case ought not to catch holders of data by surprise given
they are already obliged under statute to adopt reasonable data safeguards.119 With
respect to the specter of indeterminate liability (a key policy concern underlying judicial
reluctance to permit the recovery of pure economic loss), as discussed above, recovery
for data security breaches does not create uncontrollable and indeterminate liability.
(b) The Effect of Statutory Data Safeguard Requirements on the Negligence Claim
The plaintiff in a negligence claim must establish that the defendant owed him or
her a duty of care. The question in this context, then, is whether holders of personal data
owe a duty of care to the data subjects to take reasonable measures to protect that data
from disclosure. A duty of care may be created by statute or by judges through the
application of common law principles.
In California, a statutory cause of action has been enacted in the Civil Code.
Section 1798.81.5(b) provides that a business must “implement and maintain reasonable
security procedures and practices appropriate to the nature of the [personal] information,
to protect the personal information from unauthorized access, destruction, use,
modification, or disclosure.”120 Section 1798.84 makes the statutory protection non-
waivable, and provides that a customer injured by a violation of the statute may bring a
117 The efficacy of the ombudsman model contained in PIPEDA has been raised in the current statutorily-
mandated review of the Act. Privacy Commissioner of Canada “PIPEDA Review Discussion Document”
(July 2006) < http://www.privcom.gc.ca/information/pub/pipeda_review_060718_e.asp#008>.
118 See the discussion of policy issues from the American perspective in Johnson, supra note 19 at p. 276-
277.
119 Ibid. at p. 277.
120 California Civil Code, § 1798.81.5(b). Note that certain institutions are excepted from this provision by
§1798.81.5(e).
civil action for damages.121 Although an explicit statutory cause of action helps to settle
the question of whether there is a duty of care, the California Civil Code provisions have
been criticized for not providing direction on what security practices and procedures are
required and for not making it clear what forms of damages may be recovered.122 In
particular, there is uncertainty over whether damages for emotional distress and pure
economic loss are recoverable under the statute.123
Where there is no explicit civil cause of action within the statute, a duty of care
may still be found according to common law negligence principles. Any applicable
statutes will be relevant to this inquiry even if they don’t explicitly mention a civil cause
of action. In Canada, a statutory requirement may provide evidence of a duty of care in
negligence.124 On the other hand, the Supreme Court of Canada has held that where the
legislature has created a complete code to deal with a particular problem, the common
law courts may not create a parallel set of common law remedies that would undermine
the legislature’s attempt to address the problem.125 It is accordingly necessary to consider
Canadian laws that impose requirements to safeguard personal data in order to determine
their effect on a possible negligence cause of action.
A number of statutes are relevant to data security breaches in Canada. The
federal Personal Information Protection and Electronic Documents Act (“PIPEDA”)
creates obligations relating to the handling of personal information, including an
obligation to use reasonable safeguards to protect the information.126 PIPEDA applies in
all provinces except Alberta, British Columbia and Quebec, which have enacted their
own “substantially similar” legislation. Ontario has enacted “substantially similar”
legislation applicable only to personal health information. These provincial acts also
impose obligations to use reasonable safeguards to protect data.127
The question arises about the effect of this legislation on the common law action
in negligence. As the Supreme Court of Canada has indicated,
“[t]o determine what interaction there is between the common law and statute
law, it is necessary to begin by analyzing, identifying and setting out the
121 Cal. Civ. Code, §1798.84(a) and (b).
122 Johnson, supra note 19 at p.265-266.
123 Ibid.
124 R. v. Saskatchewan Wheat Pool [1983] 1 S.C.R. 205.
125 Supra note 45.
126 Supra note 17. Principle 7 provides that “personal information shall be protected by security safeguards
appropriate to the sensitivity of the information.” The security safeguards must protect against loss or theft,
as well as unauthorized access, disclosure, copying, use or modification. Section 4.7.3 indicates that the
methods of protection should include (a) physical measures (e.g. locked cabinets and limiting physical
access), (b) organizational measures (e.g. security clearance, and limiting access on a “need to know” basis,
and (c) technological measures (e.g. encryption and passwords). Organizations must make their employees
aware of the importance of maintaining confidentiality (4.7.4) and must take care in the disposal or
destruction of information to prevent access by unauthorized parties (4.7.5).
127 Personal Information Protection Act, S.A. 2003, c. P-6.5, s.34; Personal Information Protection Act,
S.B.C. 2003, c.63, s.34; An act respecting the protection of personal information in the private sector,
R.S.Q. c. P-39.1, s.10; Personal Health Information Protection Act, S.O. 2004, c.3, s. 12.
applicable common law, after which the statute law's effect on the common law
must be specified by determining what common law rule the statute law codifies,
replaces or repeals, whether the statute law leaves gaps that the common law must
fill and whether the statute law is a complete code that excludes or supplants all of
the common law in the specific area of law involved.”128
Setting aside the provincial legislation for the purpose of the analysis in this
article, PIPEDA creates a fairly comprehensive scheme for the protection of personal
information in the private sector. It describes obligations and provides a scheme to
enforce the obligations. The Supreme Court has indicated that when the legislature
creates a comprehensive scheme to govern a particular matter, the courts are foreclosed
from developing common law remedies in tort.129 If this precedent applies in the case of
PIPEDA, those affected by a data security breach may be required to go through the
PIPEDA process, including a complaint to the Privacy Commissioner followed by an
application to the Federal Court for damages, rather than being able to proceed directly
with a civil lawsuit outside the PIPEDA scheme.
The significance of this is that PIPEDA appears not to permit a class action on
behalf of those affected by a breach of data security. First, s.14(1) of PIPEDA specifies
that a complainant may bring an application, rather than an action before the Federal
Court. Second, the current interpretation of PIPEDA appears to prevent a representative
of a group from proceeding before the Federal Court on behalf of the group. In Turner v.
Telus Communications Inc.,130 the Federal Court considered the standing of a union to
apply for a hearing before the Federal Court under s.14(1) of PIPEDA. Section 14(1)
provides that “a complainant” may apply to the Court for a hearing after receiving the
Privacy Commissioner’s report. The Court first noted that s.11(1) of PIPEDA provides
that “an individual” may file a written complaint with the Privacy Commissioner.131
Both Telus and the Privacy Commissioner argued that the union was not entitled to file a
complaint since it was not “an individual.”132 The Court accepted that this union was not
“an individual” although it left open the question of whether a union could be “an
individual” where a collective agreement between the union and employer authorized it
to represent its members for the purposes of PIPEDA.133 However, in this case, the union
was not “an individual” and had not made a complaint under s.11(1). As a result, it was
not a “complainant” under s.14(1) and was not entitled to apply to the Federal Court for a
hearing. Although Turner is not strictly on point, this case suggests that an individual
complainant would not be entitled to represent others in a hearing before the Federal
Court or in a complaint to the Privacy Commissioner.
If those affected by a data security breach must proceed individually through the
PIPEDA process before individually attempting a claim for damages before the Federal
128 2747-3174 Québec Inc. v. Quebec (Régie des permis d'alcool) [1996] S.C.J. No. 112, at para. 97.
129 Supra note 45.
130 Turner v. Telus Communications Inc. [2005] F.C.J. No. 1981.
131 Ibid. at para. 34.
132 Ibid.
133 Ibid. at para. 37.
Court, the legal repercussions for negligent data custodians are likely to be significantly
lessened. In those cases where plaintiffs have not yet suffered identity fraud and are
seeking only the costs of credit monitoring, it is less likely that they will be willing to
incur the expense of proceeding alone in Federal Court. This type of loss is the kind of
small but widespread loss that is economically suited to the class action mechanism.
Therefore, the consequence of forcing plaintiffs into the PIPEDA process may be to
remove the deterrent impact of civil liability for unreasonably insecure data handling
practices.
Returning then to the question of whether the enactment of PIPEDA forecloses
the availability of a parallel common law remedy before the courts, it is necessary to
consider the Supreme Court’s decision in Board of Governors of Seneca College of
Applied Arts & Technology v. Bhadauria.134 In Bhadauria, the Supreme Court
overturned the Court of Appeal’s recognition of a new intentional tort of discrimination
because the Ontario Human Rights Code had established a comprehensive procedure for
the vindication of the rights affected and the public policy at issue. As noted above,
PIPEDA too creates a reasonably comprehensive set of obligations and an enforcement
mechanism.
The Supreme Court applied the Bhadauria rule in a different context in Frame v.
Smith.135 In that case, the Supreme Court considered the claim by a father for damages
resulting from his estranged wife’s alleged frustration of his right of access to his
children. The Court stated that courts have been reluctant to recognize a tort to govern
this situation, and that, in any event, this claim had been overtaken by legislation that
dealt in a comprehensive manner with the issues arising from the custody of children.
The statutory scheme provided courts with a range of powers to enforce custody
arrangements and to impose fines and imprisonment for the obstruction of court orders
relating to custody or access. The Court found the situation in Frame to be analogous to
that in Bhadauria, as both involved a comprehensive statute that had been enacted to deal
with the problem “in the face of rudimentary common law development.”136 There was
no need to supplement the comprehensive statutory scheme with “common law
accretions” which might undermine the statutory scheme.137
Does PIPEDA foreclose the recognition of liability in negligence for data security
breaches because PIPEDA already imposes an obligation to protect data security and a
system for enforcing that obligation? Despite Bhadauria, there are two reasonable
arguments to suggest that PIPEDA does not foreclose civil liability in this context.
First, a claim in negligence for damages resulting from data security breaches
does not seek to have the court recognize a new tort, nor is this a situation of
“rudimentary common law development.” Instead, the claim is based on the well-
established tort of negligence. In Bhadauria, Laskin C.J.C. appeared to distinguish
134 Supra note 45.
135 (1987), 42 D.L.R. (4th) 81 (S.C.C.).
136 Ibid. at para. 13.
137 Ibid at para. 15.
negligence from the claim raised by the plaintiff, which he characterized as novel and
unrelated to existing legal duties.
“It is one thing to apply a common law duty of care to standards of behaviour
under a statute; that is simply to apply the law of negligence in the recognition of
so-called statutory torts. It is quite a different thing to create by judicial fiat an
obligation--one in no sense analogous to a duty of care in the law of negligence--
to confer an economic benefit upon certain persons, with whom the alleged
obligor has no connection, and solely on the basis of a breach of a statute which
itself provides comprehensively for remedies for its breach.”138
Negligence is a well-established tort even if it is applied from time to time in
novel contexts. Nevertheless, a difficulty may arise if the damages sought in this case are
a form of pure economic loss the recovery of which is not yet acknowledged by Canadian
negligence law. If it is necessary to craft another category of recoverable pure economic
loss, the argument that plaintiffs in data security breach cases are not asking for the
recognition of a new tort may be vulnerable.
Second, in both Bhadauria and Frame, the Supreme Court concluded that
provincial statutory regimes foreclosed the development of a common law remedy in tort.
It could be argued that permitting a federal statutory scheme (such as PIPEDA) to do the
same would violate the constitutional division of powers, which assigns responsibility for
“property and civil rights” to the provinces under s.92(13) of the Constitution Act,
1867.139 Nevertheless, federal laws establishing comprehensive schemes to address
certain matters have also been held to foreclose private civil claims relating to the same
matters, although any potential constitutional question does not seem to have been
raised.140
Where there are valid (i.e., intra vires) but inconsistent federal and provincial
laws, Canadian constitutional law applies the “doctrine of federal paramountcy” to
resolve conflicts in favour of the federal law.141 This would be the case where one law
expressly contradicts another,142 or where the provincial law would frustrate the purpose
of the federal law,143 but a provincial law that merely duplicates or supplements a federal
law is not inconsistent with the federal law.144 In the present case, however, we are
considering whether a federal legislative scheme (presumably validly enacted by
Parliament) may supplant a common law remedy. The issue from the traditional
paramountcy perspective is whether there are conflicting statutes. A useful thought
experiment is to ask whether a provincial law creating a statutory cause of action for
negligence in the handling of personal data would be inconsistent with the scheme
138 Ibid. at p. 189.
139 R.S.C. 1985, Appendix II, No. 5.
140 See, e.g. Allen v. C.F.P.L. Broadcasting Ltd. [1995] O.J. 497 (Ont. Gen. Div.); Conrad v. Imperial Oil
(1999), 173 D.L.R. (4th) 286 (N.S.C.A.).
141 Peter Hogg, Constitutional Law of Canada (Scarborough: Carswell, 2007-) at p.16-2.
142 Ibid at p.16-4.
143 Ibid at p. 16-5.
144 Ibid at p. 16-8.
created by PIPEDA. To the extent that PIPEDA aims to create an administrative and
initially non-litigious system for the resolution of disputes there may be some
inconsistency. PIPEDA provides a scheme whereby complaints are investigated by the
Privacy Commissioner of Canada, and applications to the Federal Court for binding
orders or damages awards may only take place following the Privacy Commissioner’s
report in the matter.145 Several provincial laws have been recognized by the Governor in
Council as substantially similar to PIPEDA, and therefore applicable in lieu of
PIPEDA.146 It is noteworthy that these laws also provide for administrative complaints
and investigation processes, albeit with stronger administrative remedial powers than
PIPEDA, and in some cases a subsequent cause of action for damages.147
The previous thought experiment involved a provincial statutory cause of action
for damages arising from a breach of data security. In the current context, however, the
potential conflict is between PIPEDA and a common law claim in negligence. It seems
fairly clear that the federal government may create statutory causes of action, as long as
they are sufficiently related to a legislative scheme that falls within the enumerated
federal heads of power.148 The current problem is whether the federal government may
oust or limit civil liability by enacting a comprehensive administrative scheme to address
a particular problem.
Hogg cites several cases in which the constitutional validity of federal statutory
limits on civil causes of action has been considered.149 In Clark v. Canadian National
Railway Co.,150 the Supreme Court considered a negligence claim against the railway
brought by a child who had been struck by the train. The claim was brought after the
two-year limitation period set by the Railway Act but before the expiry of the applicable
provincial limitation period. The Court characterized the problem as follows:
“Rights of action for damages for personal injury and the procedure relating
thereto is a matter which, for constitutional purposes, falls within exclusive
provincial legislative competence in relation to “Property and Civil Rights”
(Constitution Act, 1867, s.92(13)) and “Procedure in Civil Matters” (s.92(14)).
Parliament has exclusive legislative jurisdiction in relation to railways and works
declared to be for the general advantage of Canada (ss. 91(29), 92(10)). Under
which head of power does the prescription of the respondent’s action fall? The
case law does not present a crystal clear answer.”151
145 Supra note 17 at ss.14 and 16.
146 Supra note 17 at s. 26(2). The Governor-in-Council has in fact recognized the legislation of four
provinces as substantially similar.
147 Supra note 127.
148 Hogg, supra note 141 at p. 18-21 to 18-23. See also Kirkbi AG v. Ritvik Holdings Inc. [2005] S.C.J. No.
65.
149 Hogg, supra note 141 at p. 18-23.
150 [1988] 2 S.C.R. 680.
151 Ibid. at para. 27.
Various courts had previously held that the federal limitation provision was
incidental to the federal power over railways, and was therefore intra vires.152 However,
in Clark the Supreme Court held that a limitation provision was not an “integral part” of
the federal jurisdiction in relation to railways, which had to do with planning,
establishing, supervising and maintaining the construction and operation of railways.153
Rather, the limitation provision was “an attempt to reframe for the benefit of railway
undertakings the general legal environment of property and civil rights in which these
undertakings function in common with other individuals and enterprises.”154 As a result,
it was constitutionally invalid on the facts in Clark. The Supreme Court held that the
Railway Act’s limitation period would apply only to breaches of statutory causes of
action validly created under the Railway Act.155
In another case, however, a federal limitation on civil liability was held to be
applicable. In Whitbread v. Walley156 the Supreme Court considered the constitutionality
of two provisions in the Canada Shipping Act, R.S.C. 1985 c. S-9 limiting liability for
damages resulting from injury to person or property in a case involving a pleasure craft.
The Supreme Court held that tortious liability arising in the maritime context is governed
by maritime law, which falls within the exclusive jurisdiction of the federal Parliament.
The Court went on to note that,
“if a right of action comes within provincial legislative jurisdiction, so too must a
limitation of that right. The same reasoning must surely apply in respect of rights
of action that come within the legislative jurisdiction of the federal
government.”157
It was essential in Whitbread that “maritime law” existed as a body of federal law
which, the Supreme Court had previously held, encompassed the common law of tort,
contract and bailment.158 This law fell within federal jurisdiction by virtue of
Parliament’s power to legislate with respect to “navigation and shipping” per s.91(10) of
the Constitution Act, 1867. The Supreme Court distinguished Whitbread from Clark.159
It suggested that Clark involved a purported federal limitation to an action for damages
arising under provincial law, while Whitbread concerned tortious liability arising under
federal maritime law.
“Little more need be said to show that Clark and the present case are completely
distinguishable. There is in Parliament's jurisdiction over railways (and other
federal works and undertakings) nothing even remotely comparable to the body of
maritime law that is a central feature of its jurisdiction over navigation and
shipping. The tortious liability of those who own and operate railways, unlike that
152 Ibid. at paras. 28-39.
153 Ibid. at para. 52.
154 Ibid. quoting La Forest J.A. in Clark v. CNR, (1985) 17 D.L.R. (4th) 58.
155 Ibid. at para. 53.
156 [1990] 3 S.C.R. 437.
157 Ibid. at para.19.
158 Ibid., at paras. 18-22, 26.
159 Ibid. at para. 33.
of those engaged in navigation and shipping generally, falls to be determined
according to the ordinary and generally applicable law of negligence -- that is,
according to "provincial law".”160
It would seem, based on these cases, that the validity of federal limits on common
law tort actions depends upon the context, and is more likely where there is a
comprehensive body of federal law that can be said to have incorporated tortious liability.
It does not seem entirely obvious when this will be the case, although the long-standing
and distinctive nature of maritime law may make this clearer in the context of boating
accidents. In the context of data protection legislation, it seems unlikely that the federal
government could point to a sufficiently well-developed and distinctive body of law that
could validly oust or limit a negligence claim brought under the ordinary rules of tort.
It is perhaps worth noting that the Ontario Superior Court of Justice has recently
moved forward with the recognition of the common law tort of invasion of privacy
notwithstanding the existence of PIPEDA. Unfortunately, this is not entirely solid
evidence that tort law can develop in parallel with PIPEDA to deal with privacy
protection because PIPEDA would not have applied to the facts in Somwar v.
McDonald’s Restaurants of Canada Ltd.161 in any event. Somwar involved a claim
against an employer who was not subject to the requirements of PIPEDA in relation to
information collected about employees.162 As a result, the question of whether PIPEDA
foreclosed the availability of a common law remedy in that case was not relevant since
PIPEDA was inapplicable.
A complete constitutional analysis is beyond the scope of this article, but the issue
seemed sufficiently interesting to be raised for the consideration of the reader. As noted
above, there may be a reasonable policy argument based on Bhadauria that the parallel
availability of common law remedies in negligence might undermine a constitutionally-
valid federal attempt to create an administrative system to resolve disputes over data
privacy. On the other hand, the fact that Bhadauria foreclosed the recognition of novel
torts rather than the application of negligence law, as well as the argument based on the
constitutional division of powers, suggest that it may be inappropriate to interpret
PIPEDA as having the effect of ousting claims in negligence.
(c) The effect on liability of the intervening criminal acts of third parties.
Defendants in data security breach cases sometimes argue that they should not be
responsible for the intervening criminal acts of third parties who steal personal
information or those who use the information to commit identity fraud. This issue is
sometimes approached as a question of duty: Does the defendant owe a duty of care to
160 Ibid. at para. 33.
161 Somwar v. McDonald’s Restaurants of Canada Ltd. (2006) CANLII 202 (Ont. S. C. J.).
162 By virtue of s.4(1)(b), PIPEDA applies to employee information collected by organizations that are
engaged in federal works, undertakings or businesses. See Privacy Commissioner of Canada, “Fact Sheet:
Application of the Personal Information Protection and Electronic Documents Act to Employee Records,”
<http://www.privcom.gc.ca/fs-fi/02_05_d_18_e.asp>.
protect the plaintiff from injuries caused by third parties? It is also examined as a
question of remoteness: Does the criminal act fall within the scope of the risk created by
the defendant, and so remain the defendant’s responsibility, or does it sever the causal
connection?163 There is some analytical confusion in the cases, but it is probably enough
to note that Canadian courts have held defendants responsible for the harm resulting from
the intervening criminal acts of third parties in a variety of contexts.
For example, a car dealership was 20% liable for leaving keys in the cars on its lot
when a thief speeding away with one of the cars struck and killed a pedestrian.164
Canadian courts have also held landlords responsible where their inadequate security
measures expose tenants and entrants to attack by unknown third parties.165 In the U.S., a
similar approach is taken. Johnson cites Kline v. 1500 Mass. Ave. Apartment Corp.166 in
which the court held that a landlord was not required to act as an insurer of its tenants’
safety, nor was it expected to provide protection akin to a municipal police service, but it
was expected to take those protective measures that were within its power and capacity to
take.167 The court emphasized that the landlord was the only one with the ability to take
the measures required to protect the tenants. As Johnson notes, this is also the situation
in the case of data protection.
“Individual data subjects are in a poor position to protect database information
from intruders. The database possessor, in contrast, is the only one with the ability
to mitigate the risk that intruders may cause harm. As in Kline, the database
possessor can spread the cost of providing database security to a broader class of
data subjects, at least in cases where there is a customer relationship between the
plaintiff and defendant. Kline, like Palsgraf, suggests that, at least in some
circumstances, database possessors should owe data subjects a duty to exercise
reasonable care to protect data from intruders.”168
Apart from the fact that the holders of personal data are best-placed to protect the
data in their care, other familiar strands of common law thinking are relevant to
determining whether there should be a duty of care. The courts are more likely to
recognize a duty of care where a defendant has a relationship with the plaintiff169 and
where the defendant can be said to have voluntarily assumed an obligation of care and
induced the plaintiff to rely on him or her.170
In the cases under consideration in this article, the holders of data are often in a
commercial relationship with the plaintiffs. In addition, whether or not the defendants
163 Lewis Klar, Tort Law, 3rd ed., (Toronto: Carswell, 2003), at p. 439.
164 Cairns v. General Accident Assurance Co. of Canada [1992] O.J. NO. 1432 (Ont. Gen. Div.) Note that
courts have ruled against the plaintiffs in most cases involving keys left in cars.
165 Allison v. Rank City Wall Can. Ltd. (1984), 29 C.C.L.T. 50 (Ont. H.C.).
166 439 F.2d 477 (D.C. Cir. 1970).
167 Johnson, supra note 19 at p. 273.
168 Johnson, supra note 19 at p. 274.
169 The requirement of a “proximate relationship” in finding a new duty of care is discussed in cases such as
Cooper v. Hobart (supra note 114).
170 Klar, supra note 163 at p. 196.
have privacy policies in which they agree to use reasonable measures to safeguard data,
customers are entitled to rely on the assumption that reasonable safeguards are in place
since this obligation is already imposed by statute. Presumably a business could
expressly notify customers that it will not take reasonable steps to safeguard their data,
and thus avoid the implicit assumption of a duty of care.171 Short of such notification,
businesses that choose to take and hold the personal data of the plaintiffs could be said to
have voluntarily assumed a duty of care by inducing the plaintiffs’ reasonable reliance.172
As Johnson points out, the lack of a commercial relationship can undermine the
plaintiff’s claim.173 In Huggins v. Citibank N.A.,174 the Court rejected the plaintiff’s
claim for “negligent enablement of imposter fraud,” because there was too weak a
relationship between the plaintiff and the defendant bank which had issued credit cards to
an imposter in the plaintiff’s name. In that case, the banks argued that they owed no duty
to the plaintiff since he was not their customer. In the context under discussion in this
article, however, there is a relationship between the defendant business and the plaintiff.
The plaintiff’s personal information has generally been provided to the business in the
course of a commercial transaction.
In the case of data security breaches, the whole purpose of security safeguards is
to protect sensitive data from accidental disclosure as well as from deliberate attempts by
third parties to access sensitive data. The duty (whether based on statutory obligations in
PIPEDA or on the voluntary assumption of responsibility when an organization takes and
holds the personal information of another) itself thus contains an implicit objective to
defend against deliberate criminal attack. To suggest that a defendant cannot be
responsible if such an attack occurs means that the duty is rather empty.
Furthermore, the reason why sensitive data is protected is precisely because it
may be used for criminal identity fraud. This is the foreseeable harm arising from the
compromise of sensitive data. To argue that this harm is too remote (i.e., that it does not
fall within the scope of the risk created by the defendant) once again makes little sense.
This is exactly the risk that is created when an organization fails to protect sensitive
information in its care and control from improper disclosure.
This reasoning receives support from the recent statements by the B.C. Privacy
Commissioner on the meaning of “reasonable security measures.” The Commissioner
recently indicated that the statutory requirement for the implementation of reasonable
171 PIPEDA is predicated on the consent of the data subject to the collection, use and disclosure of personal
information. There is nothing in PIPEDA to suggest that the data safeguard requirement cannot be waived,
although there is equally nothing to suggest that the safeguard obligation is subject to negotiation with data
subjects. See PIPEDA, supra note 17.
172 For a discussion of this argument under U.S. law, see Johnson, supra note 19 at p. 278-280.
173 Johnson, ibid at p. 274-275.
174 355 S.C. 329, 585 S.E.2d 275 (2003).
security measures will be satisfied only if the risks of criminal activity and other
intentional wrongdoing are considered in establishing security arrangements.175
Part IV Setting the appropriate standard of reasonable security measures
Assuming that a plaintiff can navigate around the problems mentioned above, he
or she must also establish that the defendant breached its duty of care by falling below the
applicable standard of care. Custodians of personal information may wish to further
protect themselves from liability by adopting as a minimum the expected standard of care
for the protection of data security.
This is a new application of negligence law, with most of the U.S. cases having
been decided very recently, and we have no Canadian decisions to guide us.
Nevertheless, some clues to the reasonable standard of care in Canada can be gleaned
from a number of different types of sources.176 These include the body of U.S. cases
dealing with liability for data security breaches, Canadian statutory data safeguard
requirements (e.g. PIPEDA), the orders of the federal and provincial Privacy
Commissioners relating to breaches of the statutory data safeguard requirements, the U.S.
Federal Trade Commission consent orders relating to actions against businesses for
inadequate data security precautions, U.S. statutes that impose data protection
requirements, such as the Gramm-Leach-Bliley Financial Modernization Act177 (and
guidelines promulgated under that Act) and the Health Insurance Portability and
Accountability Act of 1996,178 and various industry standards for information security
management, such as ISO/IEC 17799:2005 “Code of Practice for Information Security
Management.”
It is likely that reasonable care in relation to data security will be very context-
dependent. In addition, some aspects of the standard are likely to change rapidly as the
nature of attacks and counter-measures shifts. This is particularly the case with cyber
security. Other aspects of the standard, such as physical security measures (e.g. locked
doors and cabinets) are less likely to change as quickly.
As noted earlier, the plaintiffs in most of the cases decided so far have been
unsuccessful for various reasons other than a failure to show a breach of the applicable
standard of care.179 Nevertheless, the claims made by the plaintiffs in the decided and
175 B.C. Information & Privacy Commissioner, Investigation Report F06-01 “Sale of Provincial
Government Computer Tapes Containing Personal Information” [2006] B.C.I.P.C.D. No. 7,
<www.oipc.bc.ca/investigations/reports/InvestigationReportF06-01.pdf> at p.17.
176 See Picanso, supra note 20 at p. 378 (discussing the standard of care in the U.S. context).
177 Pub. L. No. 106-102, 113 Stat. 1338 (1999), (codified in various sections of 12 and 15 U.S.C.A.).
178 Pub. L. No. 104-191, 110 Stat. 1936 (1996), (codified in various sections of 18, 26, 29 and 42 U.S.C.A.)
179 The courts do not often reach an inquiry into standard of care because they reject the claims for failure
to state recoverable damages, or for other reasons unrelated to standard of care. Nevertheless, the court in
Guin (supra note 40) suggested that the defendant had not been unreasonable in permitting an employee to
take data home on a laptop, where the employee lived in a relatively safe neighbourhood and had taken
reasonable precautions to protect his house from intruders. The court in Bell v. Michigan Council 25
(supra note 40), on the other hand, found the defendant union was negligent in permitting the treasurer to
take the data home, where it was stolen by the treasurer’s daughter.
pending cases offer some insight into what plaintiffs will urge as the appropriate standard
of care. Plaintiffs have complained of the failure to protect physical premises against
theft of data, the failure to protect physical property such as laptops on which data
resides,180 carelessness in permitting employees to take unencrypted sensitive information
home where it was subsequently stolen or misused by third parties,181 the failure to use
proper computer security measures (including encryption, firewalls, anti-virus and anti-
spyware software, monitoring network access, controlling communications to and from
the network, security testing and vulnerability scanning),182 the retention of information
without authorization,183 the failure to follow the Payment Card Industry Data Security
Standards,184 the violation of Visa and MasterCard data security rules,185 the failure to
inform affected individuals promptly of the breach in data security,186 carelessness in
selecting and supervising third parties who were hired by the defendants to provide data
processing services,187 carelessness in using the fax machine resulting in repeatedly
sending sensitive information of customers to the wrong fax number,188 the failure to
train and supervise employees regarding privacy,189 the failure to use encryption and
secure communication lines,190 and the failure to implement appropriate governance
processes to ensure that senior management is informed of breaches of customer privacy
and violations of PIPEDA.191
It is noteworthy that the claim that it was negligent not to notify promptly those
affected by a security breach has been made in Canadian jurisdictions where there is no
applicable statutory data breach notification requirement.192 Prompt notification may, in
the future, be recognized as an element of the required standard of care in negligence.
Statutory standards are also relevant to common law negligence as they provide
useful (although non-dispositive) evidence of the reasonable standard of care in
negligence.193 As a result, PIPEDA and the provincial personal information protection
180 Stollenwerk, supra note 40; Daly, supra note 40.
181 Guin, supra note 40; Bell v. Michigan Council 25, supra note 40; Randolph, supra note 40.
182 Parke v. Cardsystems Solutions Inc. et al., supra note 40.
183 Ibid.
184 Ibid.
185 Ibid.
186 Randolph, supra note 40.
187 Taylor, supra note 43; Forbes, supra note 40; Parke, supra note 40.
188 Speevak, supra note 43.
189 Ibid.
190 Ibid.
191 Ibid.
192 This claim has been made not just in California, where there is a statutory notification requirement
(Parke et al. v. Cardsystems Solutions Inc. et al., supra note 40), but also in the Saskatchewan class action
filing in Taylor (supra note 43). It has also been raised in Speevak (supra note 43), and many of the
Canadian class actions filed against TJX Companies Inc. (see citations, supra note 43). The statements of
claim are available from the CBA class action database at
<http://www.cba.org/classactions/class_2007/main/index/>.
193 Saskatchewan Wheat Pool, supra note 124; Klar, supra note 163 at p. 325-327; G.H.L. Fridman, The
Law of Torts in Canada, 2nd ed. (Toronto: Carswell, 2002), p. 631-633.
legislation that operates in lieu of PIPEDA in certain provinces will be relevant to the
standard of care in a negligence lawsuit.194
Section 4.7 of Schedule 1 of PIPEDA provides that “personal information shall
be protected by security safeguards appropriate to the sensitivity of the information.”
The subparts provide further detail on this obligation. The security safeguards must
protect against “loss or theft, as well as unauthorized access, disclosure, copying, use or
modification.”195 The nature of the required safeguards will vary according to the
sensitivity of the information, as well as the amount, distribution, format and method of
storage of the information.196 The methods of protection adopted ought to include (a)
physical measures (e.g. locked cabinets and limited physical access), (b) organizational
measures (e.g. security clearance, and limiting access on a “need to know” basis), and (c)
technological measures (e.g. encryption and passwords).197 Organizations must make
their employees aware of the importance of maintaining confidentiality.198 Organizations
also must take care in the disposal or destruction of information to prevent access by
unauthorized parties.199
The statutory provisions use terms such as “reasonable” or “appropriate” security
measures. Decisions of the Privacy Commissioners under these statutes shed some light
on what this means in practice. Among the findings of the Privacy Commissioner of
Canada that consider principle 4.7 and its subsections are contraventions relating to mis-
directed email,200 faxes,201 and mail,202 personal information placed in a publicly-
accessible recycling bin rather than being shredded,203 disposal of poor quality
photocopies in the garbage rather than by shredding,204 internal use of paper containing
personal information as scrap paper,205 and the theft of a laptop from a locked
194 Section 34 of Alberta’s Personal Information Protection Act S.A. 2003, P-6.5 provides that
organizations must protect personal information in their custody or control by making reasonable security
arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification,
disposal or destruction. Section 34 of British Columbia’s Personal Information Protection Act S.B.C. 2003
c. 63 contains a similar requirement as does Quebec’s Act respecting the protection of personal information
in the private sector R.S.Q., c.P-39.1, s.10 and Ontario’s Personal Health Information Protection Act,
2004, S.O. 2004, c.3, Sched. A, ss. 12-14.
195 Supra note 17.
196 Ibid. at section 4.7.2, Schedule 1.
197 Ibid. at section 4.7.3, Schedule 1.
198 Ibid. at section 4.7.4, Schedule 1.
199 Ibid. at section 4.7.5, Schedule 1.
200 Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #360 (14 November 2006),
<www.privcom.gc.ca/cf-dc/2006/360_20061114_e.asp>.
201 Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #332 (12 April 2006),
<www.privcom.gc.ca/cf-dc/2006/332_20060412_e.asp>.
202 Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #337 (9 June 2006),
<www.privcom.gc.ca/cf-dc/2006/337_20060609_e.asp>; Office of the Privacy Commissioner of Canada,
PIPEDA Case Summary #335 (27 June 2006), <www.privcom.gc.ca/cf-dc/2006/335_20060627_e.asp>.
203 Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #356 (23 October 2006),
<www.privcom.gc.ca/cf-dc/2006/356_20061023_e.asp>.
204 Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #128 (4 March 2003),
<www.privcom.gc.ca/cf-dc/2003/cf-dc_030304_5_e.asp>.
205 Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #72 (7 October 2002),
<www.privcom.gc.ca/cf-dc/2002/cf-dc_021007_1_e.asp>.
car.206 In all of these situations, the data custodian was found not to have been employing
reasonable security measures.
In addition, the findings make it clear that where an organization has in place
appropriate policies and procedures, the organization will be found to be in contravention
if an employee does not follow the policies or procedures.207 It is noteworthy that the
Privacy Commissioner has approved in appropriate cases various corrective steps
including notifying affected individuals,208 and obtaining credit monitoring services for
affected individuals.209 This further supports the view that the failure to take steps after a
breach to mitigate damage (including notifying affected persons) falls below the standard
of reasonableness, and so would constitute negligence. The Privacy Commissioner
announced in January 2007 that she is currently investigating the data security breaches
at Winner’s/HomeSense and Talvest Mutual Funds. These decisions will clarify how
these forms of security breach (hacking and a lost hard drive) are to be assessed under
PIPEDA.
The decisions of the provincial Privacy Commissioners can also be extremely
useful in shedding light on the meaning of reasonable security measures. For example,
the B.C. Privacy Commissioner’s Investigation Report F06-01 “Sale of Provincial
Government Computer Tapes Containing Personal Information”210 contains eight pages
of useful discussion of the topic even though it applies to a breach of security by the
government.211 Among the points made by the B.C. Privacy Commissioner is that even if
the relevant legislation does not require that security measures be documented, it is a
diligent and prudent practice to define and document security measures and to implement
training and oversight to ensure that the measures are understood and applied.212
Furthermore, reasonable security measures can only be defined following “a methodical
assessment of risk that assesses both the foreseeability of a privacy breach (intentional or
accidental) occurring in the context of current threats to or weaknesses in existing
information security measures and the severity and extent of the foreseeable harm that
could result from a privacy breach.”213 What is reasonable will also depend upon the
sensitivity of the personal information at issue.214 The B.C. Privacy Commissioner has
also suggested that in some circumstances reasonable security measures must include
encryption of information held in electronic form.215
206 Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #289 (3 February 2005),
<www.privcom.gc.ca/cf-dc/2006/289_050203_e.asp>.
207 Ibid.
208 PIPEDA Case Summary #335, supra note 202.
209 PIPEDA Case Summary #337, supra note 202.
210 [2006] B.C.I.P.C.D. No. 7, <www.oipc.bc.ca/investigations/reports/InvestigationReportF06-01.pdf>.
211 Ibid. The Report notes that it addresses the responsibilities of public bodies under the Freedom of
Information and Protection of Privacy Act, but it is also intended to assist private sector organizations in
meeting their obligations under the similarly worded security provision in the Personal Information
Protection Act (see p.2. and footnote 1).
212 Ibid. at p. 14.
213 Ibid. at p.15.
214 Ibid.
215 Ibid. at page 16.
The Ontario Privacy Commissioner recently made it clear that s.12(1) of the
Personal Health Information Protection Act, 2004216 requires that where identifiable
personal information must be stored on portable electronic devices (a) only the minimal
amount of information should be stored, for the minimum time required to complete the
work, (b) the information must be encrypted using up-to-date encryption techniques, and
(c) password protection on a laptop is insufficient.217 Given the relative simplicity of
these requirements, it is likely that they would be reasonable requirements in the context
of information much less sensitive than health information, and so ought to be required
under similar provisions in other Canadian data protection statutes and in a negligence
claim.
It will also be useful for Canadians to consider the U.S. experience in assessing
the appropriate standard of care. The U.S. Federal Trade Commission has brought more
than a dozen cases relating to the privacy of consumer information since 1999 under
section 5 of the Federal Trade Commission Act.218 In the beginning, the FTC brought
actions where there was a discrepancy between a stated privacy policy and a business’s
data security practices.219 More recently, it has used its authority with respect to “unfair”
(rather than “deceptive”) practices to bring cases against businesses which fail to take
reasonable security measures to protect sensitive customer data.220 It has also brought
cases to enforce the Gramm-Leach-Bliley Safeguards Rule,221 which requires financial
institutions to adopt appropriate physical, technical and procedural safeguards to protect
216 S.O. 2004 c.3, Sched. A, Section 12(1) provides as follows: “A health information custodian
shall take steps that are reasonable in the circumstances to ensure that personal health information
in the custodian’s custody or control is protected against theft, loss and unauthorized use or
disclosure and to ensure that the records containing the information are protected against
unauthorized copying, modification or disposal.”
217 “Stolen laptop sparks Order by Commissioner Cavoukian requiring encryption of identifiable data:
Identity Must be Protected,” News Release (8 March 2007), <http://www.ipc.on.ca/images/Resources/up-
2007_03_08_ho_004.pdf>; Ontario Information and Privacy Commissioner, Order HO-004, (March 2007),
at p. 6-9 available at <http://www.ipc.on.ca/images/Findings/up-3ho_004.pdf>.
218 Links to the FTC enforcement actions can be found on its website “Privacy Initiatives” at
<http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html>. For a recent overview of FTC action,
see Federal Trade Commission, “Prepared Statement of the Federal Trade Commission before the
Subcommittee on Regulatory Reform and Oversight, Committee on Small Business, U.S. House of
Representatives hearing on the State of Small Business Security in a Cyber Economy,” (16 March 2006),
<http://www.ftc.gov/os/2006/03/P034101CommissionTestimonyConcerningSmallBusinessSecurity.pdf#se
arch=%22prepared%20statement%20%20of%20the%20federal%20trade%20commission%20the%20state
%20of%20small%20business%20security%22> [“FTC, Prepared Statement”].
219 See e.g., In the Matter of Petco Animal Supplies, Inc., FTC Docket No. C-4133 (Mar. 4, 2005); In the
Matter of MTS Inc., d/b/a Tower Records/Books/Video, FTC Docket No. C-4110 (May 28, 2004); In the
Matter of Guess?, Inc., FTC Docket No. C-4091 (July 30, 2003); In the Matter of Microsoft Corp., FTC
Docket No. C-4069 (Dec. 20, 2002); In the Matter of Eli Lilly & Co., FTC Docket No. C-4047 (May 8,
2002).
220 See e.g., In the Matter of DSW, Inc., FTC File No. 052-3096 (Decision and Order, 7 March 2006); In the
Matter of CardSystems Solutions, Inc., FTC Docket No. 052-3148 (Decision and Order, 5 September
2006); United States v. ChoicePoint, Inc., No. 106-CV0198 (N.D. Ga. Feb. 15, 2006); In the Matter of BJ’s
Wholesale Club, Inc., FTC Docket No. C-4148 (Decision and Order, 20 September 2005).
221 15 U.S.C. §6801(b); Standards for Safeguarding Customer Information, 16 C.F.R. Part 314,
<www.ftc.gov/os/2002/05/67fr36585.pdf>.
customer information.222 The FTC has recently indicated that it believes several
principles should govern any information security program.223 First, security procedures
must be appropriate for the level of sensitivity of the information collected and
maintained. Second, where a company has taken reasonable and appropriate measures in
light of the circumstances, the breach will not violate the laws that the FTC enforces.
Third, the laws may be violated even without a breach of security. Companies have a
legal obligation to implement reasonable security measures. Fourth, risks to data security
will change over time. Therefore, companies must assess risks and adjust their security
measures on an ongoing basis.
The FTC’s consent orders in the actions against ChoicePoint, B.J.’s Wholesale
Club, CardSystems and DSW Inc. illustrate the context-dependence of the required
security standards. ChoicePoint, a major U.S. data broker, carelessly approved a ring of
identity thieves as subscribers to its databases of personal consumer information.224
Under the settlement with the FTC, ChoicePoint must pay $15 million and maintain
reasonable procedures to ensure consumer reports aren’t given to those without a
legitimate purpose. This includes verifying the identity of applicants by visiting business
premises in certain cases, and auditing subscribers’ use of the data.
After hackers broke into B.J.’s Wholesale Club Inc.’s networks and used the
personal information stored there to manufacture counterfeit credit and debit cards, the
FTC charged B.J.’s with inadequate security protections.225 The FTC pointed to the
failure to encrypt financial information, the storage of financial data longer than
necessary contrary to bank security rules, the storage of data in files that could be
accessed using commonly known default IDs and passwords, the failure to use readily
available security measures to prevent unauthorized wireless connections to its networks,
and the failure to use measures to detect unauthorized access or to conduct security
investigations.
CardSystems (a provider of payment processing services to credit card firms
including Visa and MasterCard) also failed to protect its systems against hackers,
resulting in the compromise of millions of credit card files and a large volume of fraudulent
purchases.226 The FTC pointed to the following failings: storing information in a
222 See, e.g. In the Matter of Nations Title Agency, Inc., Nations Holding Company, and Christopher M.
Likens FTC Docket No. C-4161 (June 19, 2006); In the Matter of Superior Mortgage Corp., FTC
Docket No. C-4153 (Dec. 14, 2005); Nationwide Mortgage Group, Inc., FTC Docket No. 9319 (April
12, 2005); In the Matter of Sunbelt Lending Services, FTC Docket No. C-4129 (Jan. 3, 2005).
223 U.S. Federal Trade Commission, “Prepared Statement” supra note 218 at p.12.
224 U.S. Federal Trade Commission, “ChoicePoint settles data security breach charges; to pay $10 million
in civil penalties, $5 million for consumer redress,” (26 January 2006),
<www.ftc.gov/opa/2006/01/choicepoint.htm>.
225 U.S. Federal Trade Commission, “BJ’s Wholesale club settles FTC Charges agency says lax security
compromised thousands of credit and debit cards,” (16 June 2005)
<www.ftc.gov/opa/2005/06/bjswholesale.htm>.
226 Jonathan Krim and Michael Barbaro, “40 Million Credit Card Numbers Hacked” Washington Post (18
June 2005), p. A01, <http://www.washingtonpost.com/wp-
dyn/content/article/2005/06/17/AR2005061701031.html>; U.S. Federal Trade Commission, “Cardsystems
solutions settles FTC charges,” (23 February 2006), <www.ftc.gov/opa/2006/cardsystems_r.htm>.
vulnerable format, failing to assess the vulnerability of the system to commonly known or
reasonably foreseeable attacks such as “SQL injection attacks,” failing to implement
simple, cheap and readily available defenses to these attacks, failing to use strong
passwords, failing to use readily available security measures to limit communications
between computers on its network and between its network and the internet, and failing
to employ sufficient measures to detect unauthorized access or to conduct security
investigations.
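The CardSystems findings are the one place in this Part where a specific attack technique is named, so it is worth seeing what the “simple, cheap and readily available defenses” to SQL injection actually look like. The following is an added illustration, not code from the article, the FTC order or CardSystems: it builds an in-memory SQLite table of constructed sample records (the account identifiers, names and card numbers are invented placeholders), then runs the same lookup two ways. The first pastes caller-supplied text into the query, the pattern the complaint treats as a commonly known and foreseeable weakness; the second binds the value as a parameter and rejects input that does not match an assumed account-number format.

```python
"""Vulnerable vs. parameterised lookup of a cardholder record.

Added illustration, not from the article or the FTC order. The table,
the ACC-nnnn account format and every row are constructed for the demo.
"""
import re
import sqlite3

# Constructed sample data; the card numbers are invented placeholders.
SAMPLE_ROWS = [
    ("ACC-1001", "Alice Example", "4111111111111111"),
    ("ACC-1002", "Bob Example", "5500000000000004"),
    ("ACC-1003", "Carol Example", "340000000000009"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cardholders (account TEXT PRIMARY KEY, name TEXT, pan TEXT)"
    )
    conn.executemany("INSERT INTO cardholders VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account: str) -> list:
    """The weak pattern: the caller-controlled value becomes part of the SQL
    text, so a quote in the input changes the meaning of the statement."""
    sql = f"SELECT account, name, pan FROM cardholders WHERE account = '{account}'"
    return conn.execute(sql).fetchall()


# Assumed shape of a valid account identifier for this demo.
ACCOUNT_RE = re.compile(r"^ACC-\d{4}$")


def lookup_safe(conn: sqlite3.Connection, account: str) -> list:
    """The cheap, readily available defence: bind the value as a parameter so
    the database driver never interprets it as SQL, and additionally reject
    input that does not have the expected shape."""
    if not ACCOUNT_RE.fullmatch(account):
        return []
    return conn.execute(
        "SELECT account, name, pan FROM cardholders WHERE account = ?", (account,)
    ).fetchall()


# Classic tautology payload: turns WHERE account = '' OR '1'='1' into "match everything".
INJECTION = "' OR '1'='1"


def demo() -> dict:
    """Run both lookups with a legitimate account and with the payload,
    returning the number of rows each one leaks."""
    conn = build_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "ACC-1001")),
        "vulnerable_injected": len(lookup_vulnerable(conn, INJECTION)),
        "safe_normal": len(lookup_safe(conn, "ACC-1001")),
        "safe_injected": len(lookup_safe(conn, INJECTION)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

Run as a script, the vulnerable lookup returns every row in the table for the injected input, while the parameterised lookup returns none. Parameter binding alone is sufficient to defeat the injection; the format check is a second, independent layer that also keeps malformed input out of logs and downstream systems.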
DSW Inc. was also a hacking case.227 The FTC claimed that DSW (a U.S. shoe
retailer) created unnecessary risks by storing financial information in multiple files when
it no longer had a need to keep it, failing to use readily available security measures to
limit access to its networks through wireless access points, storing the information in
unencrypted files that could be accessed easily by using a commonly known user identity
and password, failing properly to limit the extent to which computers in one in-store
network could connect to computers on other in-store and corporate networks, and failing
to use adequate measures to detect unauthorized access.
CONCLUSION
The recent proliferation of civil lawsuits against the custodians of personal
information for damages arising from breaches of data security suggests that businesses
ought to consider their potential liability exposure. Canadian businesses are already
aware of their obligations to secure personal information under federal and provincial
legislation applying to privacy protection in the private sector. However, the
development of class action lawsuits for data security breaches suggests that there may be
more serious financial repercussions for the careless handling of data.
Several class actions have already been filed in Canada, although we do not yet
have any decided cases. The case law (dating mostly from 2005-2007) in the United
States suggests that plaintiffs will face significant hurdles in establishing a negligence
cause of action. The key obstacles are in establishing compensable damages where
identity fraud has not yet occurred, or in establishing causation where identity fraud has
occurred. I have discussed two additional concerns in the Canadian context. First, the
availability of parallel civil remedies may be directly or indirectly limited by provincial
privacy legislation where it exists. Where there is no applicable provincial legislation, it
is possible that a court would view PIPEDA as a comprehensive statutory regime that
forecloses common law development in the area. Second, the losses that arise from
breaches of data security are usually pure economic loss, the recovery of which is subject
to special rules in Canada.
Whether or not businesses are exposed to negligence liability, it would be
advisable, in order to protect customers and goodwill, to consider limiting the collection
and storage of sensitive personal data and to take seriously the obligation to secure it
where it absolutely must be collected.
227 U.S. Federal Trade Commission, “DSW Inc. settles FTC charges,” (1 December 2005),
<www.ftc.gov/opa/2005/12/dsw.htm>.
There is evidence that existing regulatory and market sanctions are insufficient to
deter careless behaviour in many cases. A recent Ponemon Institute survey reports that
81% of companies and governmental entities report having lost or misplaced one or more
electronic storage devices such as laptops containing sensitive information within the last
year.228 Another 9% did not know if they had lost any such devices. The survey
respondents also indicated that they would be frequently unable to determine what actual
sensitive data was on a lost or stolen device.229 One of the functions of tort law is to deter
risky behaviour. The recognition of potential liability in negligence might assist by
forcing careless custodians of personal information to internalize the very real costs of
their carelessness whether or not identity fraud can be shown to have occurred.
228 Ponemon Institute, “U.S. Survey: Confidential Data at Risk,” (15 August 2006), sponsored by Vontu Inc., <http://www.vontu.com/uploadedFiles/global/Ponemon-Vontu_US_Survey-Data_at-Risk.pdf#search=%22ponemon%20vontu%22>; Eric J. Sinrod, “Confidential data really is at risk,” CNET News.com (24 August 2006) <http://news.com.com/Confidential+data+really+is+at+risk/2010-1029_3-6108603.html>.
229 Ponemon survey, ibid at p.8.