Privacy Breaches: My Personal Information has been Accessed, Shared, or Stolen. Do I have a Claim?
Chances are you are reading this on a smartphone, or your phone is within arm’s reach. We live in a world of ever-increasing sharing and storing electronic information. We are warned not to click suspicious links, share passwords and be on the lookout for phishing. Bad actors will try to steal your data to commit identity theft, bank and credit card fraud or install malware on your devices and demand a ransom.
In some situations, we have no choice but to give up our personal data. Your employer no doubt has your social insurance number in order to issue you a paycheque and make the appropriate withholdings for Canada Revenue Agency. What happens when your data is not safeguarded and is accessed, shared or stolen while in your employer’s custody? This is the question on the minds of potentially 100,000 Nova Scotians because of a massive privacy breach in which the personal information of many employees of Nova Scotia Health, IWK Health Centre and the public service was stolen along with the information of some members of the public. The compromised information includes social insurance numbers, addresses and banking information. You can read the NS Government’s Release here.
So, what next?
The law surrounding privacy breaches is still developing in Canada. In the decision in Jones v. Tsige, 2012 ONCA 32 , the Ontario Court of Appeal recognized a new tort called “Intrusion upon seclusion.” This meant someone could now sue for breach of privacy when another person intentionally “intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns.” That is if the invasion would be considered highly offensive to a reasonable person. This could include such things as someone accessing your private bank account or medical records or opening of your personal mail. The Jones decision changed the law in Ontario.
In Trout Point Lodge Ltd v. Handshoe, 2012 NSSC 245 the Nova Scotia Supreme Court confirmed it may award damages in an appropriate case of intrusion upon seclusion. This was confirmed again in Doucette v. Nova Scotia, 2016 NSSC 25 Doucette v. Nova Scotia, 2016 NSSC 25. It is possible to bring a civil action (lawsuit) against another person who breached your privacy. Trout Point Lodge and Doucette meant there was now footing to bring a claim for privacy breach in Nova Scotia.
Intrusion upon seclusion involves a person who intentionally breaches another’s privacy. For example, a nurse accesses a person’s medical records in the hospital computer system for a reason unrelated to that person’s healthcare.
The current security breach impacting NS government employees is different as it did not involve an intentional breach of privacy. The question will be: did the government meet the standard of care and its obligations under various statutes when it comes to being the custodian of its employees’ personal information? We anticipate litigation will result from the current breach impacting IWK, Nova Scotia Health and public sector employees.
If you believe that your privacy has been breached, please contact Carter Simpson at 902-444-7227 or info@cartersimpson.ca to discuss whether you have a claim and what we can do to help.
Carter Simpson has prepared this document for information only. It is not legal advice. You should consult Carter Simpson about your unique circumstances before acting on this information. Carter Simpson excludes all liability for anything contained in this document and any use you make of it.