Fiona, Dan, and Laura have been included in the 2020 Edition of The Best Lawyers in Canada. Since it was first published in 1983, Best Lawyers has become universally regarded as the definitive guide to legal excellence.
Lawyers on The Best Lawyers in Canada list are divided by geographic region and practice areas. They are reviewed by their peers on the basis of professional expertise, and undergo an authentication process to make sure they are in current practice and in good standing. For 2020, our SBA lawyers are ranked, as follows:
In the recent Motion Order of LAT File No. 18-011887/AABS, the LAT concluded that an insurer can resist the unilateral withdrawal of a LAT Application when it included a live issue in the proceeding that has yet to be decided. Further, administrative action and file closure letters are not orders and can be challenged.
On this note, it is important for the insurer to include all potential issues, such as the repayment of benefits or costs, in its Response to an Application. This inclusion gives the insurer the right to have these issues decided by the LAT, even if the applicant chooses to withdraw.
In its LAT Response, the insurer requested repayment of benefits paid to the applicant during the course of his accident benefits claim. After a series of case conferences, and the parties being notified that the LAT would be issuing a Reconsideration decision in favour of the insurer, the applicant withdrew his Application. The insurer advised the LAT in writing that it intended to maintain its claim for repayment. However, the file was later closed administratively by the LAT, with both parties receiving an administrative closure letter.
The insurer brought a motion for an Order that the LAT Application remain open, as it did not consent to the closure of the file.
The insurer’s motion was granted and an Order was made that the LAT Application remained open. Vice Chair Hunter noted that it is LAT practice that where a file has been administratively closed, it only requires a request by a party to re-open it. The case management officer who administratively closed the LAT Application did not appreciate that the insurer also had a claim in the Application.
Unilateral Withdrawals and Costs
The issue of unilateral withdrawals and administrative closure letters often arises in the context of a party seeking costs. One party will withdraw its Application, and the other will argue the file must remain open in order to deal with the costs issue.
Reconsideration in 16-000474 v Aviva 2016 CanLII 105250 (ON LAT)
The applicant submitted a LAT Application. The insurer made a request for a dismissal with costs, as the applicant failed to produce required documents. Two months later, the applicant submitted a Notice of Withdrawal. After the withdrawal, the insurer further asserted its claim for costs, which the LAT does not appear to have considered initially. The parties were sent an administrative closure letter. The insurer requested Reconsideration, which was allowed. The Vice Chair held that the failure of the LAT to respond to the request for costs, which had been filed prior to the withdrawal, was a breach of procedural fairness. The matter was sent back to an adjudicator for a determination regarding costs; ultimately, the adjudicator hearing the motion ordered no costs.
Reconsideration in 18-000935 v Aviva, 2019 CanLII 58159 (ON LAT)
This matter proceeded to a hearing in writing. After the insurer filed its responding submissions, the applicant withdrew his Application. The LAT subsequently issued an administrative closure letter to the parties. The insurer had requested costs in connection with the proceedings prior to the withdrawal. The insurer requested Reconsideration, which was allowed by the Vice Chair, who held that the Tribunal’s decision to close the file without adjudicating the costs issue violated the rules of natural justice and procedural fairness. However, in the end, the Vice Chair found that the insurer had not met the high onus and did not award any costs.
These decisions highlight that the unilateral withdrawal of a LAT Application and the administrative closure of a case do not dispose of an issue raised by an opposing party. Based on the principles of procedural fairness and natural justice, an insurer is still able to have the LAT decide issues that were raised in the Response or the proceeding. Administrative closures can be reversed on request. One key element appears to be that the party must raise the issue prior to closure. Failure to raise or include an issue may result in the insurer being barred from having it heard by the LAT.
In a recent Ontario Small Claims Court decision, a deputy judge was faced with a situation where a business e-mail compromise resulted in settlement funds being redirected to a fraudster rather than the intended recipient.
The case raised the following novel question:
Where a fraudster assumes control of Victim A’s e-mail account and then, impersonating Victim A, issues instructions to Victim B, who then transfers funds intended for Victim A (or a third party) to the fraudster’s account, is Victim A liable for the loss?
The underlying claim was simple and traditional. The plaintiff was seeking an unpaid balance for environmental assessment services in the total amount of $15,670.54. The defendant acknowledged the debt but claimed insolvency. The plaintiff issued a small claims action on April 27, 2018. The parties reached a settlement agreement on August 1, 2018.
The relevant terms of settlement were:
Mark Schokking on behalf of the Corporate Shareholders shall pay to [the Plaintiff] the sum of $7,000 as follow as full and final settlement of the claim.
Mark Schokking and/or the Corporate Shareholders will deposit $7,000.00 into the Trust account of McDonald, Duncan LLP, account number XXXXX-773, Bank of Montreal no later than August 8, 2018….
Between August 1, 2018 and August 8, 2018, a fraudster struck. The fraudster gained access to the workplace e-mail of the paralegal representing the plaintiff. Her e-mail credentials were obtained either via a “phishing” attack or possibly a “brute strength” attack. The fraudster changed the e-mail “rules” for the paralegal’s account, with the following consequences:
Specific incoming e-mails would be forwarded to an external Gmail account and the original incoming e-mail would automatically be deleted.
The fraudster was then able to send e-mails from the paralegal’s account to the specific accounts. If the recipient e-mailed back, it would be re-directed.
The paralegal would have no way of knowing the correspondence was taking place.
With these redirections in place, the fraudster sent revised instructions to Mr. Schokking on August 1, 2018. The e-mail requested Mr. Schokking deposit the money to a Credit Union account in Medicine Hat, Alberta. Mr. Schokking replied by e-mail asking for the physical address. The fraudster, still masquerading as the paralegal, provided the information. Ultimately, Mr. Schokking sent the money to the Medicine Hat account. The fraud was subsequently discovered but the money was never recovered.
The plaintiff brought a motion to enforce the settlement, arguing that the defendant had failed to comply with the settlement terms. The defendant took the position he had satisfied the terms of settlement.
After noting a lack of jurisprudence and the need for legislative intervention in this specific area, the deputy judge concluded that as a default rule, the subject of a fraud (Victim A) that results in another entity (Victim B) diverting funds properly meant for Victim A will not be liable for the loss unless:
Victim A and B had a contract which authorized B to rely on e-mail instructions from A, and the contract shifts liability for a loss resulting from fraudulent payment instructions to A; or,
There is evidence of willful misconduct or dishonesty by Victim A; or,
There is negligence on the part of Victim A.
In the present case, the deputy judge found none of these exceptions applied. There was no contract between the two parties beyond the initial terms of settlement, and there was no evidence of misconduct, dishonesty, or negligence by the paralegal or her firm.
The deputy judge accordingly found that by sending the settlement funds to the Medicine Hat account as opposed to the trust account, the defendant failed to follow the terms of the settlement. The deputy judge ordered the Defendant to pay $7,000 in settlement of the claim.
The old adage of “an ounce of prevention is worth a pound of cure” still holds true in the world of e-mail fraud. Proactive risk management practices like employee training, responsive procedures and properly enforced office policies can be an inexpensive and effective way to manage the continued risk of business e-mail compromise and similar cyber breaches.
This case is a prime example of how it takes multiple errors from multiple parties to result in a loss. In an era where the human element continues to make up the bulk of cyber claims, managerial controls and employee training are essential in addressing these risk exposures. In this specific case, there were two ways the likelihood and the severity of this breach could have been modified.
The first is the need for organizations to proactively train their employees on the ongoing risk of cyber breaches. The firm’s IT professional noted that the paralegal’s e-mail password was considered “strong” and therefore likely resistant to a brute force attack. This suggests that her credentials were obtained via a “phishing” scam. Frequent password changes and a scrutiny of e-mails with the hallmarks of a “phishing scam” could have avoided an e-mail compromise in the first place.
The second take-away is that in the age of convenient e-transfers, organizations must have policies and procedures in place to verify any changes in deposit instructions. This is especially true when those new instructions include a transfer to an extra-provincial account with no apparent connection to the parties. In the present case, had the defendant made a phone call after receiving the e-mail, they could have reduced the impact of the paralegal’s e-mail compromise and avoided having to pay out twice on a claim they thought settled.
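The mailbox-rule pattern described in this case (selected incoming mail forwarded to an outside address while the original is deleted) is something an audit of exported mailbox rules can look for. The following is an added example, not part of the original article or the court record; the record fields, domain names and sample rules are constructed assumptions, not any mail product's export format.

```python
"""Audit exported mailbox rules for external forwarding that hides the original."""

# Assumption: the domains the organisation treats as its own.
INTERNAL_DOMAINS = {"examplefirm.test"}


def domain_of(address):
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def external_targets(rule, internal_domains):
    """List forward/redirect recipients that sit outside the organisation."""
    targets = list(rule.get("forward_to") or []) + list(rule.get("redirect_to") or [])
    return sorted({t.strip().lower() for t in targets
                   if domain_of(t) not in internal_domains})


def hides_original(rule):
    """True when the rule removes the message from the mailbox owner's view."""
    folder = (rule.get("move_to_folder") or "").strip().lower()
    return bool(rule.get("delete_message")) or folder == "deleted items"


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per enabled rule that forwards mail externally.

    "high"   = external forward AND the original is deleted or hidden
    "review" = external forward only (may be legitimate; confirm with the owner)
    """
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue  # disabled rules do not act on incoming mail
        targets = external_targets(rule, internal_domains)
        if not targets:
            continue
        findings.append({
            "mailbox": rule["mailbox"],
            "rule": rule["name"],
            "targets": targets,
            "severity": "high" if hides_original(rule) else "review",
        })
    # Stable sort: hidden-forward cases come first for triage.
    findings.sort(key=lambda f: f["severity"] != "high")
    return findings


# Constructed sample records (hypothetical schema, not a product export format).
SAMPLE_RULES = [
    {"mailbox": "assistant@examplefirm.test", "name": "Copy to partner",
     "enabled": True, "forward_to": ["partner@examplefirm.test"],
     "delete_message": False},
    {"mailbox": "clerk@examplefirm.test", "name": "Send to home",
     "enabled": True, "forward_to": ["clerk.home@webmail.test"],
     "delete_message": False},
    {"mailbox": "paralegal@examplefirm.test", "name": ".",
     "enabled": True, "forward_to": ["collector@webmail.test"],
     "delete_message": True},
    {"mailbox": "intern@examplefirm.test", "name": "Old rule",
     "enabled": False, "redirect_to": ["someone@webmail.test"],
     "delete_message": True},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding["severity"], finding["mailbox"],
              finding["rule"], finding["targets"])
```

A "high" finding matches the combination the paralegal could not see from her own inbox, which is why the check has to run against the rule export and not rely on the mailbox owner noticing.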
Facebook has been under heavy fire for the better part of the past year. Last week, the US Court of Appeals for the Ninth Circuit added to the fray in Patel v Facebook Inc. This class action lawsuit was brought in 2015 in California by Facebook users living in Illinois. The basis of the lawsuit was that Facebook’s facial-recognition technology violated the Illinois Biometric Information Privacy Act (BIPA).
By way of background, in June 2016, Facebook brought a motion to dismiss the action while the plaintiffs moved to certify the class of plaintiffs. Much to Facebook’s dismay, the US District Court for the Northern District of California denied Facebook’s motion to dismiss and certified the class of “Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011”. This decision was appealed to the Ninth Circuit appeal court where the lower Court’s decision was upheld.
Facebook’s Facial Recognition Software
The basis of the lawsuit starts with Facebook’s facial recognition technology that was used in a new feature launched in 2010: Tag Suggestions. Every time a user posted a picture on Facebook and “tagged” a friend, the facial recognition software assessed the face using various geometric data points that made a face unique (i.e. distance between the eyes, nose, and ears) to create a face signature/map. Facebook would then store that signature/map in their database. Going forward, if a user posted a new picture, the technology would identify faces in the picture and cross-reference them with their database (i.e. a face signature that has already been created in the past) to suggest tagging the person in the photo.
It is important to note that Facebook’s face templates were stored on their servers, which were located in nine data centers, six of which are located in the US: Oregon, California, Iowa, Texas, and North Carolina.
Biometric Data and the Law
Across the globe, biometric data is being used more commonly by businesses as a security screening tool. For instance, smartphones use facial recognition and fingerprints as a security feature to unlock the phone, mobile financial applications are beginning to implement facial recognition to sign into your account, and NEXUS uses iris scans to identify individuals for cross border travel. The complication with biometric data is that it is unlike other unique identifiers. While a social insurance number can be changed if compromised, an individual’s biometric data is biologically unique to that individual. If a database with biometric data is compromised, the individuals affected have no recourse – unless they want to attempt a John Travolta and Nicolas Cage Face/Off scenario. If biometric data is compromised, the individual has a significantly increased risk for identity theft and is likely to completely withdraw from biometric-facilitated transactions.
Recognizing the severity of a potential breach involving biometric data, the Illinois General Assembly passed the BIPA in 2008 to regulate the collection and storing of biometric information. BIPA imposes various obligations on an organization that collects biometric data of their users. The organization is required to establish a retention schedule for permanently destroying biometric identifiers and information; advise users of this policy in writing; and, secure a written release before obtaining a biometric identifier. This law applies to organizations doing business in Illinois and allows private individuals to file a lawsuit for damages stemming from a violation of the BIPA.
Similar laws have been enacted in Washington and Texas, although they are not as stringent and do not have the same damages provisions.
In Canada, neither provincial nor federal governments have passed specific laws regulating the collection and use of biometric data. However, biometric data has been identified as “personal information about identifiable individuals”, which is within the purview of (1) the Privacy Act, which regulates how data is used by the Federal government, and (2) the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how data is collected, used, and stored by private-sector organizations.
Back to the case at hand. As noted, the District Court denied Facebook’s attempt to have the case dismissed and certified the class action (identified a group of people that can proceed with the lawsuit).
Injury in Fact - Damages
Facebook argued that the plaintiffs were missing a critical element to be able to proceed with the lawsuit. Specifically, the plaintiffs did not suffer a “concrete injury in fact”. Facebook argued that by violating BIPA, by not obtaining consent from users and identifying a destruction policy, it simply failed to comply with a procedural requirement. Their non-compliance did not cause a concrete injury to the plaintiffs that resulted in damages.
The Ninth Circuit Court disagreed.
With respect to a concrete injury, the Court concluded that an intangible injury could nevertheless be concrete and establish an injury in fact. BIPA was enacted to protect individuals’ “biometric privacy” by: (1) imposing specific safeguards to ensure individuals’ data was properly collected and used; and, (2) by subjecting private entities who fail to follow the law to liability. In essence, the legislation was created to protect individuals against “the risk of real harm” and this was enough to establish an injury.
With respect to damages, the Court observed that in our digital world, privacy protections are particularly crucial. The Court found “[w]hen a private entity fails to adhere to statutory requirements, the right of the individual to maintain his or her biometric privacy vanishes into thin air.” The Court noted that privacy lawsuits are particularly unique because the invasion of someone’s privacy rights is fundamentally offensive to our society. Therefore, privacy lawsuits do not always require additional consequences, like actual damages, for them to be actionable.
Territorial Limits of the Law
Interesting jurisdictional arguments were raised by Facebook as the lawsuit was filed in California on the basis of an Illinois law. Facebook argued that the Illinois law was not intended to have effect in another state. In other words, an individual in Illinois was not allowed to use an Illinois law to sue a company in California. Facebook argued that the relevant events, the collection and storage of the face scans, occurred on its servers that were not located in Illinois. Therefore, Illinois law could not apply.
The Court did not make a decision directly on this issue but noted that the law does not specify where the essential elements of a violation take place. For example, in this case the violation could be argued to have occurred in Illinois because that was where the person whose privacy rights are impacted used Facebook. Alternatively, the violation could be construed to have occurred in California, where Facebook housed its server and where it scanned the photographs as well as stored the scans. Alternatively, it could be a combination of the two. The Court left this decision for the District Court to decide in the course of the lawsuit, but it noted that it is reasonable to infer that the Illinois lawmakers contemplated the law’s application to individuals who are located in Illinois, even if some relevant activities occur outside the state.
It is particularly important to note that this is a US case. The laws and legal principles are different in Canada from the US; however, US cases may have an effect on how future cases are decided in Canada.
Although Canada does not have a “concrete injury in fact” element, as was discussed in Patel, it does have a requirement that an individual establish damages in the course of a lawsuit. For instance, Jones v Tsige was the Ontario Court of Appeal decision that established the privacy tort of intrusion upon seclusion. In that case, the Court similarly noted that “proof of actual loss is not an element” of the tort. A finding that someone violated another’s right to privacy is enough to presume damages. However, Canadian courts have been reluctant to award any significant sums of damages (a limit of $20,000.00 was established) in individual cases without additional proof of loss. Although we have not seen a biometric data-based lawsuit in Canada, the Patel case may be informative to Canadian Courts when such a case finally comes around.
Another important consideration is identifying which laws govern an organization’s procedures. We previously addressed the extraterritorial application of the General Data Protection Regulation (GDPR) enacted in Europe to organizations outside the EU. The key takeaway in this regard is that organizations may be impacted by other state or provincial privacy regulations if they, knowingly or unknowingly, cater to that territory’s population.
This is a case definitely worth following. Let’s see what hot water Facebook ends up in next!
Stas practices in insurance-related litigation. He has a broad range of experience including tort claims, accident benefits, subrogation, priority and loss transfer disputes, WSIB matters, and fraudulent claims.
The plaintiffs in Karasik v. Yahoo Inc., a proposed class action, brought a motion for production of Yahoo’s database of its 16.9 million Canadian users prior to the certification motion.
This class action stems from cyber attacks in 2013 and 2014 by the Federal Secret Service of the Russian Federation against the defendants, Yahoo Inc. and Yahoo! Canada Co.
In coming to his decision, Justice Perell noted the following established principles regarding pre-certification productions:
There is no automatic right to documentary discovery at the certification stage, and a party seeking such discovery must demonstrate the need for it; for the certification motion, which is a procedural motion that does not go to the merits of the action, there is limited production of documents that are shown to be relevant to the issues on certification.
The onus is on the party seeking documents for the certification motion to explain why the requested documents are relevant to the issues of certification, and bald assertions that the documents may be relevant do not suffice.
At the pre-certification stage, proportionality is of a particular concern, and the production of documents must be proportionate to the needs of the certification motion and what is necessary to inform the certification hearing.
In determining whether a document should be produced, a guiding principle is fairness, and a party should not request production of more than it needs for the purposes of the certification motion nor should a party hold back the production needed by his or her opponent to inform the focused purposes of the certification hearing.
Ultimately, Justice Perell held that the Plaintiffs did not meet the onus of explaining how access to the database was relevant to the certification motion and, in any event, held that the request was disproportionate in the case at hand.
Lisa has an insurance law practice that has focused exclusively on insurance defence for 15 years. Her practice focuses on complex insurance-related litigation, including accident benefits and bodily injury.
It is fair to assume that the personal health information provided to medical professionals is kept confidential. Medical professionals and institutions set up policies and procedures to ensure that the information is collected, stored, and used in an appropriate manner and in compliance with privacy regulations. Recently, an individual took The Queensway Carleton Hospital to Court alleging that their procedure for surgery bookings caused her significant damages.
The facts of this case are straightforward. The Plaintiff was told that she required surgery. While waiting for a date for the surgery, she received a paper surgical booking package that she had to complete. The Plaintiff testified that she dropped off the completed booking package in the Hospital’s drop box. However, about a week later, it was returned to her by Canada Post. Despite the Plaintiff’s complaints, no one from the Hospital accepted responsibility for the misplaced booking records. The Information and Privacy Commissioner of Ontario was unable to make a determination regarding who was responsible for the privacy breach. The Plaintiff commenced a claim for damages for intrusion upon seclusion, breach of confidence, and public disclosure of embarrassing facts. She also sought punitive damages.
The Court found, on a balance of probabilities, that the Hospital received the records and they were misplaced. The Plaintiff relied on three causes of action to support her claim – intrusion upon seclusion; breach of confidence; and, public disclosure of embarrassing facts.
In dealing with intrusion upon seclusion, the Court found that a single act of inadvertence, assuming that was what happened, was not sufficient to prove recklessness. In fact, the Court found that the Hospital’s protocol for handling booking records did not create an obvious or serious risk. The Court found that the system worked quite well despite this one instance. There was not a deliberate and significant invasion of personal privacy as required in order to satisfy the threshold for damages.
Second, to establish the tort of breach of confidence, the Plaintiff had to show that the Hospital made unauthorized use of her booking record and misused it to her detriment. Once again, the Court found that this claim was not satisfied, as there was insufficient evidence that the Hospital misused the booking record.
Third, the Court found that the tort of public disclosure of embarrassing facts was not established. There was no evidence that the Hospital “published” the booking record or that the records were deliberately made publicly available. The evidence showed that the record could only be seen by postal workers in Montreal to determine where the record should be returned to. This was not sufficient to establish damages.
The Court considered the provisions of the Personal Health Information Protection Act. Section 71(1)(b) provides a statutory immunity for health information custodians where there has been an attempt at good faith compliance with the Act. The Court found that the evidence did not establish that the Hospital’s use of surgical booking packages was unreasonable. Additionally, there was no evidence that there had been any issues with other booking records, either before or after this incident.
Finally, the Court considered whether the Claimant was entitled to damages based on her “humiliation, anxiety and distress” arising from the receipt of the envelope from Canada Post which contained the booking records. The Plaintiff did not establish, on a balance of probabilities, that she suffered anxiety or psychological upset that rose to the level of requiring compensation. Similarly, there was no high-handed, arrogant or contumelious behaviour on the Hospital’s part that would warrant a finding of punitive damages.
Hospitals are particularly vulnerable to privacy claims – they are required to gather a significant amount of personal health information in a very short period, store and protect that information, and use it in an appropriate way. Healthcare organizations must implement robust safeguards and procedures to ensure their patients’ information is properly collected, used, and disclosed. Taking these reasonable steps will lower an organization’s financial and litigation risk. A good place to start is creating privacy policies or hiring experienced counsel to review existing policies and their implementation.