
Live Burns and full day of Seminars in Waterloo

 Sep 16, 2019 7:45 PM
by SBA LLP

FIRE LOSS INVESTIGATION – LIVE BURN EVENTS

Date:  October 2nd, 2019
Location: WATERLOO REGION EMERGENCY SERVICES TRAINING AND RESEARCH COMPLEX
1001 Erb’s Road, RR 3, Waterloo, ON, N2J 3Z4 

Time:  9:00 am – 4:00 pm

Strigberger Brown Armstrong LLP, along with CEP Forensic’s Waterloo office and the Insurance Institute, are organizing a full day of seminars including two live burns.

Please join us for this interesting and unique event. Sign up today as there are limited spots available.

COMPLETE DETAILS & REGISTRATION


That’s a LOT of (cookie) dough!

 Sep 4, 2019 5:00 PM
by Suzanne Armstrong

The Federal Trade Commission (FTC) and New York Attorney General announced today that YouTube and Google will pay a record setting $170 million dollars to settle allegations of violating the Children’s Online Privacy Protection Act (COPPA) Rules.

The settlement comes after a complaint alleged that YouTube was utilizing cookies, for direct advertising and to track users across the internet from child-directed channels, without first notifying parents and obtaining consent to do so. The COPPA Rules require child-directed websites and online services to provide notice of their information practices and obtain parental consent prior to collecting personal information from children under the age of 13.

The complaint also alleged that channel owners told YouTube that their content was directed to children and in some cases that YouTube’s own content rating system identified the content as directed at children. The FTC and NY Attorney General found that despite this knowledge, YouTube collected information and targeted advertisements on these channels, thereby failing to comply with COPPA.

While YouTube claimed that they were a general audience site, the FTC and NY Attorney General noted that YouTube marketed themselves as a top destination for kids in their presentations to makers of popular children’s products and brands.

In addition to the hefty monetary penalty, the proposed settlement requires Google and YouTube to develop, implement, and maintain a system that permits channel owners to identify their child-directed content on the YouTube platform. As well, the companies must notify channel owners that their child-directed content may be subject to COPPA Rules. They must also provide annual training about complying with COPPA for employees who deal with channel owners.

It is almost impossible these days to surf the internet anonymously; in fact, many websites require the use of cookie tracking before they will allow access to their website. Interestingly, Google Chrome offers an ‘incognito’ mode for users. Unfortunately, some websites have caught on and are implementing tools to detect when a visitor is in private mode.

Read the Press Release here.


Suzanne has represented clients at arbitrations and mediations as well as prepared written submissions for accident benefit disputes. In addition, she has represented clients at CPP tribunal hearings regarding CPP disability benefit applications and appeals. Read more ...


Privacy in Pharmacy – Be Prepared

 Aug 29, 2019 12:30 PM
by Stas Bodrov

Pharmacists have a range of responsibilities including reviewing prescriptions, educating individuals about medication use and side effects, and acting as a last line of defence to ensure that multiple medications do not interact with one another. In order to provide these services, pharmacists collect a significant amount of personal health information and are regulated by the Personal Health Information and Privacy Act (PHIPA) in Ontario and the Health Information Act in PEI. So, when a pharmacy’s systems are breached (for instance by way of a hack, a social engineering scam, or unauthorized access), the pharmacy is required to notify affected individuals and report the breach to the Privacy Commissioner to comply with the legislation. This is exactly what happened in a recent privacy investigation against a pharmacy in Prince Edward Island.

What Happened

A breach notification indicated that in late August 2017, two employees at a pharmacy accessed the personal health information of their former co-worker using the Drug Information System (DIS). The DIS is a provincial database of medication profiles for residents of PEI used by pharmacies to assist with patient care. The Privacy Commissioner conducted an investigation and determined that although one employee had inappropriately accessed the electronic records, the personal health information was not disclosed to other unauthorized individuals.

While the pharmacist did not witness the incident, a staff member reported that in August 2017, two employees accessed the personal health information of the Affected Individual using the DIS and disclosed the information at the work site. In response, the pharmacist spoke to the employees who acknowledged that they had accessed the information without authorization; however, they blamed each other – classic he said she said.

In November 2017, the pharmacist verbally notified the Affected Individual (and former co-worker) of the incident. The pharmacist sent an email to the manager of the pharmacy about this discussion and presumed that the manager was already aware of the incident. The manager advised that they were unaware of the incident. The manager conducted an investigation where one employee admitted the unauthorized access but the other did not. In December 2017, the Pharmacy notified the Commissioner of the incident, four months post-incident.

The Commissioner’s Investigation

When the Commissioner conducted its own investigation, the employees were invited to participate. One employee admitted to the unauthorized access and expressed remorse for the “momentary lapse in judgment.” The second employee denied that they had ever accessed the Affected Individual’s information in the DIS. Neither employee recalled speaking with the pharmacist. The Commissioner attributed the discrepancies to the passage of time and the possibility that the information at issue may have been obtained by other legitimate means.

Based on a DIS audit, the conclusions made by the pharmacy, and the information provided to the Commissioner, it was determined that (1) the first employee inappropriately accessed the personal health information of the Affected Individual; (2) there was insufficient evidence that the second employee accessed the information; and, (3) there was insufficient evidence that either employee disclosed personal health information of the Affected Individual.

Policies, Procedures, and Breach Response

The Commissioner found that at the material time, the pharmacy did not have reasonable information practices in place to identify and prevent privacy breaches. The organization did not have unique User IDs for all those who access the DIS. The organization also did not have staff training and/or educational resources regarding privacy issues. Since the breach, the pharmacy implemented the use of new software and conducted privacy training for employees. They also established reasonable prevention and detection tools.

With respect to the breach response, the Commissioner concluded that the pharmacy took reasonable steps to contain and investigate the breach. However, the pharmacy did not notify the Affected Individual or the Commissioner of the breach within a reasonable time period, as required by law. The late notification appeared to be because of a mistaken belief that the manager was aware of the incident. This demonstrated a lack of procedure by the pharmacy relating to breach notification. Additionally, the pharmacy ought to have followed up with the Affected Individual once the investigation was complete and implemented a clear breach management procedure.

The Commissioner made recommendations for the adoption of privacy breach management procedures, which should include designating a staff member that all employees report to in the event of a suspected privacy breach. The Commissioner also recommended establishing a clear internal process to follow if a privacy breach is discovered. The latter would include reasonable guidelines for notification, containment, investigation and remediation.

Takeaway

If an organization collects, uses, and/or discloses personal health information, it is subject to PHIPA, or an equivalent privacy legislation for the province. This legislation requires a health information custodian to notify all affected individuals of a privacy breach and report same to the Privacy Commissioner. In order to comply with the notification and reporting requirements, the organization must implement policies and procedures to identify such breaches and properly respond.

It is recommended that organizations assign a Privacy Officer to whom other employees can report actual or suspected breaches. Identifying breaches requires the organization to train and educate their employees regarding their obligations related to the proper handling of private health information. Finally, organizations must prepare breach response plans that will be followed in the event of a breach. This would include containment of a breach, timely notification and reporting of a breach, as well as proper follow-up. Not only is this required by law, it is also a great risk management mechanism that aids in lowering investigation costs, fines, and litigation exposure.

Remember, failing to plan is planning to fail. 

See Community pharmacy (Re), 2019 CanLII 71193 (PE IPC)


Stas practices in insurance-related litigation. He has a broad range of experience including tort claims, accident benefits, subrogation, priority and loss transfer disputes, WSIB matters, and fraudulent claims. Read more...


Surprise (or Not): Patient Records are Confidential

 Aug 29, 2019 12:30 PM
by Laura Emmett

Snooping occurs on a regular basis but few organizations are willing to deal with it. Whenever an individual, such as a doctor, a nurse, or a clinic staff member accesses a patient’s record without a work-related need, this is considered snooping. Unless an employee is within the patient’s circle of care (i.e. delivering direct patient care) the individual has no business accessing the personal health information of that individual and is contravening the use for which that information was gathered.

Many, if not most, of these instances go unnoticed, but with the shift to electronic record storage and file management systems, access to records can be tracked by clinic owners/health information custodians. If properly set up, the electronic file management system can help identify individuals who are snooping and allow the organization to reprimand those individuals. Even if the organization has not transitioned to electronic file management systems, that does not excuse an ignorance of this problem.

What Happened

In a recent case, a Complainant requested and obtained an electronic log of access to their personal health information stored in the Clinical Information System of Health PEI, the agency responsible for delivering publicly funded health services in the province. After reviewing the logs, the Complainant noticed that an employee, whom the Complainant knew, had accessed their personal health information multiple times. The log showed that on some of the dates when the file was accessed, the Complainant was not admitted to a hospital.

The Complainant reported their findings to Health PEI and an investigation ensued. The institution determined that some, but not all of the accesses to the Complainant’s charts were consistent with the performance of the employee’s duties. When consulted about the access, the employee advised that all access to the Complainant’s information was for professional reasons but noted that there was a “long history of a volatile relationship” between the employee and the Complainant. It was suggested that the privacy complaint was made with malicious intent arising from this tenuous relationship.

Ultimately, Health PEI concluded that the employee had accessed the personal health information without authorization. At a minimum, some of the accesses to the Complainant’s records were not authorized based on the determination that in several instances there was no evidence that access to the information was required for the performance of the employee’s duties. Importantly, the employee could not substantiate the claim that all access was for professional reasons.
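The log review the Complainant performed by hand can be automated as a routine audit: compare each chart access against the patient's admission and discharge windows and flag accesses that fall outside any care episode for follow-up. The script below is an added example, not code from the original post or from Health PEI; the log format, the field names, the 48-hour post-discharge grace period and all log lines and admission windows are constructed assumptions.

```python
"""Flag chart accesses that fall outside any care episode for the patient.

Added example (not from the original post or Health PEI). The CSV-like log
format, the admission windows and the grace period are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed access log: timestamp, user, patient id, action
ACCESS_LOG = """\
2019-03-02T09:14:00,nurse.a,P-1001,VIEW_CHART
2019-03-02T11:40:00,clerk.b,P-1001,VIEW_CHART
2019-03-10T22:05:00,clerk.b,P-1001,VIEW_CHART
2019-04-18T08:30:00,clerk.b,P-1001,VIEW_LAB_RESULTS
2019-04-19T14:00:00,nurse.a,P-1001,VIEW_CHART
"""

# Constructed admission/discharge windows per patient (start, end).
EPISODES: Dict[str, List[Tuple[datetime, datetime]]] = {
    "P-1001": [
        (datetime(2019, 3, 1, 16, 0), datetime(2019, 3, 3, 12, 0)),
        (datetime(2019, 4, 19, 7, 0), datetime(2019, 4, 20, 10, 0)),
    ],
}

# Assumption: charting shortly after discharge is normal, so extend each episode.
GRACE = timedelta(hours=48)

Entry = Tuple[datetime, str, str, str]  # (timestamp, user, patient, action)


def parse_log(text: str) -> List[Entry]:
    """Parse the constructed CSV-like log into typed entries, skipping blank lines."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        entries.append((datetime.fromisoformat(ts), user, patient, action))
    return entries


def in_episode(patient: str, when: datetime,
               episodes: Dict[str, List[Tuple[datetime, datetime]]] = EPISODES) -> bool:
    """True if the access time falls inside an admission window (plus grace)."""
    return any(start <= when <= end + GRACE
               for start, end in episodes.get(patient, []))


def out_of_episode_accesses(entries: List[Entry]) -> List[Entry]:
    """Return the accesses that no care episode explains; these need review."""
    return [e for e in entries if not in_episode(e[2], e[0])]


def count_by_user(flagged: List[Entry]) -> Dict[str, int]:
    """Summarise flagged accesses per user, so repeat offenders stand out."""
    return dict(Counter(e[1] for e in flagged))


if __name__ == "__main__":
    flagged = out_of_episode_accesses(parse_log(ACCESS_LOG))
    for ts, user, patient, action in flagged:
        print(f"REVIEW {ts.isoformat()} {user} {action} on {patient}: no matching care episode")
    print(count_by_user(flagged))
```

An access outside an episode is a reason to ask the employee for the work-related purpose, not proof of snooping on its own; as the case shows, the burden then falls on the employee to substantiate that purpose, which is exactly why the audit trail and the review process both need to exist.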

Aftermath and the Commissioner’s Investigation

As a result of the investigation, Health PEI established a performance management plan for the employee, which included disciplinary measures. The institution was also implementing improvements for privacy awareness and compliance with policies through training and random auditing of access.

During a meeting with the Complainant, Health PEI shared the findings of the investigation and the steps that will be taken. Subsequently, a letter was sent to the Complainant outlining the findings and apologizing for the unauthorized access. In response, the Complainant sought specifics of the disciplinary measures taken, which Health PEI refused to provide.

Health PEI also reported the breach in a timely fashion to the Privacy Commissioner, who conducted its own investigation pursuant to the Health Information Act. The Commissioner concluded that the organization had properly responded to the breach. While the Complainant wanted to know what disciplinary measures were taken, the Commissioner agreed with the refusal but noted that the organization ought to provide assurances that personal health information would be protected in the future. The Commissioner also recommended that Health PEI implement regular auditing of their employee’s access to electronic records.

The Commissioner found that the institution notified the Complainant and the Commissioner at the first reasonable opportunity following the discovery of the breach and that Health PEI established reasonable information practices to protect personal health information from unauthorized access by others. Further, the Commissioner found that Health PEI took reasonable steps to contain the breach and investigate it.  While the Commissioner found that implementing staff training and disciplining the employee were reasonable steps to remediate the incident, further assurances needed to be made to the Complainant. Specifically, the Complainant ought to be reassured that their health information was secure. To address this, the Commissioner recommended that Health PEI introduce regular auditing of employee access to the computer system with particular attention to the Complainant’s records.

Takeaway

Although we may not notice it immediately, unauthorized access to personal records, or snooping, are a frequent occurrence. Organizations must implement policies to minimize the frequency of snooping and reprimand the employees that engage in such behaviour. More importantly, these instances are considered breaches of security safeguards and the organization may be required to report the breach to the Privacy Commissioner and notify the affected individual.

As demonstrated in this case, organizations must have a plan in place to respond to such breaches in a timely fashion. If investigated, an organization’s quick response to a breach and proper follow up (i.e. notification and reporting) will be looked at favourably. Organizations can rest assured that their internal sanctioning policies (i.e. reprimanding of their employees) can largely remain confidential. In other words, organizations do not need to report to an affected customer the sanctions that were made against a staff member. This eases the pressure over the organization and allows it to make more sensible and appropriate decisions. 

More importantly, an organization must train their staff to appropriately handle and use their customers’/patients’ data. This includes the legal requirements concerning the collection, use, and disclosure of health information. Policies must be put in place and enforced on a regular basis to ensure all employees are on the same non-snooping page.

See Health PEI (Re), 2019 CanLII 71194 (PE IPC)


Laura has a diverse practice where she focuses on accident benefits, bodily injury claims, product liability, cyber liability, privacy law and drone liability. Read more ...


Fiona, Dan, and Laura Recognised as 2020 Best Lawyers in Canada

 Aug 23, 2019 12:00 AM
by SBA LLP

We are celebrating! 

Fiona, Dan, and Laura have been included in the 2020 Edition of The Best Lawyers in Canada. Since it was first published in 1983, Best Lawyers has become universally regarded as the definitive guide to legal excellence.

Lawyers on The Best Lawyers in Canada list are divided by geographic region and practice areas. They are reviewed by their peers on the basis of professional expertise, and undergo an authentication process to make sure they are in current practice and in good standing. For 2020, our SBA lawyers are ranked, as follows:

Fiona M. Brown - Personal Injury Litigation, Insurance Law

Daniel Strigberger - Insurance Law

Laura Emmett - Personal Injury Litigation

"I am so honoured to be recognized again," says Fiona, who is celebrating her 5th year as a "Best Lawyer".

Laura Emmett says, "There are a lot of brilliant Personal Injury Litigation lawyers on this list in 2020. I am humbled."

Dan Strigberger says, "Great things happen when you work with the best lawyers!"


Not so fast! Insurers get a say in LAT withdrawals

 Aug 20, 2019 5:45 PM
by Kathleen O'Hara

By Kathleen O’Hara and Heather Lindsay

In the recent Motion Order of LAT File No. 18-011887/AABS, the LAT concluded that an insurer can resist the unilateral withdrawal of a LAT Application when it included a live issue in the proceeding that has yet to be decided. Further, administrative action and file closure letters are not orders and can be challenged.

On this note, it is important for the insurer to include all potential issues, such as the repayment of benefits or costs, in its Response to an Application. This inclusion gives the insurer the right to have these issues decided by the LAT, even if the applicant chooses to withdraw.

The Proceedings

In its LAT Response, the insurer requested repayment of benefits paid to the applicant during the course of his accident benefits claim. After a series of case conferences, and the parties being notified that the LAT would be issuing a Reconsideration decision in favour of the insurer, the applicant withdrew his Application. The insurer advised the LAT in writing that it intended to maintain its claim for repayment. However, the file was later closed administratively by the LAT, with both parties receiving an administrative closure letter.

The insurer brought a motion for an Order that the LAT Application remain open, as it did not consent to the closure of the file.

Motion Order

The insurer’s motion was granted and an Order was made that the LAT Application remained open. Vice Chair Hunter noted that it is LAT practice that where a file has been administratively closed, it only requires a request by a party to re-open it. The case management officer who administratively closed the LAT Application did not appreciate that the insurer also had a claim in the Application.

Unilateral Withdrawals and Costs

The issue of unilateral withdrawals and administrative closure letters often arises in the context of a party seeking costs. One party will withdraw its Application, and the other will argue the file must remain open in order to deal with the costs issue.

Reconsideration in 16-000474 v Aviva 2016 CanLII 105250 (ON LAT)

The applicant submitted a LAT Application. The insurer made a request for a dismissal with costs, as the applicant failed to produce required documents. Two months later, the applicant submitted a Notice of Withdrawal. After the withdrawal, the insurer further asserted its claim for costs, which the LAT does not appear to have considered initially. The parties were sent an administrative closure letter. The insurer requested Reconsideration, which was allowed. The Vice Chair held that the failure of the LAT to respond to the request for costs, which had been filed prior to the withdrawal, was a breach of procedural fairness. The matter was sent back to an adjudicator for a determination regarding costs; ultimately, the adjudicator hearing the motion ordered no costs.

Reconsideration in 18-000935 v Aviva, 2019 CanLII 58159 (ON LAT)

This matter proceeded to a hearing in writing. After the insurer filed its responding submissions, the applicant withdrew his Application. The LAT subsequently issued an administrative closure letter to the parties. The insurer had requested costs in connection with the proceedings prior to the withdrawal. The insurer requested Reconsideration, which was allowed by the Vice Chair, who held that the Tribunal’s decision to close the file without adjudicating the costs issue violated the rules of natural justice and procedural fairness. However, in the end, the Vice Chair found that the insurer had not met the high onus and did not award any costs.

Take Home

These decisions highlight that the unilateral withdrawal of a LAT Application and the administrative closure of a case does not dispose of an issue raised by an opposing party. Based on the principles of procedural fairness and natural justice, an insurer is still able to have the LAT decide issues that were raised in the Response or the proceeding. Administrative closures can be reversed on request. One key element appears to be that the party must raise the issue prior to closure. Failure to raise or include an issue may result in the insurer being barred from having it heard by the LAT.

See Motion Order of LAT File No. 18-011887/AABS.


Kathleen was called to the bar in 2009. Over the years, she has developed an insurance defence practice with a particular focus on fraud. Read more ...


Business E-Mail Fraud: Sometimes You Pay Twice!

 Aug 19, 2019 4:00 PM
by Devan Marr

In a recent Ontario Small Claims Court decision, a deputy judge was faced with a situation where a business e-mail compromise resulted in settlement funds being redirected to a fraudster rather than the intended recipient.

The case raised the following novel question:

Where a fraudster assumes control of Victim A’s e-mail account and then, impersonating Victim A, issues instructions to Victim B, who then transfers funds intended for Victim A (or a third party) to the fraudster’s account, is Victim A liable for the loss?

The Facts

The underlying claim was simple and traditional. The plaintiff was seeking an unpaid balance for environmental assessment services in the total amount of $15,670.54. The defendant acknowledged the debt but claimed insolvency. The plaintiff issued a small claims action on April 27, 2018. The parties reached a settlement agreement on August 1, 2018.

The relevant terms of settlement were:

Mark Schokking on behalf of the Corporate Shareholders shall pay to [the Plaintiff] the sum of $7,000 as follows as full and final settlement of the claim.

Mark Schokking and/or the Corporate Shareholders will deposit $7,000.00 into the Trust account of McDonald, Duncan LLP, account number XXXXX-773, Bank of Montreal no later than August 8, 2018….

Between August 1, 2018 and August 8, 2018, a fraudster struck. The fraudster gained access to the workplace e-mail of the paralegal representing the plaintiff. Her e-mail credentials were obtained either via a “phishing” attack or possibly a “brute strength” attack. The fraudster changed the e-mail “rules” for the paralegal’s account, which had the following consequences:

  • Specific incoming e-mails would be forwarded to an external Gmail account and the original incoming e-mail would automatically be deleted.
  • The fraudster was then able to send e-mails from the paralegal’s account to the specific accounts. If the recipient e-mailed back, it would be re-directed.
  • The paralegal would have no way of knowing the correspondence was taking place.
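The mailbox-rule changes described above are the detectable footprint of this kind of compromise: a rule that forwards mail to an address outside the organisation and then deletes or hides the original is rarely legitimate, and a mail administrator can review exported rules for that pattern. The audit script below is an added example, not code from the original post, the court or any mail vendor; the `InboxRule` fields, the internal domain list, the folder names and the sample rules are all constructed assumptions standing in for whatever a real mail platform exports.

```python
"""Audit exported mailbox rules for the forward-and-hide pattern.

Added example (not from the original post). The InboxRule fields are an
assumed, vendor-neutral simplification of a mail platform's rule export.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed: the organisation's own mail domains; anything else is "external".
INTERNAL_DOMAINS = {"example-law.test"}

# Folders commonly used to park diverted mail so the mailbox owner never sees it.
HIDING_FOLDERS = {"deleted items", "rss feeds", "archive", "junk email"}

# Subject keywords that suggest a rule is aimed at payment instructions.
PAYMENT_KEYWORDS = {"invoice", "payment", "wire", "deposit", "settlement", "trust"}


@dataclass
class InboxRule:
    """Simplified view of one mailbox rule (field names are assumptions)."""
    owner: str
    name: str
    forward_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    subject_contains: List[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    """True when the address domain is not one of our own."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def rule_findings(rule: InboxRule) -> List[str]:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings: List[str] = []
    external = [a for a in rule.forward_to if is_external(a)]
    hidden = rule.delete_message or (
        rule.move_to_folder is not None and rule.move_to_folder.lower() in HIDING_FOLDERS
    )
    if external and hidden:
        # The pattern from the case: a copy goes out, the original vanishes from the inbox.
        findings.append("HIGH: forward-and-hide (owner cannot see the diverted thread)")
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    if rule.delete_message:
        findings.append("deletes the original message")
    elif hidden:
        findings.append(f"moves messages to '{rule.move_to_folder}'")
    if any(k.lower() in PAYMENT_KEYWORDS for k in rule.subject_contains):
        findings.append("filters on payment-related subject keywords")
    return findings


def audit(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map 'owner/rule name' to its findings, for every rule with at least one."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        findings = rule_findings(rule)
        if findings:
            report[f"{rule.owner}/{rule.name}"] = findings
    return report


# Constructed sample export: one benign rule, one matching the case, one borderline.
SAMPLE_RULES = [
    InboxRule(owner="paralegal@example-law.test", name="Newsletters",
              move_to_folder="Reading", subject_contains=["digest"]),
    InboxRule(owner="paralegal@example-law.test", name="Sync",
              forward_to=["acct.backup.2019@gmail.example"], delete_message=True,
              subject_contains=["settlement", "deposit"]),
    InboxRule(owner="clerk@example-law.test", name="Copy to home",
              forward_to=["me@personal.example"]),
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_RULES).items():
        print(key)
        for finding in findings:
            print("   -", finding)
```

Running this on a periodic export (or on the audit event a platform raises when a rule is created) gives the firm a chance to catch the diversion before a counterparty acts on a forged instruction; the "Copy to home" rule shows why plain external forwarding deserves a look even without the delete step.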

With these redirections in place, the fraudster sent revised instructions to Mr. Schokking on August 1, 2018. The e-mail requested Mr. Schokking deposit the money to a Credit Union account in Medicine Hat, Alberta. Mr. Schokking replied by e-mail asking for the physical address. The fraudster, still masquerading as the paralegal, provided the information. Ultimately, Mr. Schokking sent the money to the Medicine Hat account. The fraud was subsequently discovered but the money was never recovered.

The plaintiff brought a motion to enforce the settlement, arguing that the defendant had failed to comply with the settlement terms. The defendant took the position he had satisfied the terms of settlement.

After noting a lack of jurisprudence and the need for legislative intervention in this specific area, the deputy judge concluded that as a default rule, the subject of a fraud (Victim A) that results in another entity (Victim B) diverting funds properly meant for Victim A will not be liable for the loss unless:

  • Victim A and B had a contract which authorized B to rely on e-mail instructions from A, and the contract shifts liability for a loss resulting from fraudulent payment instructions to A; or,
  • There is evidence of willful misconduct or dishonesty by Victim A; or,
  • There is negligence on the part of Victim A.

In the present case, the deputy judge found none of these exceptions applied. There was no contract between the two parties beyond the initial terms of settlement, and there was no evidence of misconduct, dishonesty, or negligence by the paralegal or her firm.

The deputy judge accordingly found that by sending the settlement funds to the Medicine Hat account as opposed to the trust account, the defendant failed to follow the terms of the settlement. The deputy judge ordered the Defendant to pay $7,000 in settlement of the claim.

The Take-Aways

The old adage of “an ounce of prevention is worth a pound of cure” still holds true in the world of e-mail fraud. Proactive risk management practices like employee training, responsive procedures and properly enforced office policies can be an inexpensive and effective way to manage the continued risk of business e-mail compromise and similar cyber breaches.

This case is a prime example of how it takes multiple errors from multiple parties to result in a loss. In an era where the human element continues to make up the bulk of cyber claims, managerial controls and employee training are essential in addressing these risk exposures. In this specific case, there were two ways the likelihood and the severity of this breach could have been modified.

The first is the need for organizations to proactively train their employees on the ongoing risk of cyber breaches. The firm’s IT professional noted that the paralegal’s e-mail password was considered “strong” and therefore likely resistant to a brute force attack. This suggests that her credentials were obtained via a “phishing” scam. Frequent password changes and scrutiny of e-mails with the hallmarks of a “phishing scam” could have avoided an e-mail compromise in the first place.

The second take-away is that in the age of convenient e-transfers, organizations must have policies and procedures in place to verify any changes in deposit instructions. This is especially true when those new instructions include a transfer to an extra-provincial account with no apparent connection to the parties. In the present case, had the defendant made a phone call after receiving the e-mail, they could have reduced the impact of the paralegal’s e-mail compromise and avoided having to pay out twice on a claim they thought settled.  

See: St. Lawrence Testing & Inspection Co. Ltd. v Lanark Leeds Distribution Ltd., 2019 CanLII 69697 (ON SCSM)


Devan Marr’s practice has focused on bodily injury, long term disability, statutory accident benefits, and employment claims.


Biometric Data – Facebook is in Trouble, Again

 Aug 19, 2019 10:15 AM
by Stas Bodrov

Facebook has been under heavy fire for the better part of the past year. Last week, the US Court of Appeals for the Ninth Circuit added to the fray in Patel v Facebook Inc. This class action lawsuit was brought in 2015 in California by Facebook users living in Illinois. The basis of the lawsuit was that Facebook’s facial-recognition technology violated the Illinois Biometric Information Privacy Act (BIPA).

By way of background, in June 2016, Facebook brought a motion to dismiss the action while the plaintiffs moved to certify the class of plaintiffs. Much to Facebook’s dismay, the US District Court for the Northern District of California denied Facebook’s motion to dismiss and certified the class of “Facebook users located in Illinois for whom Facebook created and stored a face template after June 7, 2011”. This decision was appealed to the Ninth Circuit appeal court, where the lower Court’s decision was upheld.

Facebook’s Facial Recognition Software

The basis of the lawsuit starts with Facebook’s facial recognition technology that was used in a new feature launched in 2010: Tag Suggestions. Every time a user posted a picture on Facebook and “tagged” a friend, the facial recognition software assessed the face using various geometric data points that made a face unique (i.e. distance between the eyes, nose, and ears) to create a face signature/map. Facebook would then store that signature/map in their database. Going forward, if a user posted a new picture, the technology would identify faces in the picture and cross-reference them with their database (i.e. a face signature that has already been created in the past) to suggest tagging the person in the photo.

It is important to note that Facebook’s face templates were stored on their servers, which were located in nine data centers, six of which are located in the US: Oregon, California, Iowa, Texas, and North Carolina.

Biometric Data and the Law

Across the globe, biometric data is being used more commonly by businesses as a security screening tool. For instance, smartphones use facial recognition and fingerprints as a security feature to unlock the phone, mobile financial applications are beginning to implement facial recognition to sign into your account, and NEXUS uses iris scans to identify individuals for cross border travel. The complication with biometric data is that it is unlike other unique identifiers. While a social insurance number can be changed if compromised, an individual’s biometric data is biologically unique to that individual. If a database with biometric data is compromised, the individuals affected have no recourse – unless they want to attempt a John Travolta and Nicolas Cage Face/Off scenario. If biometric data is compromised, the individual has a significantly increased risk for identity theft and is likely to completely withdraw from biometric-facilitated transactions.

Recognizing the severity of a potential breach involving biometric data, the Illinois General Assembly passed the BIPA in 2008 to regulate the collection and storing of biometric information. BIPA imposes various obligations on an organization that collects biometric data of their users. The organization is required to establish a retention schedule for permanently destroying biometric identifiers and information; advise users of this policy in writing; and, secure a written release before obtaining a biometric identifier. This law applies to organizations doing business in Illinois and allows private individuals to file a lawsuit for damages stemming from a violation of the BIPA.

Similar laws have been enacted in Washington and Texas, although they are not as stringent and do not have the same damages provisions.

In Canada, neither provincial nor federal governments have passed specific laws regulating the collection and use of biometric data. However, biometric data has been identified as “personal information about identifiable individuals”, which is within the purview of (1) the Privacy Act, that regulates how data is used by the Federal government, and (2) the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how data is collected, used, and stored by private-sector organizations.

The Appeal

Back to the case at hand. As noted, the District Court denied Facebook’s attempt to have the case dismissed and certified the class action (identified a group of people that can proceed with the lawsuit).

Injury in Fact - Damages

Facebook argued that the plaintiffs were missing a critical element needed to proceed with the lawsuit: they had not suffered a “concrete injury in fact”. In Facebook’s view, violating BIPA by failing to obtain consent from users and failing to publish a destruction policy was merely a failure to comply with a procedural requirement. That non-compliance, it argued, caused no concrete injury to the plaintiffs and therefore no damages.

The Ninth Circuit Court disagreed.

With respect to a concrete injury, the Court concluded that an intangible injury could nevertheless be concrete and establish an injury in fact. BIPA was enacted to protect individuals’ “biometric privacy” by: (1) imposing specific safeguards to ensure individuals’ data is properly collected and used; and (2) subjecting private entities who fail to follow the law to liability. In essence, the legislation was created to protect individuals against “the risk of real harm”, and that was enough to establish an injury.

With respect to damages, the Court observed that in our digital world, privacy protections are particularly crucial. The Court found “[w]hen a private entity fails to adhere to statutory requirements, the right of the individual to maintain his or her biometric privacy vanishes into thin air.” The Court noted that privacy lawsuits are particularly unique because the invasion of someone’s privacy rights is fundamentally offensive to our society. Therefore, privacy lawsuits do not always require additional consequences, like actual damages, for them to be actionable.

Territorial Limits of the Law

Interesting jurisdictional arguments were raised by Facebook, as the lawsuit was filed in California on the basis of an Illinois law. Facebook argued that the Illinois law was not intended to have effect in another state; in other words, an individual in Illinois could not use an Illinois law to sue a company in California. Facebook argued that the relevant events, the collection and storage of the face scans, occurred on its servers, which were not located in Illinois, and that Illinois law therefore could not apply.

The Court did not make a decision directly on this issue but noted that the law does not specify where the essential elements of a violation take place. For example, in this case the violation could be argued to have occurred in Illinois because that was where the person whose privacy rights are impacted used Facebook. Alternatively, the violation could be construed to have occurred in California, where Facebook housed its server and where it scanned the photographs as well as stored the scans. Alternatively, it could be a combination of the two. The Court left this decision for the District Court to decide in the course of the lawsuit, but it noted that it is reasonable to infer that the Illinois lawmakers contemplated the law’s application to individuals who are located in Illinois, even if some relevant activities occur outside the state.

Takeaway

It is particularly important to note that this is a US case. The laws and legal principles are different in Canada from the US; however, US cases may have an effect on how future cases are decided in Canada.

Although Canada does not have a “concrete injury in fact” element of the kind discussed in Patel, it does require an individual to establish damages in the course of a lawsuit. For instance, Jones v Tsige was the Ontario Court of Appeal decision that established the privacy tort of intrusion upon seclusion. In that case, the Court similarly noted that “proof of actual loss is not an element” of the tort: a finding that someone violated another’s right to privacy is enough to presume damages. However, Canadian courts have been reluctant to award significant sums (a cap of $20,000.00 was established in Jones v Tsige) in individual cases without additional proof of loss. Although we have not yet seen a biometric data-based lawsuit in Canada, the Patel case may be informative to Canadian courts when such a case finally comes around.

Another important consideration is identifying which laws govern an organization’s procedures. We previously addressed the extraterritorial application of the General Data Protection Regulation (GDPR) enacted in Europe to organizations outside the EU[1]. The key takeaway in this regard is that organizations may be impacted by other state or provincial privacy regulations if they, knowingly or unknowingly, cater to that territory’s population.

This is a case definitely worth following. Let’s see what hot water Facebook ends up in next!

See Patel v Facebook Inc., No. 18-15982 (9th Cir. Aug. 8, 2019)


Stas practices in insurance-related litigation. He has a broad range of experience including tort claims, accident benefits, subrogation, priority and loss transfer disputes, WSIB matters, and fraudulent claims. Read more...

  

Push Back on Pre-Certification Production Requests

 Aug 19, 2019 10:00 AM
by Lisa Armstrong

The plaintiffs in Karasik v. Yahoo Inc., a proposed class action, brought a motion for production of Yahoo’s database of its 16.9 million Canadian users prior to the certification motion.  

This class action stems from cyber attacks in 2013 and 2014, attributed to the Federal Security Service of the Russian Federation, against the defendants, Yahoo Inc. and Yahoo! Canada Co.

In coming to his decision, Justice Perell noted the following established principles regarding pre-certification productions:

  1. There is no automatic right to documentary discovery at the certification stage, and a party seeking such discovery must demonstrate the need for it; for the certification motion, which is a procedural motion that does not go to the merits of the action, there is limited production of documents that are shown to be relevant to the issues on certification.
  2. The onus is on the party seeking documents for the certification motion to explain why the requested documents are relevant to the issues of certification, and bald assertions that the documents may be relevant do not suffice.
  3. At the pre-certification stage, proportionality is of a particular concern, and the production of documents must be proportionate to the needs of the certification motion and what is necessary to inform the certification hearing.
  4. In determining whether a document should be produced, a guiding principle is fairness, and a party should not request production of more than it needs for the purposes of the certification motion nor should a party hold back the production needed by his or her opponent to inform the focused purposes of the certification hearing.

Ultimately, Justice Perell held that the Plaintiffs had not met the onus of explaining how access to the database was relevant to the certification motion and, in any event, held that the request was disproportionate in the case at hand.

Karasik v. Yahoo Inc., 2019 ONSC 4670 (CanLII)


Lisa has an insurance law practice that has focused exclusively on insurance defence for 15 years. Her practice focuses on complex insurance-related litigation, including accident benefits and bodily injury. Read more ...

  

Inadvertence Does Not Equal Recklessness

 Aug 9, 2019 5:00 PM
by Laura Emmett

It is fair to assume that the personal health information provided to medical professionals is kept confidential. Medical professionals and institutions set up policies and procedures to ensure that the information is collected, stored, and used in an appropriate manner and in compliance with privacy regulations. Recently, an individual took The Queensway Carleton Hospital to Court alleging that their procedure for surgery bookings caused her significant damages.

The facts of this case are straightforward. The Plaintiff was told that she required surgery. While waiting for a date for the surgery, she received a paper surgical booking package that she had to complete. The Plaintiff testified that she dropped off the completed booking package in the Hospital’s drop box. However, about a week later, it was returned to her by Canada Post. Despite the Plaintiff’s complaints, no one from the Hospital accepted responsibility for the misplaced booking records. The Information and Privacy Commissioner of Ontario was unable to make a determination regarding who was responsible for the privacy breach. The Plaintiff commenced a claim for damages for intrusion upon seclusion, breach of confidence, and public disclosure of embarrassing facts. She also sought punitive damages.

The Court found, on a balance of probabilities, that the Hospital received the records and they were misplaced. The Plaintiff relied on three causes of action to support her claim – intrusion upon seclusion; breach of confidence; and, public disclosure of embarrassing facts.

In dealing with intrusion upon seclusion, the Court found that a single act of inadvertence, assuming that was what happened, was not sufficient to prove recklessness. In fact, the Court found that the Hospital’s protocol for handling booking records did not create an obvious or serious risk. The Court found that the system worked quite well despite this one instance. There was not a deliberate and significant invasion of personal privacy as required in order to satisfy the threshold for damages.

Second, to establish the tort of breach of confidence, the Plaintiff had to show that the Hospital made unauthorized use of her booking record and misused it to her detriment. Once again, the Court found that this claim was not satisfied, as there was insufficient evidence that the Hospital misused the booking record.

Third, the Court found that the tort of public disclosure of embarrassing facts was not established. There was no evidence that the Hospital “published” the booking record or that the records were deliberately made publicly available. The evidence showed that the record could only be seen by postal workers in Montreal to determine where the record should be returned to. This was not sufficient to establish damages.

The Court considered the provisions of the Personal Health Information Protection Act. Section 71(1)(b) provides a statutory immunity for health information custodians where there has been an attempt at good faith compliance with the Act. The Court found that the evidence did not establish that the Hospital’s use of surgical booking packages was unreasonable. Additionally, there was no evidence that there had been any issues with other booking records, either before or after this incident.

Finally, the Court considered whether the Plaintiff was entitled to damages for the “humiliation, anxiety and distress” arising from receiving the envelope from Canada Post containing her booking records. The Plaintiff did not establish, on a balance of probabilities, that she suffered anxiety or psychological upset rising to the level of requiring compensation. Similarly, there was no high-handed, arrogant or contumelious behaviour on the Hospital’s part that would warrant a finding of punitive damages.

Hospitals are particularly vulnerable to privacy claims – they are required to gather a significant amount of personal health information in a very short period, store and protect that information, and use it in an appropriate way. Healthcare organizations must implement robust safeguards and procedures to ensure their patients’ information is properly collected, used, and disclosed. Taking these reasonable steps will lower an organization’s financial and litigation risk. A good place to start is creating privacy policies or hiring an experienced counsel to review existing policies and their implementation.

See Wilson-Flewelling v Queensway Carleton Hospital, 2019 CanLII 65155 (ON SCSM)


Laura has a diverse practice where she focuses on accident benefits, bodily injury claims, product liability, cyber liability, privacy law and drone liability. Read more ...

  