In Part I of this blog, I canvassed the decision Evans v Bank of Nova Scotia (“Evans”)[1] wherein the Ontario Supreme Court certified a class action proceeding for allegations concerning a breach of privacy rights through the tort of intrusion upon seclusion first set out in Jones v Tsige (“Jones”)[2].

In the wake of recent massive security breaches reported by retailers such as Target and Neiman Marcus, the availability of the tort of intrusion upon seclusion as a class action matter should concern retailers and other consumer facing businesses.

The low threshold for the certification of these privacy breach related class action suits demonstrates the need for retailers to be diligent in guarding against privacy breaches and obtaining consent. Here are some guidelines that may assist businesses in protecting data containing personal information and limiting privacy liability:

  • Develop a breach protocol that is amended periodically to account for improvements in technology.
  • Incorporate a notification procedure in the breach protocol in order to report breaches to the applicable Privacy Commissioner. Even in jurisdictions where such notification is not strictly required by law, it may be advisable to notify the Privacy Commissioner (or affected individuals) of data breaches where such notification to Privacy Commissioners or individuals would help mitigate the harm arising from the breach.
  • Ensure that all contracts with third parties include provisions that require the third party contractor to immediately inform your business of any breach or suspected breach. Inform third parties of the breach protocol once it is developed.
  • Ensure that record retention and destruction policies comply with existing privacy law requirements. To ensure compliance, destroy or ‘anonymize’ all personal information once it is no longer needed or legally required to be retained.
  • Undertake employee training initiatives to ensure familiarity and compliance with all policies and practices.

For businesses that are looking to develop policies and procedures the following guidelines may be of assistance:

  • Build a security program that protects the confidentiality, integrity, and availability of all information, not just personal information.
  • Develop classification standards so that personal and non-personal information, as well as, sensitive and non-sensitive personal information can be easily identified.
  • Ensure that proper security controls are in place and conduct risk assessments of all personal information.