A recent certification of a class action in the case of Evans v. Bank of Nova Scotia highlights the potential liability that Ontario employers can face for privacy breaches by their employees.
Two years ago, the Ontario Court of Appeal (in the case of Jones v. Tsige) recognized the tort of intrusion upon seclusion in the face of an employee’s violation of another employee’s privacy. In the absence of personal privacy rights and legislation in Ontario, that represented a significant legal development.
While the Tsige case was a dispute between two employees of the Bank of Montreal, it was predicted that the tort of intrusion upon seclusion would have an effect on employers if they directly or indirectly allowed for privacy breaches.
This is now the very issue at play in Evans, where the plaintiffs claim that the Bank of Nova Scotia (the “Bank”) is vicariously liable for the privacy breaches of one its employees, Richard Wilson.
Mr. Wilson was a Mortgage Administration Officer with the Bank who, as part of his role, had access to confidential client information. It was discovered by the Bank (and conceded by Mr. Wilson) that he took personal information of 643 clients and disclosed it to his girlfriend, who in turn gave it to third parties for improper and unauthorized purposes. This unauthorized access and use went on from July 1, 2011 until May 18, 2012.
Although the Bank notified and compensated the 643 clients for the privacy breach and the resulting identity theft/ fraud, one of the clients – Mr. Evans – commenced a class action lawsuit claiming that the Bank was also vicariously liable for the tort of intrusion upon seclusion.
The class action claim does not assert that the Bank intentionally invaded the clients’ privacy, but rather that the Bank is vicariously liable because it did not adequately oversee the activities of its employee and did not ensure the integrity and protection of the clients’ confidential information.
Before any class action can proceed, it must clear the hurdle of “certification”—i.e. the Court must determine, on a preliminary basis, whether it is appropriate for the litigation to proceed.
In its analysis of this case, the Court reviewed the three elements of the tort of intrusion upon seclusion, namely:
- the defendant’s conduct must have been intentional or reckless;
- the defendant must have invaded the plaintiff’s private affairs or concerns without lawful justification; and
- a reasonable person would regard the invasion as highly offensive, causing distress, humiliation or anguish.
Upon consideration of those factors, the Court held that (a) the Bank had granted Mr. Wilson access to the clients’ confidential information and did not otherwise safeguard this information from unauthorized use (i.e. through monitoring or random audits), and (b) the Bank’s failure to properly safeguard the information created a risky scenario in which Mr. Wilson’s misconduct was made possible.
Although the Court has yet to make any decision on whether the Bank is indeed vicariously liable for Mr. Wilson’s actions (i.e. as that question will be the subject of the trial), this initial certification decision highlights employers’ vulnerability to claims for “intrusion upon seclusion” where their actions to protect the privacy of confidential information (whether from misuse by their own employees or otherwise) are inadequate.
Employers should be mindful of the information that is under their protection, and should ensure that proper precautions and safeguards are in place to avoid privacy breaches—e.g. strict policies on privacy and confidentiality; training on the use and protection of confidential information; and as routine monitoring and surveillance of employee access of confidential information. In that regard, employees ought to be made aware of such policies and monitoring, and particularly of the consequences that will flow from any breach on their part.