Proactive Monitoring: Lack of Employee Oversight Leads to the Certification of the first Privacy Class Action based on the novel tort of “intrusion upon seclusion”

On June 6, 2014, the Ontario Superior Court certified the first privacy class action based on the novel tort of “intrusion upon seclusion”, recognised in 2012 by the Ontario Court of Appeal in Jones v. Tsige.[1]

In Evans v. Bank of Nova Scotia[2], the plaintiffs sued the Bank and its employee for damages through this new tort. This decision is of interest for any employer who oversee employees that have access to customers’ confidential and financial data.

The Facts

Richard Wilson, Mortgage Administration Officer at the Bank, admitted he had access to highly confidential customer information that his girlfriend disseminated to third parties for fraudulent and improper purposes. The Bank identified 643 customers whose files were accessed by Wilson (the “Notice Group”) and to date 138 of them have advised the Bank that they have been victims of identity theft or fraud affecting their credit rating. The Bank compensated the pecuniary losses they suffered and offered all members of the Notice Group a complimentary subscription to a credit monitoring and identity theft protection service.

The Breach

The plaintiffs allege the Bank is vicariously liable for the conduct of its employee and claim damages for breach of contract, negligence, waiver of tort and the tort of intrusion upon seclusion.

The Court found that the Plaintiff had made out a cause of action against the Bank in both vicarious liability for the employee’s acts and negligence.  The Bank had created the opportunity for the employee to abuse his power by allowing him to have unsupervised access to customers’ private information without any monitoring system, which lack of supervision and monitoring was acknowledged by the Bank. There was a significant connection between the risk created by the Bank and the wrongful conduct of the employee such that a claim for the Bank’s vicarious liability was made out.  A claim in negligence was made out given that the Bank had the ability to monitor the employee’s activities and admitted that it did not.

The tort of intrusion upon seclusion has only recently been recognized by the Ontario Court of Appeal in 2012 in Jones v. Tsige. As mentioned is our previous analysis of this decision, the key features of this new tort are as follows:

1)    the defendant’s conduct must be intentional (or reckless);

2)    the defendant must have invaded the plaintiff’s private affairs or concerns, without lawful justification; and

3)    a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.

The judge found that the law in Canada is not settled on this issue. He certified the class action on the grounds that it was not plain and obvious that the plaintiffs’ claim that the Bank was vicariously liable for its employees’ tort of intrusion upon seclusion would be unsuccessful on the merits.

The Takeaways

Given the significant increase of data breaches and the sensitivity of customers’ confidential and financial information, employers may be subject to lawsuits brought by customers seeking damages on the basis of the tort of intrusion upon seclusion. The Evanscase illustrates that a lack of employee oversight may result in large scale breaches of privacy and data theft with substantial legal and reputational risks. The legal risks to employers appear to have increased with the advent of the certification of a case based on intrusion upon seclusion.  Employers should establish internal supervision policies and parameters to monitor the activity of their employees having access to consumers’ confidential  data.

[1] 2012 ONCS 32.

[2] 2014 ONSC 2135.

breach of contract customer's confidential and financial data identity theft intrusion upon seclusion negligence Ontario Court of Appeal Ontario Superior Court of Justice privacy vicarious liability waiver of tort



Stay Connected

Get the latest posts from this blog

Please enter a valid email address