NEGLIGENCE LIABILITY FOR BREACHES OF DATA SECURITY

JENNIFER A. CHANDLER*

Forthcoming in the Banking and Finance Law Review

TABLE OF CONTENTS

Introduction ..... 2
Part I Using Liability in Negligence to Address Poor Data Security ..... 3
Part II Review of U.S. Case Law ..... 10
  (a) The problem of establishing that a data security breach caused identity fraud ..... 10
  (b) The problem of establishing “actual harm” where identity fraud has not yet occurred ..... 13
Part III Liability for Data Security Breaches in the Canadian Context ..... 17
  (a) The recovery of pure economic loss ..... 18
  (b) The effect of statutory data safeguard requirements on the negligence claim ..... 22
  (c) The effect on liability of the intervening criminal acts of third parties ..... 29
Part IV Setting the appropriate standard of reasonable security measures ..... 32
Conclusion ..... 38

* Assistant Professor, Faculty of Law, University of Ottawa. I gratefully acknowledge Borden Ladner Gervais LLP for its support of my research assistant, David Quayat, through the Borden Ladner Gervais Research Fellowship during the research for this paper. I thank David Quayat and Deric Mackenzie-Feder for their excellent research assistance in the preparation of this paper, and I thank the anonymous reviewer for most helpful comments on the paper.

1 Electronic copy available at: http://ssrn.com/abstract=998305

INTRODUCTION

Breaches of data security involving the disclosure of sensitive personal information have become high profile news.[1] In January, 2007, TJX Companies Inc. announced a security breach affecting millions of customer records in Canada, the United Kingdom, Ireland, the United States and Puerto Rico,[2] and Talvest Mutual Funds announced the loss of 470,000 Canadian client records.[3] Thousands of Canadian credit card holders are reported to have been the victims of fraud as a result of the TJX Companies Inc. breach.[4]

These data security breaches can occur in many different ways. In the last few years, security breaches have involved website security flaws that exposed customer data,[5] misdirected faxes,[6] hacking into poorly secured computer networks and databases,[7] loss of paper records, loss or theft of electronic records (on laptops or other storage devices),[8] employee theft of information, disposal of confidential financial information in open public dumpsters,[9] apparent abandonment of confidential customer information in open public places,[10] and theft of information by employees at third party service providers.[11]

One of the key concerns with these data security breaches is that they may lead to identity fraud. This might include an “account takeover” in which the thief takes over an existing account, draining a bank account or making fraudulent credit card purchases, or “true name fraud” in which the thief opens new accounts or obtains new credit using the victim’s name.[12] A victim may be unaware of these latter frauds until he or she discovers a ruined credit rating or is approached by collections agencies.

Due to the concern over identity fraud, data security issues are now attracting growing attention from legislators, legal scholars, and an increasing number of litigants. This article addresses the possibility of using liability in negligence as a means to deter unreasonably careless data security practices as well as to offer compensation to those harmed by data security breaches. Although additional civil causes of action may be relevant depending upon the facts (e.g. breach of contract, breach of confidence, invasion of privacy, breach of fiduciary duty), the analysis in this article is restricted to negligence claims brought by the people whose data is compromised.

Part I of the article will discuss the need for civil liability in order to deter careless data security practices. Part II will review U.S. cases involving negligence liability for breaches of data security, identifying the key problems facing plaintiffs. Part III will address additional legal problems that may face plaintiffs in the Canadian context, and Part IV will draw on case law and regulatory decisions to suggest some conclusions about what are “reasonable” security measures.

Part I Using Liability in Negligence to Address Poor Data Security

California’s security breach notification legislation came into force in 2003, and placed an obligation on businesses holding unencrypted computerized personal information to notify California residents of breaches in the security of that information.[13] Since then, numerous other American states have followed suit[14] and the U.S. Congress is considering legislation in the field.[15] A similar data security breach notification requirement exists in Ontario’s Personal Health Information Protection Act[16] and the Privacy Commissioner of Canada has recommended an amendment to the federal Personal Information Protection and Electronic Documents Act[17] (“PIPEDA”) to provide a duty to notify.[18] Even without this legislation, there is a reasonable argument that there is a common law duty to disclose breaches of data security.[19]

There is growing scholarly interest in the efficacy of these data security breach notification statutes.[20] As Schwartz and Janger have pointed out, these statutes are intended to serve two purposes – first, deterring careless data security practices by imposing a reputational sanction, and second, informing individuals of a risk to their data so that they may take steps to protect themselves.[21] The reputational sanction might involve loss of market share as customers avoid businesses perceived to have poor security and a reduction in share value in the stock market. In addition, the expense of sending a security breach notification to affected parties may itself be a deterrent apart from the potential reputational sanction.[22]

However, there are reasons to wonder whether mandatory data security breach notification requirements really deter poor data security. Schwartz and Janger suggest that the public is unlikely to impose a significant market sanction by avoiding companies with a history of poor data security. In some cases, the breach will occur at a “back office” entity with no direct relationship with consumers (e.g. data processors, couriers or data brokers).[23] Consumers are unlikely to know which “back office” service providers are used by which retailers and so will find it difficult to avoid those with poor data security. With other types of businesses, such as banks, customers will incur high switching costs and so the market penalty for poor data security may be dampened. Furthermore, with the growing number of data security breaches, consumers may develop the impression that all or many banks have suffered security breaches so there is little to be gained from switching.[24] In a more general way, as data security breaches continue to be disclosed across various market sectors, the public will gradually come to perceive data insecurity as normal and will be even less likely to punish businesses by avoiding them.[25] Presumably the stock market will react less and less as it learns that the punishment from consumers is mild and decreasing.

These predictions may be supported by evidence of market behaviour. The public relations sanction that data security breach notification rules were intended to impose seems not to be effective. The price of TJX Companies Inc. shares dipped only slightly with the announcement in January, 2007 of an enormous security breach.[26] On the other hand, the stock price fell twice as much when the first class action lawsuit was filed a couple of weeks later. Despite this, TJX Companies Inc. reported increasing sales throughout the months after the security breach.[27] Furthermore, the comments of some TJX customers suggested a growing desensitization to data security breaches. “Customers leaving a T.J. Maxx store Thursday in Boston's Downtown Crossing shopping hub said the retailer's cut-rate prices on clothing and home goods are a big enough draw to offset any worries about lax data security. They said they didn't see TJX as any more susceptible to such theft than any other retailer.”[28]

The fact that many consumers do not appear to be greatly put off by data security breaches does not necessarily mean that there is no problem to be solved. A recent U.S. estimate of the volume of identity fraud in the U.S. in 2006 was nearly $60 billion.[29] Consumer reaction is perhaps dampened by the fact that cardholder agreements insulate customers from significant losses resulting from credit card fraud.[30] These costs are nonetheless an economic drain and are transmitted indirectly back to consumers by financial institutions and merchants in the form of higher fees and prices.[31] Furthermore, information other than credit card numbers may be compromised, exposing affected persons to greater risks. Identity thieves may open new credit accounts, loans or service contracts in the victim’s name, damaging the victim’s credit report.[32] An identity thief may also impersonate a victim during interactions with police so that the victim obtains a criminal record. The task of repairing one’s credit and clearing one’s name can be considerable. For example, the U.S. Federal Trade Commission recommends that victims obtain official “Identity Theft Reports” to ensure that fraudulent transactions do not reappear on their credit reports, as well as to prevent collection agencies from continuing to attempt to collect the debts.[33] However, the FTC acknowledges that the police in some places may be unwilling to take the reports, recommends that identity fraud victims “be persistent” and offers victims various documents with which to try to convince the police of the importance of taking the report. If this fails to convince the local authorities, the FTC suggests that victims should try county and state police. Clearly, recovering from identity theft can be an arduous and frustrating task.

Even if there are reasons to doubt the deterrent impact of a requirement that businesses disclose data security breaches, it may still be quite useful in permitting individuals to mitigate the harm of identity theft. Armed with the knowledge of a data security breach, individuals are in a slightly better position to dispute fraudulent charges and other such harms. While mandatory disclosure rules may thus be useful in mitigating harm, they may not offer much deterrence. In fact, far from disciplining careless data handlers by shunning them in the market, consumers may instead punish those who implement security measures if those security measures lead to higher prices.[34] As a result it is worthwhile to consider other possible deterrents. One such possibility is civil liability for harms arising from breaches of data security.

Some commentators have expressed reservations about the possibility of civil liability in this context. Johnson cautions that care should be taken in imposing liability for breaches of data security given that the potentially considerable losses might be ruinous, and there is a possibility that overly onerous requirements would also discourage the use of computer technology in handling data.[35] Picanso suggests that an increased threat of liability might diminish the reporting of data security breaches.[36] LoPucki suggests that our attempts to secure data are futile. In his view, identity theft would be better addressed by abandoning our attempt to secure the data, and creating alternate systems of identification that do not rely on secret data.[37]

NOTES

[1] A rapidly growing list of major reported security breaches in the United States is maintained at .
[2] TJX Companies, Inc. “Frequently Asked Questions,” (28 March 2007), .
[3] Privacy Commissioner of Canada, “News Release: Privacy Commissioner Launches Investigation of CIBC breach of Talvest customers’ personal information,” (18 January 2007), .
[4] “Winners security breach hits Canadian cardholders,” CTV.ca (25 January 2007), ; Sinclair Stewart, “Winners security breach hits home,” Globe and Mail.com (25 January 2007), .
[5] Kevin Poulsen, “Tower records settles charges over hack attacks,” The Register.com (22 April 2004), ; Kevin Poulsen, “Guess leaks credit cards of the fashion conscious,” The Register.com (6 March 2002), ; U.S. Federal Trade Commission, “Petco settles FTC charges – security flaws allowed hackers to access consumers’ credit card information,” (17 November 2004), .
[6] Speevak v. Canadian Imperial Bank of Commerce (statement of claim issued February 4, 2005, Ont. Sup. Ct. Justice 05-CV-283484CP).
[7] Thomas C. Greene, “Amazon division hacked, thousands of CCs exposed,” The Register.com (March 6, 2001), .
[8] The Talvest data security breach involved the loss of a hard drive containing client data. Supra note 3.
[9] U.S. Federal Trade Commission, “Real estate services company settles privacy and security charge – company tossed consumers’ confidential information in dumpster, company computers were hacked,” (10 May 2006), .
[10] Laura Bobak, “Rogers data leak shows need for mandatory customer notification law, expert says,” CBC.ca (9 April 2007), .
[11] Andy McCue, “Indian call center staff sold data, TV show says,” CNET News.com (5 October 2006), .
[12] Anthony E. White, “The Recognition of a Negligence Cause of Action for Victims of Identity Theft: Someone Stole My Identity, Now Who is Going to Pay for It?” (2005) 88 Marq. L. Rev. 847 at p. 851-852; Kenneth M. Siegel, “Protecting the Most Valuable Corporate Asset: Electronic Data, Identity Theft, Personal Information, and the Role of Data Security in the Information Age” (2007) 111 Penn St. L. Rev. 779 at p. 784-786 (discussing forms of identity fraud).
[13] S.B. 1386, codified in Cal. Civ. Code § 1798.82.
[14] A chart of the legislation is available at .
[15] Anne Shelby, Davis Wright Tremaine LLP, “Pending Privacy and Data Security Legislation in the 110th Congress,” Privacy and Security Law Blog (30 March 2007), ; Flora J. Garcia, “Data Protection, Breach Notification, and the Interplay between State and Federal Law: The Experiments Need More Time,” (2007) 17 Fordham Intell. Prop. Media & Ent. L.J. 693 (reviewing recent U.S. federal and state legislative initiatives).
[16] S.O. 2004, c.3, Sched. A., s.12(2).
[17] S.C. 2000, c.5.
[18] Canada, Office of the Privacy Commissioner, “The Privacy Commissioner of Canada’s Position at the Conclusion of the Hearings on the Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA),” (22 February 2007), at section 12.
[19] See e.g., Ethan Preston and Paul Turner, “The global rise of a duty to disclose information security breaches,” (2004) 22 J. Marshall J. Computer & Info. L. 457 (suggesting that the common law doctrine of negligent misrepresentation may require notification of data security breaches where a company has represented that data will be kept private); Vincent Johnson, “Cybersecurity, Identity Theft, and the Limits of Tort Liability,” (2005) 57 S.C. L. Rev. 255 at p. 282. As noted below, plaintiffs often claim that the failure to disclose a breach promptly is a breach of the duty of care in negligence lawsuits.
[20] See e.g., Paul Schwartz and Edward Janger, “Notification of Data Security Breaches,” (2007) 105 Mich. L. Rev. 913; Kathryn E. Picanso, “Protecting Information Security Under a Uniform Data Breach Notification Law,” (2006) 75 Fordham L. Rev. 355 at p. 373.
[21] Schwartz and Janger, supra note 20 at p. 917.
[22] Ibid. at p. 957.
[23] Ibid. at p. 946-947, pointing to the Cardsystems and Choicepoint cases as examples where retail consumer defection would not be a realistic result of notifying affected individuals of the breaches of data security.
[24] Ibid. at p. 948.
[25] Ibid. at p. 916, referring to critics of data security breach notification statutes: “A major objection is that the current requirement for customer notice generates too many breach disclosure letters. Critics focus on the disclosure trigger in the California statute and related legislation which requires the sending of notification letters whenever there is a reasonable likelihood that an unauthorized party has "acquired" personal information. These critics point to Aesop's fable, "The Boy who Cried Wolf." As Fred Cate writes, ‘if the California law were adopted nationally, like the boy who cried wolf, the flood of notices would soon teach consumers to ignore them. When real danger threatened, who would listen?’ The Washington Post has joined this chorus in editorializing against these laws as creating ‘tedious warnings’ that will cause people to ‘ignore the whole lot.’”
[26] Elaine Wiltshire, “Cyber-Enemy at the Gates,” (2007) 23:7 The Bottom Line, reporting that the price before the breach was just under $30, and dropped to $29.50 on the day of the breach. Two weeks later, with the filing of the first class action, the price dropped a further 3.7%.
[27] Mark Jewell, “Data Theft Doesn’t Slow Sales for TJX,” Yahoo! Finance (12 April 2007), .
[28] Ibid.
[29] Better Business Bureau and Javelin Strategy and Research, “New Research Shows Identity Fraud Growth is Contained and Consumers Have More Control Than They Think,” (31 January 2006), .
[30] Evan Schuman, “The Credit Card Unintended Consequence,” Storefront Backtalk Blog (21 February 2007), .
[31] Penelope N. Lazarou, “Small Businesses and Identity Theft: Reallocating the Risk of Loss,” (2006) 10 N.C. Banking Inst. 305 at p.321.

32

Federal Trade Commission, “About Identity Theft,” (visited 5 June 2007). 33 Federal Trade Commission, “Defend: Recover from Identity Fraud,” (visited 5 June 2007). 34 Lazarou, supra note 31 at p. 321, suggesting that customers who have not felt the effects of identity theft may be unwilling to pay the higher costs associated with security measures, which would discourage businesses from implementing such measures. 35 Johnson, supra note 19 at p. 260: “Obviously, courts must strike a balance that adequately protects the interests of individuals without discouraging the use of computer technology or driving important institutions out of existence.” 36 Picanso, supra note 20 at p. 388-389. 37 Lynn M. LoPucki, “Did Privacy Cause Identity Theft?” (2003) 54 Hastings L.J. 1277 and Lynn M. LoPucki, “Human Identification Theory and the Identity Theft Problem” (2001) 80 Tex. L. Rev. 89. For a

6

Others endorse civil liability in this context. Citron recommends not a negligence but a strict liability standard in relation to harms caused by breaches of data security.38 She suggests that security breaches are inevitable even with reasonable security measures. In her view, strict liability would cause database custodians to internalize the full costs of the inevitable data security breaches and so discourage the maintenance of databases except where the benefits of doing so outweigh the entire costs of doing so.39 In fact, plaintiffs are increasingly resorting to the courts to sue commercial organizations following data security breaches, and there is a growing body of U.S. case law on civil liability for these breaches.40 Three groups of plaintiffs are represented in these U.S. lawsuits: the people whose data is compromised, the merchants who suffer charge backs due to the fraudulent purchases made using compromised payment card information,41 and the banks, which are forced to absorb costs such as the mass cancellation and reissuing of credit cards.42 Multiple class actions on behalf of persons whose data has been compromised have also been launched in Canada to recover damages related to data security breaches.43 critique of LoPucki’s proposals see Daniel J. Solove, “Identity Theft, Privacy, and the Architecture of Vulnerability,” (2003) 54 Hastings L.J. 1227. 38 Danielle Keats Citron, “Reservoirs of Danger: The Evolution of Public and Private Law at the Dawn of the Information Age,” (2007) 80 S. Cal. L. Rev. 241 at p. 264. 39 Ibid. at p. 268. 40 Randolph et al. v. ING Life Insurance and Annuity Co. 2007 U.S. Dist. LEXIS 11523 (D.C.); Bell v. Acxiom Corp. 2006 U.S. Dist. LEXIS 72477 (E.D. Arkansas); Richardson v. DSW, Inc. 2005 U.S. Dist. LEXIS 26750 (N.D. Ill.), 2006 U.S. Dist. LEXIS 1840 (N.D. Ill.); Giordano v. Wachovia Securities LLC et al 2006 U.S. Dist. LEXIS 52266 (Dist. N.J.); Stollenwerk et al v. Tri-West Healthcare Alliance 2005 U.S. Dist. 
LEXIS 41054 (Dist. Ariz.); Tracy L. Key v. DSW, Inc. 2006 U.S. Dist. LEXIS 69887 (S.D. Ohio); Hendricks v. DSW Shoe Warehouse Inc. 2006 U.S. Dist. LEXIS 51235 (W.D. Mich.); Kuhn v. Capital One Financial Corp. Inc. 18 Mass L. Rep. 524 (Supt. Ct. Mass); Guin v. Brazos Higher Education Service Corp. Inc. 2006 U.S. Dist. LEXIS 4846 (Dist. Minn.); Forbes v. Wells Fargo Bank 420 F. Supp. 2d 1018 (Dist. Minn, 2006); Jones v. Commerce Bancorp, Inc. et al 2006 U.S. Dist. LEXIS 32067 (S.D. N.Y.); 2006 U.S. Dist. LEXIS 65630 (S.D.N.Y); 2007 U.S. Dist. LEXIS 15343 (S.D.N.Y.); Bell v. Michigan Council 25, 2005 Mich. App. LEXIS 353 (Mich. C.A.); Daly v. Metropolitan Life Insurance Co., 782 N.Y.S. 2d 530 (N.Y. Sup. Ct. 2004); Huggins v. Citibank N.A. et al. 2003 S.C. LEXIS 180 (S. Cal. Sup. Ct.); Major pending U.S. lawsuits include Parke v. Cardsystems Solutions Inc. et al. (filed July 5, 2005, Cal. Sup. Ct. No. CGC-05-442624) and Goldberg v. Choicepoint (filed Feb. 18, 2005, Cal Sup. Ct. Case No. 8C329115), and multiple class actions against TJX Companies Inc. filed in 2007. The TJX Companies Inc. Annual Report for the fiscal year ending January 27, 2007 states that there were eighteen class action lawsuits filed between January 19 and March 23, 2007 in the U.S., Canada and Puerto Rico (see ). 41 See e.g., the claim filed in Parke v. Cardsystems Solutions Inc. et al. (filed July 5, 2005, Cal. Sup. Ct. No. CGC-05-442624) 42 See e.g., AmeriFirst Bank v. TJX Companies, Inc., et al., (filed January 31, 2007, Mass. Dist. Ct. No. 07cv-10169); Sovereign Bank v. BJ’s Wholesale Club Inc and Fifth Third Bankcorp. 427 F. Supp. 2d (M.D. Pa. 2006); Banknorth, N.A. v. B.J.’s Wholesale Club, Inc. 442 F. Supp. 2d 206 (M.D. Pa. 2006); Pennysylvania State Employees’ Credit Union v. Fifth Third Bank and BJ’s Wholesale Club, Inc. 2006 U.S. Dist. LEXIS 40066 (M.D. Pa. 2006); CUMIS Insurance Society Inc. v. BJ's Wholesale Club Inc., No. 051158-J, (Sup. Ct. Mass, Apr. 4, 2005). 43 Taylor et al. v. 
Queen in Right of Saskatchewan (Worker’s Compensation Board) et al.(filed February 3, 2003, Saskatchewan Q.B. No. 243); Speevak v. Canadian Imperial Bank of Commerce (supra note 10); Churchman et al. v. TJX Companies et al. (filed January 31, 2007, Man. Q.B. No. CI-07-01-50449); Ryley

7

With few exceptions, the U.S. lawsuits have been unsuccessful because of several key problems. First, the courts have held that until identity fraud occurs, there is no “actual harm.” The courts hold that claims for the costs of protective measures such as credit monitoring services do not relate to “actual harm” but to the fear of a potential future harm and so they are not recoverable. Second, where identity fraud has occurred, the courts may find that there is no evidence of a causal connection between the disclosure of the personal data and the subsequent identity fraud. This is a problem, for example, where the personal data at issue has been provided to other organizations and so could have been lost or misused elsewhere. Despite this difficulty, at least one plaintiff has been able to establish the necessary causal connection.44 In addition to the foregoing problems reflected in the U.S. cases, two other difficulties might also face plaintiffs in data security breach negligence claims in Canada. One of these problems is that the damages claimed by plaintiffs in this context are usually “pure economic loss,” the recovery of which is restricted in negligence claims. It is, therefore, necessary to explore whether the claims fit within currently recognized categories of recoverable pure economic loss. If not, it is necessary to determine whether the recognition of a novel category of recoverable pure economic loss is justified. Another problem flows from the observation that Canadian courts sometimes refuse to acknowledge a civil cause of action when a comprehensive statutory regime has been created to cover the same matter.45 As a result, it is necessary to consider the effect of legislation such as PIPEDA. In addition, certain provincial privacy statutes directly address civil liability.46 The picture that emerges from this discussion is discouraging to plaintiffs. 
There are many hurdles to be overcome in claiming damages for breaches of data security both in the U.S. and in Canada. Negligence law deals awkwardly with this problem as it does

v. TJX Companies Inc. et al (filed January 19, 2007, B.C. Sup. Ct. No. 07-0278); Howick v. TJX Companies Inc. et al (filed January 19, 2007, Que. No. 500-06-000382-073); Churchman et al. v. TJX Companies Inc. et al. (filed January 19, 2007), Alta. Q.B. No. 0701-00964); Copithorn v. TJX Companies Inc. et al. (filed January 22, 2007, Sask. Q.B. No. 100); Deyannis et al. v. TJX Companies Inc. et al. (filed January 26, 2007, Que. No. 500-06-000385-076); Wong et al. v. TJX Companies Inc. et al. (filed January 26, 2007, Ont. Sup. Ct. No. CV-070-272-00); Bordoff v. CIBC Asset Management Inc. (filed January 23, 2007, Que. No. 500-06-000383-071); 44 Bell v.Michigan Council 25, 2005 Mich. App. LEXIS 353 (Mich. C.A.) [“Bell”] 45 In Board of Governors of Seneca College of Applied Arts & Technology v. Bhadauria [1981] 2 S.C.R. 181, reversing (1979), 105 D.L.R. (3d) 707 (Ont. C.A.), the Supreme Court refused to contemplate a new tort of discrimination on the basis that the Ontario Human Rights Code provided a comprehensive statutory regime that foreclosed the development of a common law remedy. 46 Personal Information Protection Act, S.A. 2003, P-6.5, ss.57, 60; Personal Information Protection Act, S.B.C. 2003, c.63, s.57; Health Information Act, R.S.A. 2000, c. H-5, s.105; Personal Health Information Act, C.C.S.M. c.P33.5, s.62; Health Information Protection Act, S.S. 1999, c. H-0.021, s.61; Personal Health Information Protection Act, 2004, S.O. 2004, c.3, Sched. A, s.71. Section 71 of Ontario’s PHIPA is peculiar, as it purports to prohibit civil actions for damage due to neglect that was “reasonable in the circumstances.” Given that negligence by definition involves unreasonable behaviour, the immunity provided by s.71 appears ineffective. Plaintiffs will argue that they are not suing for damages arising out of reasonable actions, but for unreasonable actions and so their lawsuits fall outside s.71.

8

with other problems of the “information age.” Rustad and Koenig argue that tort law has not kept pace with the need to protect consumers in cyberspace. 47 “Today, the information industry is insulated from paying the true cost of their wrongdoing much like the railroads, canals, utilities, and assembly-line factory industries of nineteenth-century America. Cybertort remedies must expand in order to perform their traditional function of social control in the information age, an era in which the nature of injuries is being transformed. Even in cyberspace, tort law exists to vindicate, not veto, consumer protection. Outmoded immunities, no-duty rules, and defenses should be consigned to the ashbin of history.”48 Although Rustad and Koenig were speaking specifically of internet-based harms, the problem of identity theft is another ill of the information age. The modern explosion of identity theft is a function of the technologies of data storage and processing, which permit the retention of large amounts of data.49 It also flows from the fact that modern life involves a multitude of transactions with strangers and so creates a pervasive need for individual authentication.50 The pattern of tort law’s awkward and uneasy response to the harms of the information age is reflected not just in cyberspace and with respect to identity theft but is also seen in the slow emergence of civil remedies for privacy violations in Canada. Given all of the difficulties facing the plaintiff in seeking damages under common law negligence principles, it may be necessary for the legislature to act to create a statutory right of action. Should courts not manage to craft solutions, the legislatures may do so. For example, a new law in Minnesota requires entities that retain payment card data beyond certain limits to reimburse financial institutions for their costs in the event of a breach in the security of that data.51 Other U.S. states are also considering similar legislation. Bill No. 
21352 was filed in the Massachusetts legislature in early 2007.53 Bill No. 213 includes a provision holding “a commercial entity” liable to banks for the costs of reasonable actions taken in response to actual breaches of data security at 47

Michael L. Rustad and Thomas H. Koenig, “Cybertorts and Legal Lag: An Empirical Analysis,” (2003) 13 S. Cal. Interdis. L.J. 77 at p. 87-88. 48 Ibid. at p.140. 49 Citron, supra note 38 at p.246-247. 50 Solove, supra note 50. 51 An Act An act relating to commerce; regulating access devices; establishing liability for security breaches; providing enforcement powers; proposing coding for new law in Minnesota Statutes, chapter 325E, Minnesota Statutes, Chapter 108-H.F. No. 1758, available at . 52 An Act relative to enhancing the confidentiality and protection of certain consumer information, Massachusetts House Bill No. 213 (2007), available at . 53 Peter J. Howe, “Bill targets retailers for costs to fix data thefts: They say plan would fatten bank profits, not protect public,” Boston Globe (20 February 2007) ; Anne Broache, “Mass. Bill wants stores to pay more in data breaches,” C/NET News.com (23 February 2007), .

9

the commercial entity. It would also hold the commercial entity liable to the banks for the costs of certain enumerated actions taken by the banks as a result of potential breaches of data security (e.g. cancellation or reissuing of credit cards, and refunds or credits to customers for unauthorized transactions).54 This liability cannot be avoided by contract, as it applies “notwithstanding any other provision of law or contract and in addition to any other liability of a commercial entity to a bank…”55 Interestingly, “commercial entity” is defined to include governmental bodies.56 To the extent that governments hold data relevant to the banks, this liability could be considerable given the numbers of citizens interacting with governments.

Financial institutions represent a more powerful lobby than consumers, and it is unclear whether legislatures will also create a more general statutory right of action that is available to consumers. In the absence of a statutory right of action available to consumers, this article will assess the strengths and weaknesses of the common law of negligence in providing a cause of action for those harmed by breaches of data security.

Part II Review of U.S. Case Law

The body of U.S. cases dealing with liability in negligence for breaches of data security has grown fairly rapidly, and cases continue to be brought despite a low rate of success by plaintiffs.57 This low rate is due mostly to several recurrent difficulties facing plaintiffs. The following section will review these difficulties, assessing the arguments in the Canadian context.

The main problems faced by plaintiffs vary according to whether they have suffered identity fraud or not. Where the plaintiff has not yet suffered identity fraud but is concerned about the risk of identity fraud following a data security breach and seeks compensation for monitoring costs, the U.S. courts have tended to consider that no actual harm has yet been suffered. Where the plaintiff has suffered identity fraud, the claim often (but not always) fails because the plaintiff cannot prove that the security breach caused the identity fraud. In both cases, courts may also characterize the harms as pure economic losses, the recovery of which is restricted in negligence.

(a) The problem of establishing that a data security breach caused identity fraud.

Dealing first with cases in which the plaintiffs have suffered identity fraud following a data security breach, several cases illustrate the difficulty of establishing causation.58 In Stollenwerk,59 one of the plaintiffs suffered identity fraud six weeks after computer hard drives were stolen from the defendant’s office. Several accounts were opened in his name and $7,000 was charged to the accounts. The judge noted that the fact that the identity theft occurred after the theft of the hard drives was not enough to establish causation. She noted that the plaintiff had provided the same information that was used to commit the identity fraud to organizations other than the defendant. As a result, an inference of causation would be unreasonably speculative on the evidence provided. She stated, “The mere use of such information in the course of acts of identity fraud, therefore, does not permit a finder of fact to draw the reasonable inference that the unidentified identity thieves obtained it from Defendant.”60

Jones also illustrates how difficult it will be for plaintiffs to establish causation even where identity fraud has occurred. In that case, the plaintiff suffered extensive identity fraud.61 Identity thieves had taken money from her account, attempted to deposit and cash fraudulent cheques in a fraudulent bank account opened in her name, opened a fraudulent utility account, filed and received a “rapid refund” with a fraudulent tax return in her name, falsified her social security record and ruined her credit rating. The plaintiff struggled to establish causation, suggesting that the information used to obtain a fraudulent cheque from her insurance company was only possessed by the defendant bank. As a result, she argued, the defendant “must have committed a negligent breach of duty.”62 The Court rejected this argument, which it characterized as an invocation of the doctrine of res ipsa loquitur. The plaintiff appears to have lost this argument for two reasons. First, the court doubted that the information in question was solely in the control of the defendant. However, it appears that she would have lost the argument even if the information had been solely in the control of the defendant, as she could not point to any act of negligence on the defendant’s part and the Court was unwilling to accept that identity fraud is a kind of event that would ordinarily occur only if there had been negligence on the defendant’s part.63

“Plaintiff avers, in essence, that Commerce must have committed a negligent breach of duty because the combination of personal information used to fraudulently attain a check from Plaintiff’s insurance company was only possessed by Commerce, and no other institutions or entities. However, it cannot be said that the identity theft here is an event that “ordinarily does not occur in the absence of someone’s negligence,” just as it cannot be generally said that criminal activity requires some prior negligence to succeed. The thieves might well have stolen Plaintiff’s information without any negligence on the part of Commerce.”64

54 Supra note 52 at s.4.
55 Ibid.
56 Ibid. at s.1(2).
57 Supra note 40.
58 The plaintiffs in Jones and Kuhn (supra note 40) failed, in part due to inadequate evidence of causation even though they had suffered identity fraud.
59 Stollenwerk, supra note 40.

60 Ibid.
61 Jones, supra note 40.
62 Ibid. at 5-6. The judgment quotes the plaintiff as follows: “The key pieces of information used to create the fraudulent [State Farm Insurance] check(s) could have only come from Commerce, thereby linking Commerce to unauthorized access, theft and/or unlawful disclosure of my confidential information.”
63 Ibid. at 12.
64 Ibid. at 12.


Not all plaintiffs have been unsuccessful. In Bell v. Michigan Council 25,65 the plaintiffs were members of the defendant union. The treasurer of the union took the plaintiffs’ personal information home. The treasurer’s daughter was later convicted of identity fraud after a notebook was found in her possession listing the names, social security numbers and drivers’ license numbers of the plaintiffs as well as the fraudulent purchases made in their names. The plaintiffs succeeded in their arguments that the union owed them a duty to protect their personal data against misuse by third parties, that the union had been careless in failing to protect their personal data, and that this negligence had facilitated the identity theft.

The Bell case involved unusually good evidence of causation. In many cases, the causation element will create a considerable difficulty for plaintiffs. The personal information used for identity theft is often provided to more than one organization. It can also be stolen using spyware,66 phishing websites, or unpublicized breaches of security at other organizations. It will be difficult for a plaintiff to obtain the necessary evidence of how the criminal who defrauded him or her obtained the relevant personal information. Nevertheless, the Bell case does indicate that where good evidence of causation exists, plaintiffs may be able to recover for negligent handling of personal data that later results in identity fraud.

Furthermore, it appears that banks may provide some assistance to plaintiffs, at least with respect to breaches in the security of payment card data at retailers. Very quickly after the public announcement of the TJX Companies Inc. security breach, a banking association began to announce publicly that its members had linked fraudulent credit card purchases to the security breach.67 This willingness to make public statements may reflect the banks’ growing unhappiness over having to bear the costs of preventive measures such as canceling compromised payment cards.68 Public announcements of this type might provide some assistance to individual plaintiffs who are seeking to establish causation. However, the utility of this information to plaintiffs may be limited. Individual credit card holders are unlikely to suffer significant losses resulting from credit card fraud due to contractual limitations of liability favouring the card holders. With respect to identity fraud relating to bank accounts or debit cards, the banks’ interest in publicly announcing that they have traced the fraud to a third party’s security breach may vary somewhat according to the terms of their contracts with their banking customers. Should the contracts leave some responsibility for the relevant transactions to customers, some banks may find it worthwhile to keep quiet.

65 Bell v. Michigan Council 25, supra note 40.
66 Graeme Wearden and Tom Espiner, “Thousands of Brits fall victim to data theft,” CNET news.com (10 October 2006), describing the discovery of a computer holding the personal information gathered using a “backdoor” program on the computers of 2300 Britons.
67 Allan Holmes, “The TJX security breach. This one’s different. Way different,” CIO Blogs (1 February 2007); Sinclair Stewart, “Winners security breach hits home,” Globe and Mail.com (25 January 2007), .
68 Holmes, ibid.


(b) The problem of showing “actual harm” where identity fraud has not yet occurred.

The situation for plaintiffs whose data has been negligently exposed, but who have not yet suffered identity fraud, is different. Their challenge is not in establishing causation, as they are not attempting to link the data security breach to subsequent identity fraud by an unknown third party. Instead, they run into trouble because courts question whether the exposure to increased risk of identity fraud is “actual harm.” Since a showing of actual or imminent harm is an essential element of a negligence cause of action, the courts have rejected their claims.69

Of course, plaintiffs dispute the suggestion that the disclosure of their personal information is not a present injury. They point to the immediate monetary and emotional costs, and suggest that the injury can be valued economically as the cost of reasonable protective measures. They often seek damages for mental distress as well as compensation for the time lost in closing accounts, contacting credit bureaus and reviewing credit reports, and the financial cost of protective services such as credit monitoring services or identity theft insurance. Nevertheless, courts have been generally unreceptive. The court in Forbes put it this way: “[T]he plaintiffs’ injuries are solely the result of a perceived risk of future harm. Plaintiffs have shown no present injury or reasonably certain future injury to support damages for any alleged increased risk of harm. For these reasons, plaintiffs have failed to establish the essential element of damages.”70

Some courts express the concern that, in many cases, it is not known whether the data that has been carelessly exposed has actually fallen into criminal hands or will be used to commit identity fraud. For example, in cases where laptops are stolen, the courts’ expectation seems to be that the thieves are interested in the hardware and that the hard drives are more likely to have been simply wiped clean.71 In Randolph, which involved a stolen laptop, the Court stated that, “Plaintiffs clearly allege that their Information was stolen by a burglar, but they do not allege that the burglar who stole the laptop did so in order to access their Information, or that their Information has actually been accessed since the laptop was stolen. Plaintiffs’ allegations therefore amount to mere speculation that at some unspecified point in the indefinite future they will be the victims of identity theft.”72 In another case, a court was unwilling to conclude that identity fraudsters had acquired personal information contained in a UPS package that was lost in transit.73 The package could simply have been lost or destroyed. The court in Stollenwerk addressed this type of uncertainty by indicating that, “[a]bsent evidence that the data was targeted or actually accessed, there is no basis for a reasonable jury to determine that sensitive personal information was significantly exposed.”74 It appears that the Randolph and Stollenwerk courts would have treated the matter differently if there had been evidence that the data had clearly been targeted or accessed. One assumes that this would include cases in which hackers break into databases of personal information, or in which criminals pose as legitimate subscribers to a data broker’s database of personal consumer information (as in the Choicepoint security breach). In these cases, the likelihood of harm is less speculative because data has clearly been targeted and accessed.

However, other courts have refused to permit recovery even where there was evidence that data was deliberately targeted by hackers. The DSW Inc. cases arose when hackers broke into DSW’s computerized payment systems, in which the retailer maintained the credit and debit card numbers, chequing account numbers and driver’s licenses of about 1.5 million customers. In the Key v. DSW Inc. case, the judge stated that the plaintiff had failed to show that a third party intended to make fraudulent use of her identity. “Plaintiff’s claims are based on nothing more than a speculation that she will be a victim of wrongdoing at some unidentified point in the indefinite future.”75 In Hendricks v. DSW Inc., the court characterized the plaintiff’s claim as an entitlement to damages “to buy peace of mind, or to help her determine if and when a claim accrues through actual loss.”76

The plaintiffs have tried to respond in another way. They point to the so-called “medical monitoring” cases in which some courts have permitted plaintiffs to recover the costs of medical monitoring after exposure to toxic chemicals (e.g. PCBs, asbestos, and drugs found to have harmful but latent side effects). The data security breach plaintiffs argue that their situation is analogous.

69 See e.g., Giordano, supra note 40, Forbes, supra note 40, Randolph, supra note 40.
70 Forbes, supra note 40.
71 Stollenwerk, supra note 40; Guin, supra note 40.
72 Randolph, supra note 40 at p.19.
73 Giordano, supra note 40.

The U.S. courts have so far been unreceptive to this argument. They have stated that in the medical monitoring cases, there is evidence of actual exposure to the toxin (even though the subsequent development of disease is uncertain), whereas in the data security breach cases, there may not be evidence that the data has even been “exposed” to thieves77 or that a third party intends to make unauthorized use of the information.78 Defendants have also argued that the policy concerns at issue in medical monitoring cases are different from those in data security breach cases. They argue that the interest in data security is not as compelling as the interest in preserving public health.79 Furthermore, they argue, any injury from identity theft can be fully compensated with money once it arises, whereas harm to health cannot be fully compensated monetarily.80

There are two key distinctions being drawn between the medical monitoring cases and the data security breach cases. First, they differ in how certain we are that the present exposure will result in future harm. In the medical context, we know that there is a present significant exposure to a toxin that is known to produce disease in a certain number of cases. In the data security breach context, we do not necessarily know if the data has been taken or just destroyed. However, where we do know that data has been targeted or, even more compelling, a proportion of the data has been used in identity fraud, the analogy between medical monitoring and data security breach cases is more persuasive. Second, the two contexts are said to differ in relation to the public policy interests at issue. The court in Stollenwerk found that human health is more compelling an interest than financial health, and that the harm caused by a data security breach could be completely remedied once it occurs with money damages while harm to health cannot. However, given the harmful effects of financial insecurity and fraudulent impersonation on human health and psychological well-being, these apparently self-evident conclusions are questionable.

The policy reasons for which some courts have permitted the recovery of medical monitoring expenses would seem to apply in the data security breach context. In the U.S. Supreme Court’s decision in Metro-North Commuter Railroad Co. v. Buckley,81 the court expressed a concern that the recognition of medical monitoring claims might lead to a flood of awards that might deplete the funds available to compensate those suffering actual harm.

74 Stollenwerk, supra note 40 at p.12.
75 Key, supra note 40 at p.17.
76 Hendricks, supra note 40, at p.11.
77 Giordano, supra note 40; Stollenwerk, supra note 40; Forbes, supra note 40.
78 Key, supra note 40.

As a result, the court expressed approval of the limitations and cautions built into certain judicial decisions that recognized damages for medical monitoring (e.g. court-supervised funds to administer medical monitoring costs). Despite its concerns regarding medical monitoring awards, it acknowledged the policy considerations that had led some state courts to provide a remedy, including the unfairness of requiring the negligently-exposed plaintiff to bear the cost of monitoring. To this, one could add the importance of deterring and discouraging behaviour that puts others at risk. The Court in the case of In re Paoli Railroad Yard PCB Litigation raised the importance of deterrence as a function of the tort system.

“The policy reasons for recognizing this tort are obvious. Medical monitoring claims acknowledge that, in a toxic age, significant harm can be done to an individual by a tortfeasor, notwithstanding latent manifestation of that harm. Moreover, as we have explained, recognizing this tort does not require courts to speculate about the probability of future injury. It merely requires courts to ascertain the probability that the far less costly remedy of medical supervision is appropriate. Allowing plaintiffs to recover the cost of this care deters irresponsible discharge of toxic chemicals by defendants and encourages plaintiffs to detect and treat their injuries as soon as possible. These are conventional goals of the tort system as it has long existed in Pennsylvania.”82 [emphasis added]

These policy arguments in favour of the recovery of monitoring expenses apply in the context of data security breaches. The early detection of identity fraud reduces the harm to the plaintiff as well as the harm that ramifies throughout the economy through credit card charge backs. It is also likely that liability for monitoring expenses might help to deter unreasonable carelessness and lead organizations to take better care of sensitive information. The U.S. Supreme Court’s concern about a flood of awards seems less acute in the data security breach context than in the case of the discharge of a toxin into the environment. The group of plaintiffs in a data security breach case is circumscribed rather than indeterminate and unlimited. A defendant is able to constrain its exposure by limiting the amount of information it retains.

There has been some discussion of medical monitoring claims in Canadian cases. In Wilson v. Servier Canada Inc.83 the court considered a class certification application dealing with weight loss drugs that were withdrawn from the market due to concern over life-threatening side effects.

79 Stollenwerk, supra note 40: The court found this to be a persuasive argument, noting that “[i]t is, in large part, this public health interest that justifies departure from the general rule that enhanced future risk of injury cannot form the sole basis for a negligence action.”
80 Ibid.
81 521 U.S. 424 (1997).

The plaintiff sought to recover damages for the costs of medical screening and diagnosis, including any subrogated claims by provincial and private health benefit insurers.84 The defendants objected that Canadian tort law does not permit plaintiffs to recover medical expenses to detect a possible injury, and further that merely creating a risk of injury is not actionable.85 The court noted that U.S. cases on the recovery of medical monitoring costs were conflicting, but that plaintiffs have been successful where they have proved their exposure to a toxic substance that causes a significantly increased risk of contracting a serious latent disease.86 The court ruled that the recoverability of medical monitoring costs was a suitable common issue for the purpose of the class certification hearing.87 The court commented further that it was arguable that plaintiffs ought to be compensated for the medical screening made necessary by the exposure.

“If it is proven that exposure to a toxic substance significantly increases the risk of contracting a serious disease it is arguable that persons exposed to that toxic substance – even if medical screening ultimately determines that they have not contracted the associated disease – should be compensated for the cost of medical screening made necessary by their exposure. (It has been noted that Health Canada’s advisory issued September 15, 1997 recommended that persons who had taken either drug should consult their physician immediately.)”88

The certification of the class action was upheld by the Divisional Court,89 but eventually culminated in a settlement.90

The plaintiffs in data security breach cases are in a very difficult position. They are instructed by the defendants (as well as by government bodies91) to take certain measures to protect themselves against identity fraud following a data security breach. This suggests that the measures are reasonable. Should identity fraud occur, they will be expected to have taken reasonable steps to mitigate their damages, likely including the recommended self-protective measures. In other words, the plaintiffs must incur this expense without a very strong likelihood of being able to recover it if they succeed in preventing identity fraud, or of being able to recoup it later once identity fraud occurs, since causation is so difficult to establish. Meanwhile, the negligent defendant transfers the cost of the data security breach to the innocent plaintiffs. Although U.S. case law to date suggests that plaintiffs face a steep uphill battle in attempting to obtain damages to cover the cost of self-protection measures such as credit monitoring services or identity theft insurance, it is to be hoped that Canadian courts will note the advisability of causing careless organizations to internalize the costs of their own carelessness. In this way, the organizations will hopefully be encouraged to adopt reasonable safeguards to protect sensitive data in their care or to limit the amount of data that they retain.

Part III Liability for Data Security Breaches in the Canadian Context

It is likely that the problems facing U.S. plaintiffs that were outlined above will also arise in Canada. Another problem that is mentioned from time to time in the U.S. cases is the “pure economic loss” rule, which restricts the recovery of pure economic losses in negligence.92 This issue will also arise in Canada, as will be discussed below. In addition, another interesting issue that arises in Canada is the question of whether plaintiffs are obliged individually to follow the procedure set out in legislation such as PIPEDA rather than resorting to a class action before the courts. These procedural restrictions may arise by virtue of the decision in Board of Governors of Seneca College v. Bhadauria93 in which the Supreme Court of Canada rejected a novel common law tort claim where the legislature had created a comprehensive statutory scheme to deal with the matter at issue. If plaintiffs are forced to use the PIPEDA procedure this would greatly reduce the deterrent impact of civil liability on careless data security. Finally, it is worthwhile addressing the suggestion that defendants should not be responsible for the intervening criminal acts of third parties who steal data or commit identity fraud. This section will address these issues in turn.

(a) The Recovery of Pure Economic Loss

A “pure economic loss” is a loss that is not associated with physical injury to the plaintiff’s own person or property.94 Canadian tort law has developed special rules regarding the recoverability of pure economic loss in negligence cases. It would seem that the harm associated with data security breaches and identity fraud is most often pure economic loss. This might include the cost in time and money of preventing or restoring damage to credit and the cost of defending against collection attempts.95 In some cases, the breach of data security has been associated with subsequent personal physical injury, including murder.96 This is fortunately rare. Most plaintiffs allege mental distress as a result of the breach, which would count as physical injury rather than pure economic loss. However, the mental distress rarely rises to the level that seems to be required to provide a basis for a negligence action (i.e., mental distress manifesting itself in a diagnosable illness). Nevertheless, mental distress to the requisite degree may occur in some cases.

82 In re Paoli Railroad Yard PCB Litigation 916 F.2d 829 (3rd Cir. 1990) at p. 852.
83 [2000] O.J. No. 3392 (Ont. S.C.J.)
84 Ibid. at para 127.
85 Ibid. at paras. 129-130.
86 Ibid. at para. 132.
87 Ibid. at para. 133.
88 Ibid.
89 Wilson v. Servier Canada Inc. (2000), 52 O.R. (3d) 20 (Ont. Div. Ct.)
90 Wilson v. Servier Canada Inc. (2005), 252 D.L.R. (4th) 742 (Settlement Order). The settlement agreement is available at .
91 Privacy Commissioner of Canada, “Identity Theft – a Primer,” (March 2007), ; Federal Trade Commission, “What to do if your personal information has been compromised,” (March 2005) .
92 See Johnson, supra note 19 at p. 296, for a discussion of this issue under the different rules applicable in the United States.

The plaintiff in Jones alleged that she had suffered the aggravation of a psychiatric condition as a result of the identity theft, which forced her to close her business.97 The Jones court did not address whether this loss was compensable since the plaintiff’s claim failed for lack of evidence of causation, the bank having replaced the funds taken from the plaintiff’s account and there being no evidence linking the extensive identity theft to a security breach at the defendant bank. Randolph et al v. ING Life Insurance and Annuity Co.98 suggests that other forms of personal injury claims might be possible in appropriate cases. The plaintiffs in Randolph argued, inter alia, that the personal safety of police personnel was at risk following the theft of the plaintiffs’ personal information (including names and addresses). Personal injury claims might also arise where personal information is used by stalkers to locate their victims.99 Johnson also proposes a hypothetical property damage claim where a newspaper’s records are hacked to permit burglars to determine who is away on vacation.100

However, in most cases the losses resulting from a data security breach relate to the costs in time and money of preventing identity fraud (e.g. closing accounts, monitoring credit reports, purchasing insurance or identity theft prevention services) or remedying the consequences of identity fraud (e.g. the considerable amounts of time and effort required to restore damaged credit, or the purchase of services to assist with this effort). These appear to be pure economic losses.

A plaintiff might attempt to avoid the characterization of the harm as “pure economic loss” by arguing that personal information is a form of property which can be “damaged” by being disclosed. This seems unlikely to succeed given that Canadian precedent suggests that data loss is pure economic loss that is not recoverable. In Seabord Life Insurance Co. v. Babich [1995] B.C.J. No. 1868 (B.C.S.C.), the defendant knocked over a wooden hydro pole causing a power outage that interrupted the plaintiff’s computer system and caused the loss of some data, which had to be re-entered into the system. The court held that the data loss was a pure economic loss rather than property damage. The court further declined to award damages for pure economic loss due to the policy concern that such an award would expose the defendant to indeterminate liability as any number of potential plaintiffs might have been affected by the power outage, and because the court felt that the proximity between the defendant and plaintiff was insufficient.

The question then remains: If the damages at issue in breaches of data security are “pure economic loss,” are they recoverable? Common law courts have historically been reluctant to grant recovery of pure economic losses in negligence.

93 Supra note 45.
94 Bruce Feldthusen, Economic Negligence, 4th ed., (Scarborough: Carswell, 2000), at p.1.
95 Johnson, supra note 19 at p.299, footnote 296, suggesting that victims might also have to bear opportunity costs resulting from bad credit, such as higher interest and lower credit limits.
96 Remsburg v. Docusearch, Inc. 816 A.2d 100 (N.H. 2003), which dealt with the sale of personal information about a woman to a stalker who used it to locate and murder her.
97 Jones v. Commerce Bank, N.A. et al. 2006 U.S. Dist. LEXIS 65630 (S.D.N.Y. 2006) at p. 4-8.
98 Supra note 40.
99 Supra note 96.

The policy concerns underlying this reluctance are the fear of imposing ruinous and indeterminate liability on defendants out of proportion with their degree of fault,101 the fear that lawsuits will proliferate and absorb excessive amounts of scarce judicial resources,102 the need to respect and protect contractual allocations of loss, and the desire to preserve the vigorous free market competition that might be discouraged by the prospect of liability for the negligently-inflicted pure economic loss of a competitor.103 In addition, pure economic losses are viewed as “less compelling of protection than bodily security or proprietary interests.”104

100 Johnson, supra note 19 at p. 294.
101 This concern was expressed by Justice Cardozo in Ultramares Corp. v. Touche (1931), 174 N.E. 441, 255 N.Y. 170 (C.A.), where he noted the risk of ruinous and open-ended liability “…in an indeterminate amount for an indeterminate time to an indeterminate class.” The Supreme Court of Canada considers the “spectre of unlimited liability to an unlimited class” when deciding whether to recognize a novel duty of care in negligence (Cooper v. Hobart (2001), 206 D.L.R. (4th) 193 (S.C.C.)), and when deciding whether to permit the recovery of pure economic loss in a novel context (“the scope of indeterminate liability remains a significant concern underlying any analysis of whether to extend the sphere of recovery for economic loss” (Martel Building Ltd. v. Canada (2000), 193 D.L.R. (4th) 1 (S.C.C.)).
102 Supra note 94 at p.11.
103 John G. Fleming, The Law of Torts, 9th ed., (Sydney: Law Book Co. Ltd., 1998) at p.193.
104 Martel Building Ltd. v. Canada (2000), 193 D.L.R. (4th) 1 (S.C.C.) [“Martel”].

Nevertheless, Canadian law now recognizes various categories of recoverable pure economic loss, including those resulting from negligent misrepresentation, negligent performance of a service, negligent supply of shoddy goods or structures, relational economic loss and the liability of statutory authorities.105 Several of the established categories of recoverable pure economic loss may be relevant in the data security breach context, namely liability for negligent misrepresentations and liability for negligent performance of a service. In order to establish a claim in negligent misrepresentation, the plaintiff must establish (1) that there is a duty of care based on a "special relationship" between the representor and the representee; (2) that the representation in question was untrue, inaccurate, or misleading; (3) that the representor acted negligently in making the misrepresentation; (4) that the representee relied, in a reasonable manner, on the negligent misrepresentation; and (5) that the reliance was detrimental to the representee in the sense that damages resulted.106 The duty of care mentioned in element (1) is established by showing a prima facie duty of care, and that the prima facie duty of care is not negatived or limited by policy considerations.107 In order to establish the prima facie duty of care, the plaintiff must show that the defendant ought reasonably to have foreseen that the plaintiff would rely on his or her representation and that the plaintiff’s reliance was reasonable in the circumstances of the case.108 At the second stage, the court will address policy considerations, of which the major concern in negligent misrepresentation cases is indeterminate liability.109 Liability for negligent misrepresentation seems appropriate for certain data security breaches, particularly those in which a defendant has claimed through its privacy policy or otherwise that it uses reasonable measures to protect personal information. 
A plaintiff will need to show that he or she was aware of the representation and provided personal information in reliance on the representation. The concern over indeterminate liability is certainly less persuasive in this context than in the auditor liability context at issue in cases such as Hercules Management.110 Liability in the data security breach context may be large but it is determinate in certain ways. The breach will affect a bounded number of persons (although it may be less clearly bounded in time or with respect to the value of the individual losses). In addition, a defendant in the data security breach context has much greater control over potential liability than an auditor who cannot control who will choose to rely on audited financial statements that are made public. Organizations that hold data can restrict the amount and type of data they hold in order to limit their liability in the event of a security breach. The possibility of indeterminate and disproportionate liability might also be addressed by restricting the recovery to certain types of damages. Johnson would restrict recoverable damages to the

105 Ibid., at para. 38.
106 Queen v. Cognos, [1993] S.C.J. No. 3, at para. 33.
107 Hercules Management Ltd. v. Ernst & Young, [1997] S.C.J. No. 51.
108 Ibid. at para. 24.
109 Ibid. at para. 31.
110 Ibid.

out-of-pocket expenses involved with preventing or remedying identity fraud, denying recovery for lost time and opportunities lost due to bad credit.111 In his view, the danger of indeterminate and disproportionate liability is too great particularly with respect to opportunity costs.112 Liability for the negligent performance of services is also recognized as giving rise to recoverable pure economic loss, and may offer another basis upon which to argue that pure economic losses are recoverable for negligently-caused data security breaches. If neither of these established categories seems well-suited to the data security breach situation, this is not the end of the inquiry as the Supreme Court has stated that new categories of recoverable pure economic loss can be recognized in appropriate cases. It has set out a framework for doing so in Martel Building Ltd. v. Canada.113 The approach used is the familiar two-stage Anns test, as more recently developed and clarified in Cooper v. Hobart.114 The first stage focuses on the question of whether there is a prima facie duty of care because the harm to the plaintiff was reasonably foreseeable and a relationship of proximity existed between plaintiff and defendant. Cooper v. Hobart offered some guidance on the meaning of proximity. “Defining the relationship may involve looking at expectations, representations, reliance, and the property or other interests involved. Essentially, these are factors that allow us to evaluate the closeness of the relationship between the plaintiff and the defendant and to determine whether it is just and fair having regard to that relationship to impose a duty of care in law upon the defendant.”115 At the second stage of the inquiry, the court determines whether there are remaining policy reasons to refuse to recognize a duty of care. 
These residual policy considerations “are not concerned with the relationship between the parties, but with the effect of recognizing a duty of care on other legal obligations, the legal system and society more generally. Does the law already provide a remedy? Would recognition of the duty of care create the specter of unlimited liability to an unlimited class? Are there other reasons of broad policy that suggest that the duty of care should not be recognized?”116 In my view, the case for the recovery of pure economic loss in the context of data security breaches is fairly strong. Even if the categories for negligent misrepresentation or the negligent performance of a service are unsuitable, a case can be made for a new category of recoverable pure economic loss.

111 Johnson, supra note 19 at p. 301-302.
112 Ibid. at p. 302: “To say that a negligent database possessor should be liable to a broad class of persons for all of their lost opportunities - as well as out-of-pocket and perhaps other damages - would quickly pose a serious risk of liability disproportionate to fault.”
113 Martel, supra note 104 at para. 39 et seq.
114 Cooper v. Hobart, [2001] 3 S.C.R. 537.
115 Ibid. at para. 34.
116 Ibid. at para. 37.


It is eminently foreseeable that lax security standards might result in the compromise of personal data that is in the care and control of an organization, and that this would expose the data subjects to the risk of identity theft. With respect to whether there is a relationship of proximity, such that it is “just and fair” to impose a duty of care, a plaintiff relies on the custodian of his or her personal information to use reasonable safeguards to protect it. Furthermore, a plaintiff is entitled to expect that reasonable safeguards will be employed given that data custodians are obliged to do so under statutes such as PIPEDA. To this one might add that the custodian of the information normally voluntarily assumes this responsibility – it need not take and store another person’s personal information. In the business context, it does so presumably because doing so is economically advantageous. As a result, a prima facie case can be made based on foreseeability of harm as well as a relationship of proximity founded on reliance and reasonable expectations. With respect to the existence of policy reasons to negative or limit the prima facie duty of care, it is true that other remedies are available such as those available under PIPEDA. However, the enforcement regime offered by PIPEDA may be inadequate to deter the careless handling of data.117 The deterrence of unreasonably careless conduct is also a policy reason favouring imposition of liability in this context.118 Johnson makes the point that liability in this case ought not to catch holders of data by surprise given they are already obliged under statute to adopt reasonable data safeguards.119 With respect to the specter of indeterminate liability (a key policy concern underlying judicial reluctance to permit the recovery of pure economic loss), as discussed above, recovery for data security breaches does not create uncontrollable and indeterminate liability.

(b) The Effect of Statutory Data Safeguard Requirements on the Negligence Claim

The plaintiff in a negligence claim must establish that the defendant owed him or her a duty of care. The question in this context, then, is whether holders of personal data owe a duty of care to the data subjects to take reasonable measures to protect that data from disclosure. A duty of care may be created by statute or by judges through the application of common law principles. In California, a statutory cause of action has been enacted in the Civil Code. Section 1798.81.5(b) provides that a business must “implement and maintain reasonable security procedures and practices appropriate to the nature of the [personal] information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”120 Section 1798.84 makes the statutory protection nonwaivable, and provides that a customer injured by a violation of the statute may bring a

117 The efficacy of the ombudsman model contained in PIPEDA has been raised in the current statutorily-mandated review of the Act. Privacy Commissioner of Canada, “PIPEDA Review Discussion Document” (July 2006) <http://www.privcom.gc.ca/information/pub/pipeda_review_060718_e.asp#008>.
118 See the discussion of policy issues from the American perspective in Johnson, supra note 19 at p. 276-277.
119 Ibid. at p. 277.
120 California Civil Code, § 1798.81.5(b). Note that certain institutions are excepted from this provision by § 1798.81.5(e).


civil action for damages.121 Although an explicit statutory cause of action helps to settle the question of whether there is a duty of care, the California Civil Code provisions have been criticized for not providing direction on what security practices and procedures are required and for not making it clear what forms of damages may be recovered.122 In particular, there is uncertainty over whether damages for emotional distress and pure economic loss are recoverable under the statute.123 Where there is no explicit civil cause of action within the statute, a duty of care may still be found according to common law negligence principles. Any applicable statutes will be relevant to this inquiry even if they don’t explicitly mention a civil cause of action. In Canada, a statutory requirement may provide evidence of a duty of care in negligence.124 On the other hand, the Supreme Court of Canada has held that where the legislature has created a complete code to deal with a particular problem, the common law courts may not create a parallel set of common law remedies that would undermine the legislature’s attempt to address the problem.125 It is accordingly necessary to consider Canadian laws that impose requirements to safeguard personal data in order to determine their effect on a possible negligence cause of action. A number of statutes are relevant to data security breaches in Canada. The federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) creates obligations relating to the handling of personal information, including an obligation to use reasonable safeguards to protect the information.126 PIPEDA applies in all provinces except Alberta, British Columbia and Quebec, which have enacted their own “substantially similar” legislation. Ontario has enacted “substantially similar” legislation applicable only to personal health information. 
These provincial acts also impose obligations to use reasonable safeguards to protect data.127 The question arises about the effect of this legislation on the common law action in negligence. As the Supreme Court of Canada has indicated, “[t]o determine what interaction there is between the common law and statute law, it is necessary to begin by analyzing, identifying and setting out the

121 Cal. Civ. Code, § 1798.84(a) and (b).
122 Johnson, supra note 19 at p. 265-266.
123 Ibid.
124 R. v. Saskatchewan Wheat Pool, [1983] 1 S.C.R. 205.
125 Supra note 45.
126 Supra note 17. Principle 7 provides that “personal information shall be protected by security safeguards appropriate to the sensitivity of the information.” The security safeguards must protect against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. Section 4.7.3 indicates that the methods of protection should include (a) physical measures (e.g. locked cabinets and limiting physical access), (b) organizational measures (e.g. security clearance, and limiting access on a “need to know” basis), and (c) technological measures (e.g. encryption and passwords). Organizations must make their employees aware of the importance of maintaining confidentiality (4.7.4) and must take care in the disposal or destruction of information to prevent access by unauthorized parties (4.7.5).
127 Personal Information Protection Act, S.A. 2003, c. P-6.5, s. 34; Personal Information Protection Act, S.B.C. 2003, c. 63, s. 34; An Act respecting the protection of personal information in the private sector, R.S.Q. c. P-39.1, s. 10; Personal Health Information Protection Act, S.O. 2004, c. 3, s. 12.


applicable common law, after which the statute law's effect on the common law must be specified by determining what common law rule the statute law codifies, replaces or repeals, whether the statute law leaves gaps that the common law must fill and whether the statute law is a complete code that excludes or supplants all of the common law in the specific area of law involved.”128 Setting aside the provincial legislation for the purpose of the analysis in this article, PIPEDA creates a fairly comprehensive scheme for the protection of personal information in the private sector. It describes obligations and provides a scheme to enforce the obligations. The Supreme Court has indicated that when the legislature creates a comprehensive scheme to govern a particular matter, the courts are foreclosed from developing common law remedies in tort.129 If this precedent applies in the case of PIPEDA, those affected by a data security breach may be required to go through the PIPEDA process, including a complaint to the Privacy Commissioner followed by an application to the Federal Court for damages, rather than being able to proceed directly with a civil lawsuit outside the PIPEDA scheme. The significance of this is that PIPEDA appears to not permit a class action on behalf of those affected by a breach of data security. First, s.14(1) of PIPEDA specifies that a complainant may bring an application, rather than an action before the Federal Court. Second, the current interpretation of PIPEDA appears to prevent a representative of a group from proceeding before the Federal Court on behalf of the group. In Turner v. Telus Communications Inc.,130 the Federal Court considered the standing of a union to apply for a hearing before the Federal Court under s.14(1) of PIPEDA. Section 14(1) provides that “a complainant” may apply to the Court for a hearing after receiving the Privacy Commissioner’s report. 
The Court first noted that s.11(1) of PIPEDA provides that “an individual” may file a written complaint with the Privacy Commissioner.131 Both Telus and the Privacy Commissioner argued that the union was not entitled to file a complaint since it was not “an individual.”132 The Court accepted that this union was not “an individual” although it left open the question of whether a union could be “an individual” where a collective agreement between the union and employer authorized it to represent its members for the purposes of PIPEDA.133 However, in this case, the union was not “an individual” and had not made a complaint under s.11(1). As a result, it was not a “complainant” under s.14(1) and was not entitled to apply to the Federal Court for a hearing. Although Turner is not strictly on point, this case suggests that an individual complainant would not be entitled to represent others in a hearing before the Federal Court or in a complaint to the Privacy Commissioner. If those affected by a data security breach must proceed individually through the PIPEDA process before individually attempting a claim for damages before the Federal

128 2747-3174 Québec Inc. v. Quebec (Régie des permis d'alcool), [1996] S.C.J. No. 112, at para. 97.
129 Supra note 45.
130 Turner v. Telus Communications Inc., [2005] F.C.J. No. 1981.
131 Ibid. at para. 34.
132 Ibid.
133 Ibid. at para. 37.


Court, the legal repercussions for negligent data custodians are likely to be significantly lessened. In those cases where plaintiffs have not yet suffered identity fraud and are seeking only the costs of credit monitoring, it is less likely that they will be willing to incur the expense of proceeding alone in Federal Court. This type of loss is the kind of small but widespread loss that is economically suited to the class action mechanism. Therefore, the consequence of forcing plaintiffs into the PIPEDA process may be to remove the deterrent impact of civil liability for unreasonably insecure data handling practices. Returning then to the question of whether the enactment of PIPEDA forecloses the availability of a parallel common law remedy before the courts, it is necessary to consider the Supreme Court’s decision in Board of Governors of Seneca College of Applied Arts & Technology v. Bhadauria.134 In Bhadauria, the Supreme Court overturned the Court of Appeal’s recognition of a new intentional tort of discrimination because the Ontario Human Rights Code had established a comprehensive procedure for the vindication of the rights affected and the public policy at issue. As noted above, PIPEDA too creates a reasonably comprehensive set of obligations and an enforcement mechanism. The Supreme Court applied the Bhadauria rule in a different context in Frame v. Smith.135 In that case, the Supreme Court considered the claim by a father for damages resulting from his estranged wife’s alleged frustration of his right of access to his children. The Court stated that courts have been reluctant to recognize a tort to govern this situation, and that, in any event, this claim had been overtaken by legislation that dealt in a comprehensive manner with the issues arising from the custody of children. 
The statutory scheme provided courts with a range of powers to enforce custody arrangements and to impose fines and imprisonment for the obstruction of court orders relating to custody or access. The Court found the situation in Frame to be analogous to that in Bhadauria, as both involved a comprehensive statute that had been enacted to deal with the problem “in the face of rudimentary common law development.”136 There was no need to supplement the comprehensive statutory scheme with “common law accretions” which might undermine the statutory scheme.137 Does PIPEDA foreclose the recognition of liability in negligence for data security breaches because PIPEDA already imposes an obligation to protect data security and a system for enforcing that obligation? Despite Bhadauria, there are two reasonable arguments to suggest that PIPEDA does not foreclose civil liability in this context. First, a claim in negligence for damages resulting from data security breaches does not seek to have the court recognize a new tort, nor is this a situation of “rudimentary common law development.” Instead, the claim is based on the well-established tort of negligence. In Bhadauria, Laskin C.J.C. appeared to distinguish

134 Supra note 45.
135 (1987), 42 D.L.R. (4th) 81 (S.C.C.).
136 Ibid. at para. 13.
137 Ibid. at para. 15.


negligence from the claim raised by the plaintiff, which he characterized as novel and unrelated to existing legal duties. “It is one thing to apply a common law duty of care to standards of behaviour under a statute; that is simply to apply the law of negligence in the recognition of so-called statutory torts. It is quite a different thing to create by judicial fiat an obligation--one in no sense analogous to a duty of care in the law of negligence--to confer an economic benefit upon certain persons, with whom the alleged obligor has no connection, and solely on the basis of a breach of a statute which itself provides comprehensively for remedies for its breach.”138 Negligence is a well-established tort even if it is applied from time to time in novel contexts. Nevertheless, a difficulty may arise if the damages sought in this case are a form of pure economic loss the recovery of which is not yet acknowledged by Canadian negligence law. If it is necessary to craft another category of recoverable pure economic loss, the argument that plaintiffs in data security breach cases are not asking for the recognition of a new tort may be vulnerable. Second, in both Bhadauria and Frame, the Supreme Court concluded that provincial statutory regimes foreclosed the development of a common law remedy in tort.
The argument that a federal statutory scheme (such as PIPEDA) should do so could be said to violate the constitutional division of powers, which assigns responsibility for “property and civil rights” to the provinces under s.92(13) of the Constitution Act, 1867.139 Nevertheless, federal laws establishing comprehensive schemes to address certain matters have also been held to foreclose private civil claims relating to the same matters, although any potential constitutional question does not seem to have been raised.140 Where there are valid (i.e., intra vires) but inconsistent federal and provincial laws, Canadian constitutional law applies the “doctrine of federal paramountcy” to resolve conflicts in favour of the federal law.141 This would be the case where one law expressly contradicts another,142 or where the provincial law would frustrate the purpose of the federal law,143 but a provincial law that merely duplicates or supplements a federal law is not inconsistent with the federal law.144 In the present case, however, we are considering whether a federal legislative scheme (presumably validly enacted by Parliament) may supplant a common law remedy. The issue from the traditional paramountcy perspective is whether there are conflicting statutes. A useful thought experiment is to ask whether a provincial law creating a statutory cause of action for negligence in the handling of personal data would be inconsistent with the scheme

138 Ibid. at p. 189.
139 R.S.C. 1985, Appendix II, No. 5.
140 See, e.g., Allen v. C.F.P.L. Broadcasting Ltd., [1995] O.J. 497 (Ont. Gen. Div.); Conrad v. Imperial Oil (1999), 173 D.L.R. (4th) 286 (N.S.C.A.).
141 Peter Hogg, Constitutional Law of Canada (Scarborough: Carswell, 2007-) at p. 16-2.
142 Ibid. at p. 16-4.
143 Ibid. at p. 16-5.
144 Ibid. at p. 16-8.


created by PIPEDA. To the extent that PIPEDA aims to create an administrative and initially non-litigious system for the resolution of disputes, there may be some inconsistency. PIPEDA provides a scheme whereby complaints are investigated by the Privacy Commissioner of Canada, and applications to the Federal Court for binding orders or damages awards may only take place following the Privacy Commissioner’s report in the matter.145 Several provincial laws have been recognized by the Governor in Council as substantially similar to PIPEDA, and therefore applicable in lieu of PIPEDA.146 It is noteworthy that these laws also provide for administrative complaints and investigation processes, albeit with stronger administrative remedial powers than PIPEDA, and in some cases a subsequent cause of action for damages.147 The previous thought experiment involved a provincial statutory cause of action for damages arising from a breach of data security. In the current context, however, the potential conflict is between PIPEDA and a common law claim in negligence. It seems fairly clear that the federal government may create statutory causes of action, as long as they are sufficiently related to a legislative scheme that falls within the enumerated federal heads of power.148 The current problem is whether the federal government may oust or limit civil liability by enacting a comprehensive administrative scheme to address a particular problem. Hogg cites several cases in which the constitutional validity of federal statutory limits on civil causes of action has been considered.149 In Clark v. Canadian National Railway Co.,150 the Supreme Court considered a negligence claim against the railway brought by a child who had been struck by the train. The claim was brought after the two-year limitation period set by the Railway Act but before the expiry of the applicable provincial limitation period.
The Court characterized the problem as follows: “Rights of action for damages for personal injury and the procedure relating thereto is a matter which, for constitutional purposes, falls within exclusive provincial legislative competence in relation to “Property and Civil Rights” (Constitution Act, 1867, s.92(13)) and “Procedure in Civil Matters” (s.92(14)). Parliament has exclusive legislative jurisdiction in relation to railways and works declared to be for the general advantage of Canada (ss. 91(29), 92(10)). Under which head of power does the prescription of the respondent’s action fall? The case law does not present a crystal clear answer.”151

145 Supra note 17 at ss. 14 and 16.
146 Supra note 17 at s. 26(2). The Governor-in-Council has in fact recognized the legislation of four provinces as substantially similar.
147 Supra note 127.
148 Hogg, supra note 141 at p. 18-21 to 18-23. See also Kirkbi AG v. Ritvik Holdings Inc., [2005] S.C.J. No. 65.
149 Hogg, supra note 141 at p. 18-23.
150 [1988] 2 S.C.R. 680.
151 Ibid. at para. 27.


Various courts had previously held that the federal limitation provision was incidental to the federal power over railways, and was therefore intra vires.152 However, in Clark the Supreme Court held that a limitation provision was not an “integral part” of the federal jurisdiction in relation to railways, which had to do with planning, establishing, supervising and maintaining the construction and operation of railways.153 Rather, the limitation provision was “an attempt to reframe for the benefit of railway undertakings the general legal environment of property and civil rights in which these undertakings function in common with other individuals and enterprises.”154 As a result, it was constitutionally invalid on the facts in Clark. The Supreme Court held that the Railway Act’s limitation period would apply only to breaches of statutory causes of action validly created under the Railway Act.155 In another case, however, a federal limitation on civil liability was held to be applicable. In Whitbread v. Walley156 the Supreme Court considered the constitutionality of two provisions in the Canada Shipping Act, R.S.C. 1985 c. S-9 limiting liability for damages resulting from injury to person or property in a case involving a pleasure craft. The Supreme Court held that tortious liability arising in the maritime context is governed by maritime law, which falls within the exclusive jurisdiction of the federal Parliament. The Court went on to note that, “if a right of action comes within provincial legislative jurisdiction, so too must a limitation of that right. 
The same reasoning must surely apply in respect of rights of action that come within the legislative jurisdiction of the federal government.”157 It was essential in Whitbread that “maritime law” existed as a body of federal law which, the Supreme Court had previously held, encompassed the common law of tort, contract and bailment.158 This law fell within federal jurisdiction by virtue of Parliament’s power to legislate with respect to “navigation and shipping” per s.91(10) of the Constitution Act, 1867. The Supreme Court distinguished Whitbread from Clark.159 It suggested that Clark involved a purported federal limitation to an action for damages arising under provincial law, while Whitbread concerned tortious liability arising under federal maritime law. “Little more need be said to show that Clark and the present case are completely distinguishable. There is in Parliament's jurisdiction over railways (and other federal works and undertakings) nothing even remotely comparable to the body of maritime law that is a central feature of its jurisdiction over navigation and shipping. The tortious liability of those who own and operate railways, unlike that

152 Ibid. at paras. 28-39.
153 Ibid. at para. 52.
154 Ibid., quoting La Forest J.A. in Clark v. CNR (1985), 17 D.L.R. (4th) 58.
155 Ibid. at para. 53.
156 [1990] 3 S.C.R. 437.
157 Ibid. at para. 19.
158 Ibid., at paras. 18-22, 26.
159 Ibid. at para. 33.


of those engaged in navigation and shipping generally, falls to be determined according to the ordinary and generally applicable law of negligence -- that is, according to "provincial law".”160 It would seem, based on these cases, that the validity of federal limits on common law tort actions depends upon the context, and is more likely where there is a comprehensive body of federal law that can be said to have incorporated tortious liability. It does not seem entirely obvious when this will be the case, although the long-standing and distinctive nature of maritime law may make this clearer in the context of boating accidents. In the context of data protection legislation, it seems unlikely that the federal government could point to a sufficiently well-developed and distinctive body of law that could validly oust or limit a negligence claim brought under the ordinary rules of tort. It is perhaps worth noting that the Ontario Superior Court of Justice has recently moved forward with the recognition of the common law tort of invasion of privacy notwithstanding the existence of PIPEDA. Unfortunately, this is not entirely solid evidence that tort law can develop in parallel with PIPEDA to deal with privacy protection because PIPEDA would not have applied to the facts in Somwar v. McDonald’s Restaurants of Canada Ltd.161 in any event. Somwar involved a claim against an employer who was not subject to the requirements of PIPEDA in relation to information collected about employees.162 As a result, the question of whether PIPEDA foreclosed the availability of a common law remedy in that case was not relevant since PIPEDA was inapplicable. A complete constitutional analysis is beyond the scope of this article, but the issue seemed sufficiently interesting to be raised for the consideration of the reader. 
As noted above, there may be a reasonable policy argument based on Bhadauria that the parallel availability of common law remedies in negligence might undermine a constitutionally valid federal attempt to create an administrative system to resolve disputes over data privacy. On the other hand, the fact that Bhadauria foreclosed the recognition of novel torts rather than the application of negligence law, as well as the argument based on the constitutional division of powers, suggests that it may be inappropriate to interpret PIPEDA as having the effect of ousting claims in negligence.

(c) The effect on liability of the intervening criminal acts of third parties

Defendants in data security breach cases sometimes argue that they should not be responsible for the intervening criminal acts of third parties who steal personal information or those who use the information to commit identity fraud. This issue is sometimes approached as a question of duty: Does the defendant owe a duty of care to

160 Ibid. at para. 33.
161 Somwar v. McDonald’s Restaurants of Canada Ltd. (2006), CanLII 202 (Ont. S.C.J.).
162 By virtue of s. 4(1)(b), PIPEDA applies to employee information collected by organizations that are engaged in federal works, undertakings or businesses. See Privacy Commissioner of Canada, “Fact Sheet: Application of the Personal Information Protection and Electronic Documents Act to Employee Records,” .


protect the plaintiff from injuries caused by third parties? It is also examined as a question of remoteness: Does the criminal act fall within the scope of the risk created by the defendant, and so remain the defendant’s responsibility, or does it sever the causal connection?163 There is some analytical confusion in the cases, but it is probably enough to note that Canadian courts have held defendants responsible for the harm resulting from the intervening criminal acts of third parties in a variety of contexts. For example, a car dealership was 20% liable for leaving keys in the cars on its lot when a thief speeding away with one of the cars struck and killed a pedestrian.164 Canadian courts have also held landlords responsible where their inadequate security measures expose tenants and entrants to attack by unknown third parties.165 In the U.S., a similar approach is taken. Johnson cites Kline v. 1500 Mass. Ave. Apartment Corp.166 in which the court held that a landlord was not required to act as an insurer of its tenants’ safety, nor was it expected to provide protection akin to a municipal police service, but it was expected to take those protective measures that were within its power and capacity to take.167 The court emphasized that the landlord was the only one with the ability to take the measures required to protect the tenants. As Johnson notes, this is also the situation in the case of data protection. “Individual data subjects are in a poor position to protect database information from intruders. The database possessor, in contrast, is the only one with the ability to mitigate the risk that intruders may cause harm. As in Kline, the database possessor can spread the cost of providing database security to a broader class of data subjects, at least in cases where there is [a] customer relationship between the plaintiff and defendant.
Kline, like Palsgraf, suggests that, at least in some circumstances, database possessors should owe data subjects a duty to exercise reasonable care to protect data from intruders.”168 Apart from the fact that the holders of personal data are best-placed to protect the data in their care, other familiar strands of common law thinking are relevant to determining whether there should be a duty of care. The courts are more likely to recognize a duty of care where a defendant has a relationship with the plaintiff169 and where the defendant can be said to have voluntarily assumed an obligation of care and induced the plaintiff to rely on him or her.170 In the cases under consideration in this article, the holders of data are often in a commercial relationship with the plaintiffs. In addition, whether or not the defendants

163 Lewis Klar, Tort Law, 3rd ed. (Toronto: Carswell, 2003), at p. 439.
164 Cairns v. General Accident Assurance Co. of Canada, [1992] O.J. No. 1432 (Ont. Gen. Div.). Note that courts have ruled against the plaintiffs in most cases involving keys left in cars.
165 Allison v. Rank City Wall Can. Ltd. (1984), 29 C.C.L.T. 50 (Ont. H.C.).
166 439 F.2d 477 (D.C. Cir. 1970).
167 Johnson, supra note 19 at p. 273.
168 Johnson, supra note 19 at p. 274.
169 The requirement of a “proximate relationship” in finding a new duty of care is discussed in cases such as Cooper v. Hobart (supra note 114).
170 Klar, supra note 163 at p. 196.


have privacy policies in which they agree to use reasonable measures to safeguard data, customers are entitled to rely on the assumption that reasonable safeguards are in place since this obligation is already imposed by statute. Presumably a business could expressly notify customers that it will not take reasonable steps to safeguard their data, and thus avoid the implicit assumption of a duty of care.171 Short of such notification, businesses that choose to take and hold the personal data of the plaintiffs could be said to have voluntarily assumed a duty of care by inducing the plaintiffs’ reasonable reliance.172 As Johnson points out, the lack of a commercial relationship can undermine the plaintiff’s claim.173 In Huggins v. Citibank N.A.,174 the Court rejected the plaintiff’s claim for “negligent enablement of imposter fraud,” because there was too weak a relationship between the plaintiff and the defendant bank which had issued credit cards to an imposter in the plaintiff’s name. In that case, the banks argued that they owed no duty to the plaintiff since he was not their customer. In the context under discussion in this article, however, there is a relationship between the defendant business and the plaintiff. The plaintiff’s personal information has generally been provided to the business in the course of a commercial transaction. In the case of data security breaches, the whole purpose of security safeguards is to protect sensitive data from accidental disclosure as well as from deliberate attempts by third parties to access sensitive data. The duty (whether based on statutory obligations in PIPEDA or on the voluntary assumption of responsibility when an organization takes and holds the personal information of another) itself thus contains an implicit objective to defend against deliberate criminal attack. To suggest that a defendant cannot be responsible if such an attack occurs means that the duty is rather empty. 
Furthermore, the reason why sensitive data is protected is precisely because it may be used for criminal identity fraud. This is the foreseeable harm arising from the compromise of sensitive data. To argue that this harm is too remote (i.e., that it does not fall within the scope of the risk created by the defendant) once again makes little sense. This is exactly the risk that is created when an organization fails to protect sensitive information in its care and control from improper disclosure. This reasoning receives support from the recent statements by the B.C. Privacy Commissioner on the meaning of “reasonable security measures.” The Commissioner recently indicated that the statutory requirement for the implementation of reasonable security measures will be satisfied only if the risks of criminal activity and other intentional wrongdoing are considered in establishing security arrangements.175

171 PIPEDA is predicated on the consent of the data subject to the collection, use and disclosure of personal information. There is nothing in PIPEDA to suggest that the data safeguard requirement cannot be waived, although there is equally nothing to suggest that the safeguard obligation is subject to negotiation with data subjects. See PIPEDA, supra note 17.
172 For a discussion of this argument under U.S. law, see Johnson, supra note 19 at p. 278-280.
173 Johnson, ibid at p. 274-275.
174 355 S.C. 329, 585 S.E.2d 275 (2003).

Part IV Setting the appropriate standard of reasonable security measures

Assuming that a plaintiff can navigate around the problems mentioned above, he or she must also establish that the defendant breached its duty of care by falling below the applicable standard of care. Custodians of personal information may wish to further protect themselves from liability by adopting as a minimum the expected standard of care for the protection of data security. This is a new application of negligence law, with most of the U.S. cases having been decided very recently, and we have no Canadian decisions to guide us. Nevertheless, some clues to the reasonable standard of care in Canada can be gleaned from a number of different types of sources.176 These include the body of U.S. cases dealing with liability for data security breaches, Canadian statutory data safeguard requirements (e.g. PIPEDA), the orders of the federal and provincial Privacy Commissioners relating to breaches of the statutory data safeguard requirements, the U.S. Federal Trade Commission consent orders relating to actions against businesses for inadequate data security precautions, U.S. statutes that impose data protection requirements, such as the Gramm-Leach-Bliley Financial Modernization Act177 (and guidelines promulgated under that Act) and the Health Insurance Portability and Accountability Act of 1996,178 and various industry standards for information security management, such as ISO/IEC 17799:2005 “Code of Practice for Information Security Management.” It is likely that reasonable care in relation to data security will be very context-dependent. In addition, some aspects of the standard are likely to change rapidly as the nature of attacks and counter-measures shifts. This is particularly the case with cyber security.
Other aspects of the standard, such as physical security measures (e.g. locked doors and cabinets), are less likely to change as quickly. As noted earlier, the plaintiffs in most of the cases decided so far have been unsuccessful for various reasons other than a failure to show a breach of the applicable standard of care.179 Nevertheless, the claims made by the plaintiffs in the decided and pending cases offer some insight into what plaintiffs will urge as the appropriate standard of care. Plaintiffs have complained of the failure to protect physical premises against theft of data, the failure to protect physical property such as laptops on which data resides,180 carelessness in permitting employees to take unencrypted sensitive information home where it was subsequently stolen or misused by third parties,181 the failure to use proper computer security measures (including encryption, firewalls, anti-virus and anti-spyware software, monitoring network access, controlling communications to and from the network, security testing and vulnerability scanning),182 the retention of information without authorization,183 the failure to follow the Payment Card Industry Data Security Standards,184 the violation of Visa and MasterCard data security rules,185 the failure to inform affected individuals promptly of the breach in data security,186 carelessness in selecting and supervising third parties who were hired by the defendants to provide data processing services,187 carelessness in using the fax machine resulting in repeatedly sending sensitive information of customers to the wrong fax number,188 the failure to train and supervise employees regarding privacy,189 the failure to use encryption and secure communication lines,190 and the failure to implement appropriate governance processes to ensure that senior management is informed of breaches of customer privacy and violations of PIPEDA.191 It is noteworthy that the claim that it was negligent not to notify promptly those affected by a security breach has been made in Canadian jurisdictions where there is no applicable statutory data breach notification requirement.192 Prompt notification may, in the future, be recognized as an element of the required standard of care in negligence.

175 B.C. Information & Privacy Commissioner, Investigation Report F06-01 “Sale of Provincial Government Computer Tapes Containing Personal Information” [2006] B.C.I.P.C.D. No. 7, at p. 17.
176 See Picanso, supra note 20 at p. 378 (discussing the standard of care in the U.S. context).
177 Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified in various sections of 12 and 15 U.S.C.A.).
178 Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified in various sections of 18, 26, 29 and 42 U.S.C.A.).
179 The courts do not often reach an inquiry into standard of care because they reject the claims for failure to state recoverable damages, or for other reasons unrelated to standard of care. Nevertheless, the court in Guin (supra note 40) suggested that the defendant had not been unreasonable in permitting an employee to take data home on a laptop, where the employee lived in a relatively safe neighbourhood and had taken reasonable precautions to protect his house from intruders. The court in Bell v. Michigan Council 25 (supra note 40), on the other hand, found the defendant union was negligent in permitting the treasurer to take the data home, where it was stolen by the treasurer’s daughter.
Statutory standards are also relevant to common law negligence as they provide useful (although non-dispositive) evidence of the reasonable standard of care in negligence.193 As a result, PIPEDA and the provincial personal information protection legislation that operates in lieu of PIPEDA in certain provinces will be relevant to the standard of care in a negligence lawsuit.194 Section 4.7 of Schedule 1 of PIPEDA provides that “personal information shall be protected by security safeguards appropriate to the sensitivity of the information.” The subparts provide further detail on this obligation. The security safeguards must protect against “loss or theft, as well as unauthorized access, disclosure, copying, use or modification.”195 The nature of the required safeguards will vary according to the sensitivity of the information, as well as the amount, distribution, format and method of storage of the information.196 The methods of protection adopted ought to include (a) physical measures (e.g. locked cabinets and limited physical access), (b) organizational measures (e.g. security clearance, and limiting access on a “need to know” basis), and (c) technological measures (e.g. encryption and passwords).197 Organizations must make their employees aware of the importance of maintaining confidentiality.198 Organizations also must take care in the disposal or destruction of information to prevent access by unauthorized parties.199

The statutory provisions use terms such as “reasonable” or “appropriate” security measures. Decisions of the Privacy Commissioners under these statutes shed some light on what this means in practice. Among the findings of the Privacy Commissioner of Canada that consider principle 4.7 and its subsections are contraventions relating to misdirected email,200 faxes,201 and mail,202 personal information placed in a publicly-accessible recycling bin rather than being shredded,203 disposal of poor quality photocopies in the garbage rather than by shredding,204 internal use of paper containing personal information as scrap paper,205 and the theft of a laptop from a locked car.206 In all of these situations, the data custodian was found not to have been employing reasonable security measures. In addition, the findings make it clear that where an organization has in place appropriate policies and procedures, the organization will be found to be in contravention if an employee does not follow the policies or procedures.207

It is noteworthy that the Privacy Commissioner has approved in appropriate cases various corrective steps including notifying affected individuals208 and obtaining credit monitoring services for affected individuals.209 This further supports the view that the failure to take steps after a breach to mitigate damage (including notifying affected persons) falls below the standard of reasonableness, and so would constitute negligence. The Privacy Commissioner announced in January 2007 that she is currently investigating the data security breaches at Winner’s/HomeSense and Talvest Mutual Funds. These decisions will clarify how these forms of security breach (hacking and a lost hard drive) are to be assessed under PIPEDA.

The decisions of the provincial Privacy Commissioners can also be extremely useful in shedding light on the meaning of reasonable security measures. For example, the B.C. Privacy Commissioner’s Investigation Report F06-01 “Sale of Provincial Government Computer Tapes Containing Personal Information”210 contains eight pages of useful discussion of the topic even though it applies to a breach of security by the government.211 Among the points made by the B.C. Privacy Commissioner is that even if the relevant legislation does not require that security measures be documented, it is a diligent and prudent practice to define and document security measures and to implement training and oversight to ensure that the measures are understood and applied.212 Furthermore, reasonable security measures can only be defined following “a methodical assessment of risk that assesses both the foreseeability of a privacy breach (intentional or accidental) occurring in the context of current threats to or weaknesses in existing information security measures and the severity and extent of the foreseeable harm that could result from a privacy breach.”213 What is reasonable will also depend upon the sensitivity of the personal information at issue.214 The B.C. Privacy Commissioner has also suggested that in some circumstances reasonable security measures must include encryption of information held in electronic form.215

180 Stollenwerk, supra note 40; Daly, supra note 40.
181 Guin, supra note 40; Bell v. Michigan Council 25, supra note 40; Randolph, supra note 40.
182 Parke v. Cardsystems Solutions Inc. et al., supra note 40.
183 Ibid.
184 Ibid.
185 Ibid.
186 Randolph, supra note 40.
187 Taylor, supra note 43; Forbes, supra note 40; Parke, supra note 40.
188 Speevak, supra note 43.
189 Ibid.
190 Ibid.
191 Ibid.
192 This claim has been made not just in California, where there is a statutory notification requirement (Parke et al. v. Cardsystems Solutions Inc. et al., supra note 40), but also in the Saskatchewan class action filing in Taylor (supra note 43). It has also been raised in Speevak (supra note 43), and in many of the Canadian class actions filed against TJX Companies Inc. (see citations, supra note 43). The statements of claim are available from the CBA class action database at .
193 Saskatchewan Wheat Pool, supra note 124; Klar, supra note 163 at p. 325-327; G.H.L. Fridman, The Law of Torts in Canada, 2nd ed. (Toronto: Carswell, 2002), p. 631-633.
194 Section 34 of Alberta’s Personal Information Protection Act S.A. 2003, P-6.5 provides that organizations must protect personal information in their custody or control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction. Section 34 of British Columbia’s Personal Information Protection Act S.B.C. 2003 c. 63 contains a similar requirement, as does Quebec’s Act respecting the protection of personal information in the private sector R.S.Q., c. P-39.1, s. 10 and Ontario’s Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A, ss. 12-14.
195 Supra note 17.
196 Ibid. at section 4.7.2, Schedule 1.
197 Ibid. at section 4.7.3, Schedule 1.
198 Ibid. at section 4.7.4, Schedule 1.
199 Ibid. at section 4.7.5, Schedule 1.
200 Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #360 (14 November 2006), .
201 Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #332 (12 April 2006), .
202 Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #337 (9 June 2006), ; Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #335 (27 June 2006), .
203 Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #356 (23 October 2006), .
204 Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #128 (4 March 2003), .
205 Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #72 (7 October 2002), .

206 Office of the Privacy Commissioner of Canada, PIPEDA Case Summary #289 (3 February 2005), .
207 Ibid.
208 PIPEDA Case Summary #335, supra note 202.
209 PIPEDA Case Summary #337, supra note 202.
210 [2006] B.C.I.P.C.D. No. 7, .
211 Ibid. The Report notes that it addresses the responsibilities of public bodies under the Freedom of Information and Protection of Privacy Act, but it is also intended to assist private sector organizations in meeting their obligations under the similarly worded security provision in the Personal Information Protection Act (see p. 2 and footnote 1).
212 Ibid. at p. 14.
213 Ibid. at p. 15.
214 Ibid.
215 Ibid. at p. 16.


The Ontario Privacy Commissioner recently made it clear that s. 12(1) of the Personal Health Information Protection Act, 2004216 requires that where identifiable personal information must be stored on portable electronic devices (a) only the minimal amount of information should be stored, for the minimum time required to complete the work, (b) the information must be encrypted using up-to-date encryption techniques, and (c) password protection on a laptop is insufficient.217 Given the relative simplicity of these requirements, it is likely that they would be reasonable requirements in the context of information much less sensitive than health information, and so ought to be required under similar provisions in other Canadian data protection statutes and in a negligence claim.

It will also be useful for Canadians to consider the U.S. experience in assessing the appropriate standard of care. The U.S. Federal Trade Commission has brought more than a dozen cases relating to the privacy of consumer information since 1999 under section 5 of the Federal Trade Commission Act.218 In the beginning, the FTC brought actions where there was a discrepancy between a stated privacy policy and a business’s data security practices.219 More recently, it has used its authority with respect to “unfair” (rather than “deceptive”) practices to bring cases against businesses which fail to take reasonable security measures to protect sensitive customer data.220 It has also brought cases to enforce the Gramm-Leach-Bliley Safeguards Rule,221 which requires financial institutions to adopt appropriate physical, technical and procedural safeguards to protect customer information.222 The FTC has recently indicated that it believes several principles should govern any information security program.223 First, security procedures must be appropriate for the level of sensitivity of the information collected and maintained. Second, where a company has taken reasonable and appropriate measures in light of the circumstances, the breach will not violate the laws that the FTC enforces. Third, the laws may be violated even without a breach of security. Companies have a legal obligation to implement reasonable security measures. Fourth, risks to data security will change over time. Therefore, companies must assess risks and adjust their security measures on an ongoing basis.

The FTC’s consent orders in the actions against ChoicePoint, B.J.’s Wholesale Club, CardSystems and DSW Inc. illustrate the context-dependence of the required security standards. ChoicePoint, a major U.S. data broker, carelessly approved a ring of identity thieves as subscribers to its databases of personal consumer information.224 Under the settlement with the FTC, ChoicePoint must pay $15 million and maintain reasonable procedures to ensure consumer reports aren’t given to those without a legitimate purpose. This includes verifying the identity of applicants by visiting business premises in certain cases, and auditing subscribers’ use of the data.

216 S.O. 2004 c. 3, Sched. A. Section 12(1) provides as follows: “A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.”
217 “Stolen laptop sparks Order by Commissioner Cavoukian requiring encryption of identifiable data: Identity Must be Protected,” News Release (8 March 2007), ; Ontario Information and Privacy Commissioner, Order HO-004 (March 2007), at p. 6-9, available at .
218 Links to the FTC enforcement actions can be found on its website “Privacy Initiatives” at . For a recent overview of FTC action, see Federal Trade Commission, “Prepared Statement of the Federal Trade Commission before the Subcommittee on Regulatory Reform and Oversight, Committee on Small Business, U.S. House of Representatives hearing on the State of Small Business Security in a Cyber Economy,” (16 March 2006), [“FTC, Prepared Statement”].
219 See e.g., In the Matter of Petco Animal Supplies, Inc., FTC Docket No. C-4133 (Mar. 4, 2005); In the Matter of MTS Inc., d/b/a Tower Records/Books/Video, FTC Docket No. C-4110 (May 28, 2004); In the Matter of Guess?, Inc., FTC Docket No. C-4091 (July 30, 2003); In the Matter of Microsoft Corp., FTC Docket No. C-4069 (Dec. 20, 2002); In the Matter of Eli Lilly & Co., FTC Docket No. C-4047 (May 8, 2002).
220 See e.g., In the Matter of DSW, Inc., FTC File No. 052-3096 (Decision and Order, 7 March 2006); In the Matter of CardSystems Solutions, Inc., FTC Docket No. 052-3148 (Decision and Order, 5 September 2006); United States v. ChoicePoint, Inc., No. 106-CV0198 (N.D. Ga. Feb. 15, 2006); In the Matter of BJ’s Wholesale Club, Inc., FTC Docket No. C-4148 (Decision and Order, 20 September 2005).
221 15 U.S.C. §6801(b); Standards for Safeguarding Customer Information, 16 C.F.R. Part 314, .
After hackers broke into B.J.’s Wholesale Club Inc.’s networks and used the personal information stored there to manufacture counterfeit credit and debit cards, the FTC charged B.J.’s with inadequate security protections.225 The FTC pointed to the failure to encrypt financial information, the storage of financial data longer than necessary contrary to bank security rules, the storage of data in files that could be accessed using commonly known default IDs and passwords, the failure to use readily available security measures to prevent unauthorized wireless connections to its networks, and the failure to use measures to detect unauthorized access or to conduct security investigations.

CardSystems (a provider of payment processing services to credit card firms including Visa and MasterCard) also failed to protect its systems against hackers, resulting in the compromise of millions of credit card files and a large volume of fraudulent purchases.226 The FTC pointed to the following failings: storing information in a vulnerable format, failing to assess the vulnerability of the system to commonly known or reasonably foreseeable attacks such as “SQL injection attacks,” failing to implement simple, cheap and readily available defenses to these attacks, failing to use strong passwords, failing to use readily available security measures to limit communications between computers on its network and between its network and the internet, and failing to employ sufficient measures to detect unauthorized access or to conduct security investigations.

DSW Inc. was also a hacking case.227 The FTC claimed that DSW (a U.S. shoe retailer) created unnecessary risks by storing financial information in multiple files when it no longer had a need to keep it, failing to use readily available security measures to limit access to its networks through wireless access points, storing the information in unencrypted files that could be accessed easily by using a commonly known user identity and password, failing properly to limit the extent to which computers in one in-store network could connect to computers on other in-store and corporate networks, and failing to use adequate measures to detect unauthorized access.

222 See, e.g. In the Matter of Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens, FTC Docket No. C-4161 (June 19, 2006); In the Matter of Superior Mortgage Corp., FTC Docket No. C-4153 (Dec. 14, 2005); Nationwide Mortgage Group, Inc., FTC Docket No. 9319 (April 12, 2005); In the Matter of Sunbelt Lending Services, FTC Docket No. C-4129 (Jan. 3, 2005).
223 U.S. Federal Trade Commission, “Prepared Statement” supra note 218 at p. 12.
224 U.S. Federal Trade Commission, “ChoicePoint settles data security breach charges; to pay $10 million in civil penalties, $5 million for consumer redress,” (26 January 2006), .
225 U.S. Federal Trade Commission, “BJ’s Wholesale club settles FTC Charges – agency says lax security compromised thousands of credit and debit cards,” (16 June 2005), .
226 Jonathan Krim and Michael Barbaro, “40 Million Credit Card Numbers Hacked,” Washington Post (18 June 2005), p. A01, ; U.S. Federal Trade Commission, “Cardsystems solutions settles FTC charges,” (23 February 2006), .

CONCLUSION

The recent proliferation of civil lawsuits against the custodians of personal information for damages arising from breaches of data security suggests that businesses ought to consider their potential liability exposure. Canadian businesses are already aware of their obligations to secure personal information under federal and provincial legislation applying to privacy protection in the private sector. However, the development of class action lawsuits for data security breaches suggests that there may be more serious financial repercussions for the careless handling of data. Several class actions have already been filed in Canada, although we do not yet have any decided cases.
The case law (dating mostly from 2005-2007) in the United States suggests that plaintiffs will face significant hurdles in establishing a negligence cause of action. The key obstacles are in establishing compensable damages where identity fraud has not yet occurred, or in establishing causation where identity fraud has occurred. I have discussed two additional concerns in the Canadian context. First, the availability of parallel civil remedies may be directly or indirectly limited by provincial privacy legislation where it exists. Where there is no applicable provincial legislation, it is possible that a court would view PIPEDA as a comprehensive statutory regime that forecloses common law development in the area. Second, the losses that arise from breaches of data security are usually pure economic loss, the recovery of which is subject to special rules in Canada. Whether or not businesses are exposed to negligence liability, it would be advisable, in order to protect customers and goodwill, to consider limiting the collection and storage of sensitive personal data and taking seriously the obligation to secure it where it absolutely must be collected.

227 U.S. Federal Trade Commission, “DSW Inc. settles FTC charges,” (1 December 2005), .

There is evidence that existing regulatory and market sanctions are insufficient to deter careless behaviour in many cases. A recent Ponemon Institute survey reports that 81% of companies and governmental entities report having lost or misplaced one or more electronic storage devices such as laptops containing sensitive information within the last year.228 Another 9% did not know if they had lost any such devices. The survey respondents also indicated that they would be frequently unable to determine what actual sensitive data was on a lost or stolen device.229 One of the functions of tort law is to deter risky behaviour. The recognition of potential liability in negligence might assist by forcing careless custodians of personal information to internalize the very real costs of their carelessness whether or not identity fraud can be shown to have occurred.

228 Ponemon Institute, “U.S. Survey: Confidential Data at Risk,” (15 August 2006), sponsored by Vontu Inc., ; Eric J. Sinrod, “Confidential data really is at risk,” CNET News.com (24 August 2006), .
229 Ponemon survey, ibid at p. 8.
