Data breaches like Indigo’s are hitting employees, not customers. Can you sue? – National

A big knowledge breach at Indigo affecting each present and former staff is elevating questions on what rights Canadian employees have if their private info was presumably uncovered in a leak.

However attorneys and privateness consultants who spoke to International Information say there may be little laws in Canada overlaying what obligations an employer has with its staff’ knowledge, and few paths for compensation open to those that might need been affected.

Indigo stated this week it might not pay the ransom to hackers concerned in its breach and that affected worker knowledge might begin to seem on the “darkish internet” as early as Thursday. Amongst doubtlessly compromised knowledge have been employees’ names, electronic mail addresses, social insurance coverage numbers and banking info, the bookseller stated in an earlier letter to affected people seen by International Information.

Learn extra:


Telus says it’s investigating claims worker info was posted on ‘darkish internet’

Story continues under commercial

Indigo is not the one excessive-profile firm just lately dealing with a breach presumably affecting worker knowledge.

Telus instructed International Information final week that it was investigating claims that worker knowledge was leaked and posted on the “darkish internet,” however has not responded to followup inquiries in regards to the sort of info which may have been uncovered.

Sobeys dad or mum firm Empire Co., the Liquor Management Board of Ontario (LCBO) and Toronto’s Hospital for Sick Kids are among the many different company and public organizations which have just lately been hit with cybersecurity incidents.

Click to play video: 'Empire remains silent about IT problems that impacted Sobeys, other stores'

Empire stays silent about IT issues that impacted Sobeys, different shops

Attorneys at McCarthy Tétrault LLP have been getting a rising variety of calls about knowledge breaches in latest months, says Barry Sookman, senior counsel on the Toronto-primarily based agency.

These sorts of circumstances have been as soon as uncommon occurrences, he tells International Information, however are now “rampant.”

Story continues under commercial

“With knowledge breach circumstances, it’s nearly like we get a brand new one day-after-day,” he says. “It’s simply so, so prevalent.”

Can staff sue their employer after their knowledge is leaked?


What separates circumstances like Indigo and the attainable leak at Telus is that, normally, it’s buyer knowledge being breached — not staff’ — Sookman says. He spoke typically about comparable conditions however did not remark straight on both case to International Information.

There isn’t loads of case legislation to attract on for incidents the place worker knowledge is compromised, he provides, however a latest ruling on the Ontario Courtroom of Enchantment places a damper on the prospect of a category-motion lawsuit in such circumstances.

Attorneys at McCarthy Tétrault wrote that a series of decisions late final yr, together with circumstances involving knowledge breaches at Equifax Canada and Marriott Worldwide, “firmly shuts the door” on having the ability to launch class-motion lawsuits towards firms hit by knowledge breaches.

Story continues under commercial

Learn extra:

Quebec court docket approves $200.9M settlement towards Desjardins over knowledge breach

Sookman explains that it may be troublesome to carry firms liable after they themselves have been hit by a breach. It might be totally different if the corporate itself had performed a job within the misconduct, he says.

There are arguments to be made that an employer might have an obligation of confidence with respect to a employee’s delicate info, Sookman says, however he provides that these are additionally troublesome grounds to ascertain legal responsibility.

“The query is, if there’s a 3rd-celebration hack, has the employer breached the obligation of confidence? It’s a tricky argument,” he says.

The federal Private Data Safety and Digital Paperwork Act (PIPEDA) does present some safeguards for worker info. However Sookman notes this solely applies to federally regulated industries reminiscent of banking or transportation, not to non-public business.

Trending Now

gettyimages 599076618

Trudeau briefed ‘a number of’ instances since 2019 on election interference, adviser testifies

vlcsnap 2022 12 29 17h57m03s063

1 killed, extra feared useless and injured after avalanche close to Invermere, B.C.

When a knowledge breach occurs that falls underneath PIPEDA, complaints will be made to the Workplace of the Privateness Commissioner. If the commissioner investigates and finds a reason for motion, that may open the door to searching for damages — however Sookman says this quantity is not normally “vital.”

Click to play video: 'Cybersecurity controls applied ‘inconsistently’: AG report'

Cybersecurity controls utilized ‘inconsistently’: AG report

The Workplace of the Privateness Commissioner confirmed to International Information in a press release final week that it had obtained discover of a breach from Indigo and are in communication with the corporate about subsequent steps.

Story continues under commercial

A spokesperson for the privateness commissioner confirmed once more on Wednesday that the workplace had not obtained any complaints in regards to the matter.

Privateness laws in Canada overlaying the office tends to range from province to provinces, so it’s arduous to make common statements about what’s allowed and what’s not underneath the legislation.

Talking for Alberta, Calgary-primarily based employment lawyer Karen Tereposky with Samfiru Tumarkin LLP says privateness laws tends to guard firms towards violations that are in “good religion.”

“Until it’s in dangerous religion, then they’re shielded from authorized motion. It’s arduous to know the place that customary is. It’s fairly subjective,” she says. “However normally, the privateness laws in Alberta protects organizations from some of these incidents.”

The panorama is totally different south of the border, Tereposky says, the place firms are extra usually opened as much as lawsuits after they compromise somebody’s knowledge.

She suspects that if there have been a push to reform laws to handle latest breaches, it might be to manage and standardize compensation for affected events, relatively than open firms as much as extra authorized motion.

“In Canada, we are likely to need to regulate issues greater than to only have litigation flowing,” she says.

What choices do you have after your knowledge is leaked?

Indigo supplied credit score monitoring providers to presumably affected staff within the wake of the breach.

Story continues under commercial

Sookman says that, until the provide got here with particular language waiving rights to sue for damages after accepting these providers or some other compensation, accepting providers like that may not have an effect on a person’s proper to take part in a possible future authorized motion.

Ann Cavoukian, the previous Ontario privateness commissioner, says that, along with typical cybersecurity hygiene like altering account passwords, affected people ought to monitor their on-line areas for suspicious actions like phishing makes an attempt.

Learn extra:

‘Grandparent scams’ value seniors over $9.2M final yr. Right here’s how one can defend your self

There’s little staff can do to be proactive about safeguarding their knowledge when it’s of their employer’s palms, Cavoukian tells International Information, as few employment contracts have these sorts of protections baked into their phrases.

However that doesn’t imply you can’t attempt to maintain them to account on how they deal with that knowledge.

“I’d urge them to speak to their boss and to the pinnacle of Indigo, and simply say, ‘What are you doing to guard my knowledge? What are you doing to make sure that my knowledge isn’t misused or inappropriately accessed?’” she says.

Tereposky says there’s no set time restrict for a way lengthy an employer can maintain your info on file after you’re gone — like loads of privateness legislation, it comes all the way down to a “reasonableness” customary.

Story continues under commercial

If you have been to request your knowledge be deleted, after which it have been topic to a hack, that would assist show your declare in a future case, she provides.

In an analogous vein, if you do discover an account was compromised or your identification was stolen following a knowledge breach, Cavoukian says it’s vital to inform the police to doc the prevalence and lay the groundwork for future claims.

“That’s what individuals should be very conscious of. You need to … show not directly that what you’re claiming is actual,” she says.

Whereas many firms have taken loads of time to safeguard buyer knowledge, circumstances like Indigo may present the identical degree of care is not usually taken for workers, Sookman says.

Click to play video: 'Consumer Matters: How to spot and avoid tax scams'

Client Issues: The way to spot and keep away from tax scams

“Corporations ought to be their insurance policies and processes and ensure they ponder there might truly be mischief that impacts worker knowledge and that they need to be taking the identical at the very least the identical measures for worker knowledge as they take for different knowledge,” he says.

Story continues under commercial

Cavoukian hopes the latest breaches are a wake-up name to firms who must shore up their inner cybersecurity practices. Having robust processes in place up entrance can deter hackers from ever trying to breach an organization’s defences, she argues, in the identical manner safety firms depart a sticker in your window after they’ve secured your house.

“Be certain your organization is one the place the hackers need to simply transfer on as a result of the protections are too robust,” she says.

“Do you have a powerful privateness coverage mixed with safety? If you don’t, get on it. Drop every part else. Create a really robust privateness coverage that protects your knowledge, your staff’ knowledge, your clients’ knowledge. All of this must be protected.”

— with recordsdata from International Information’s Sean Boynton

Show More

Related Articles

Back to top button