Concerns over privacy breaches and cybersecurity have moved from IT offices to boardrooms and courthouses following a number of high-profile data breaches and “snooping” cases.
That means financial advisors who are cavalier in their approach to protecting client data or who push the privacy edge when looking for an upper hand in lead generation and marketing are more likely to face dire consequences in the future. So, now is the time for advisors to make sure that their data policies and procedures pass muster.
“Snooping is a big problem,” says Timothy Banks, privacy lawyer at Dentons LLP in Toronto. “It’s one of the issues that employers in all sectors have to pay attention to. You [would] be naive to think employees are not going to snoop if they have the opportunity.”
Indeed, a long-term employee in the IT department of a credit union was fired for cause after she breached her employer’s privacy policies and accessed the personal folder of a manager without permission. The reason for her curiosity? The folder contained information about the employee’s priority on an internal list of available parking spaces. This past spring, the Court of Appeal for British Columbia confirmed the findings of the trial judge in Steel v. Coast Capital Credit Union: the trial judge had concluded that the curious employee “occupied a position of great trust in an industry in which trust is of central importance.” The appeal court upheld her dismissal for cause.
And last June, the Ontario Securities Commission (OSC) indicated how seriously it plans to take privacy breaches by laying a series of criminal and quasi-criminal charges involving a marketing scheme to sell registered education savings plans to new parents. The scheme involved privacy breaches affecting as many as 14,000 maternity patients at two Ontario hospitals.
Former Knowledge First Financial Inc. branch manager Poly Edry, former C.S.T. Consultants Inc. assistant branch manager Subramaniam Sulur and former Global RESP Corp. (Global) sales representative Nellie Acar were charged with various offences involving the misuse of confidential patient information.
The OSC alleges that Edry and Sulur “purchased confidential maternity information” from a hospital clerk and provided that information to sales representatives at their firms, while Acar allegedly “purchased stolen maternity patient labels” from a registered nurse.
Edry and Sulur were charged under the Ontario Securities Act with one count of failing to act fairly, honestly and in good faith with clients, and one count of participating in an unlawful referral arrangement with another person.
Acar faces a number of Criminal Code charges, including two counts of secret commissions and two counts of possession of property obtained by crime under $5,000. The clerk and nurse were charged for securities offences; the clerk, who admitted to creating and selling investor lists from unauthorized access to data, pleaded guilty to unregistered trading.
Peter Murphy, business lawyer at Gowlings LLP in Toronto, who co-leads his firm’s anti-spam group, says: “It’s very serious for financial advisors to have these sorts of privacy-related offences being brought by the OSC.”
The incidents have also spawned a $400-million class action (not certified), which includes the investment firms and advisors, Murphy said. “It’s interesting for [advisors] that they may now be sued for their activity if it is not privacy compliant.”
But keeping up with the rules isn’t easy. Privacy law and liability are changing rapidly, fuelled by a mixture of court cases and legislative change. Earlier this year, the Digital Privacy Act came into force, modifying the consent provisions of the Personal Information Protection and Electronic Documents Act, introducing a requirement that organizations log breaches and eventually requiring those firms to notify clients whose information is breached.
One of the biggest legal developments in privacy law was a 2012 Ontario Court of Appeal case, known as Jones v. Tsige, involving Bank of Montreal.
Winnie Tsige, a financial planner at the bank, viewed the private banking records of Sandra Jones, a project manager for the bank, 174 times over a four-year period. Tsige was in a financial dispute with her common-law spouse, who was Jones’ former husband. According to the judgment, Tsige told her employer she knew her actions were wrong, but she wanted to confirm that the man was paying Jones child support.
Jones sued Tsige, with the case making it to the Ontario Court of Appeal. That court held that “the right of action for intrusion upon seclusion should be recognized in Ontario” and awarded Jones $10,000 in damages. “That was a landmark case,” Murphy says. “Before that, [people] had to go to the privacy commissioner and make a complaint.”
Before Tsige, there were few damage awards and they tended to be low. Now, the ceiling for damages is $20,000, according to the Tsige ruling, and the case has been cited in 56 other lawsuits.
The problem, Murphy says, “is that [damages] can add up really quickly when you’ve got a class” – for example, a data breach involving your entire client list.
While snooping is an issue, sloppiness within an organization is equally problematic. Barry Sookman, a privacy lawyer at McCarthy Tétrault LLP in Toronto, cites the case of Condon v. The Queen, involving an unencrypted hard-drive containing student loan data that went missing. The drive had been stored amid papers in a desk. The court said a class action for a privacy breach could go forward even though there was no proof of financial harm – usually a key element in a lawsuit.
Even an erroneous change of address has led to liability. Bank of Montreal was ordered to pay a client $2,000 after the bank sent credit bureaus wrong information about a woman’s address.
Marketing also faces greater scrutiny in today’s privacy-focused world. A firm could find itself offside even though it created and followed a good process and obtained consents. That’s what happened to Bell Canada.
Bell engaged in a behavioural advertising campaign, in which the utility announced it would use its clients’ information about network usage, such as web page visits, along with demographic information to provide those clients with more targeted advertising. While clients were given the opportunity to opt out of the campaign, it still generated 170 complaints to the federal privacy commissioner.
The federal privacy commissioner said the opt-out consent model wasn’t proper. Rather, Bell should have used an opt-in consent model in this case.
“Sometimes you need to step back and think about privacy from a general perspective,” Murphy says. “[Bell] did what seemed to be enough at the time,” but still fell short.
Even simply using photos in marketing materials could be too much, he noted, citing a Quebec privacy case in which a woman successfully sued Google Inc. for $2,250 over its Street View photos showing her on her porch with an exposed breast. While her face was blurred, her car’s licence plate and house number were not. As Sookman says: “Using a photo of people for marketing, even if they take the photo in a public place, could violate privacy rights in Quebec.”
How can advisors protect themselves? Notes Banks: “You need to develop a compliance program where you log important things, train employees and have policies about how you are going to use [information].” Just putting it down on paper and expecting people to follow the rules is not enough, he adds. “You have to verify and have periodic audits or reviews to make sure employees are complying with the policy and not snooping.”
Banks warns that employers are vicariously liable for the actions of their employees, so advisors need to keep on top of staff.
And Sookman has concerns that privacy obligations are too much for most advisors to cope with: “I think that some of the laws are becoming very, very difficult for the average small business.”
This is the third instalment in a three-part series reviewing the impact of the new privacy rules on your firm, from procedures to penalties.
© 2015 Investment Executive. All rights reserved.