Court of Appeal Upholds Damages Against ICBC for “Serious Breach” of Customer Privacy
Reasons for judgement were published this week by the BC Court of Appeal upholding a damages assessment against ICBC in a privacy breach class action lawsuit.
In the case (Insurance Corporation of British Columbia v. Ari) an ICBC employee “accessed the private information of 78 ICBC policy holders for nefarious purposes. She sold the information of at least 45 policy holders to criminals. Between 2011 and 2012, 13 of these 45 policy holders were targeted in arson and shooting attacks.”
Individuals impacted by this serious breach are seeking compensation for their losses. Separate from provable losses the trial court awarded each impacted individual $15,000 in damages for breach of section 1 of BC’s Privacy Act which reads as follows:
It is a tort, actionable without proof of damage, for a person, wilfully and without a claim of right, to violate the privacy of another.
ICBC appealed arguing that absent real harm from the breach only nominal damages could be awarded and $15,000 is not nominal. The Court of Appeal disagreed. The court highlighted this was a serious breach and the Privacy Act does not require proof of damage. Given the intentional and serious breach of privacy the trial judge properly exercised their discretion. In upholding the award the Court provided the following comments:
[65] As noted above, the judge observed that, on ICBC’s proposed approach to assessing damages, proof of significant harm would be required to make an action “financially worth pursuing,” and much of the benefit of a class proceeding would also be negated: RFJ at para. 29. I read these comments as referring to the general purposes of the Privacy Act as reflected in the guidance of this Court and the Supreme Court of Canada. Limiting recovery to nominal damages in the circumstances of this case would, as I have explained, undermine these purposes.
[66] As is evident from the statement of this Court in G.D. quoted above, there is support for the view that deterrence is a legitimate purpose for awarding damages under s. 1 of the Privacy Act. However, this is not to say damages must be larger than they would otherwise be simply to make such claims financially worthwhile. Damages must still be reasonably responsive to the actual harm done to the privacy interests of the plaintiff. I do not accept, however, that the judge based his assessment of damages, even in part, on the need to ensure such claims were “financially worth pursuing”. That was simply his reason for rejecting the general rule proposed by ICBC that only nominal damages should be available in the circumstances of the case.
[67] The actual basis for the judge’s assessment of damages is clear. His assessment was grounded in the specific circumstances of the case before him. In the concluding paragraphs of his analysis, he explicitly set out the circumstances of the case that, in his view, weighed in favour of the damage award he ultimately made:
[34] The breach of privacy in this case was more serious than the one in Jones. It was motivated by personal financial gain and resulted in distribution of information to third parties, including criminals. Its impact was not limited to a single individual, and the full extent of the distribution of information and the risks it created at the time will never be known. I find those factors outweigh the mitigating factor that some class members may have been unaware of what occurred.
[35] In the circumstances of this case, based on the severity of the breach, I find an award of $15,000 per class member falls within the category of a modest or nominal award, and I assess damages in that amount.
[Emphasis added.]
[68] Following the guidance of this Court and the Court in Jones, the judge correctly concluded more than nominal damages were available to compensate and vindicate the serious breach of the plaintiff’s privacy rights. The judge relied on two of the factors specifically set out in both Jones and the Manitoba statute, being the nature and seriousness of the breach and the post-breach conduct of the defendant. Because these factors were based on the conduct of the defendant, and the proven circumstances of the breach itself, they were common to all class members and were accordingly an appropriate basis for the assessment of aggregate damages.
[69] Damage awards are entitled to significant deference, and the parties do not take issue with the quantum of the aggregate damages awarded. There is therefore no reason to closely engage with the chambers judge’s quantum assessment. I will only say, while $15,000 is likely towards the upper end of the appropriate range for damages in cases of this sort, the seriousness of the breach supports an elevated baseline award. ICBC is vicariously liable for its employee’s wilful and flagrant disregard of the plaintiff’s privacy. This is not a case where the breach resulted from a hack, or an innocent mistake. It is unnecessary to determine here what kinds of aggregate damages might be appropriate under such circumstances.
[70] The aggregate damages award made by the judge provides compensation for the injury to the class members’ privacy interests and is responsive to the seriousness of the defendant’s misconduct. It provides no compensation for any mental distress, upset, property damage, loss of income, loss of opportunity, or any other kind of consequential harm that may have been suffered by the members of the plaintiff class.
[71] It remains open, at the individual issues phase of the litigation, for any class member who has suffered consequential pecuniary or non-pecuniary harm beyond the simple fact of the breach to prove that loss and have appropriate compensation assessed. Of course, at that stage, the judge must be careful to ensure there is no double compensation.
[72] The only questions left to be addressed are what kinds of purely consequential harms the class members have suffered, and what damages are required to make them whole.