Data breaches like Indigo’s are hitting employees, not customers. Can you sue? – National

A major data breach at Indigo affecting both current and former employees raises questions about what rights Canadian employees have if personal information may have been compromised. is occurring.

But lawyers and privacy experts interviewed by Global News said Canada has few laws regulating what employers have to do with employee data, which has affected them. It states that there are few avenues of compensation open to those who could.

Indigo said this week it would not pay a ransom to the hackers involved in the breach, and that the data of affected employees could appear on the “dark web” as early as Thursday. Among the data retrieved included the employee’s name, email address, social insurance number and banking information, the bookstore said in an earlier letter to affected individuals seen by Global News.

Indigo isn’t the only high-profile company to recently face a breach that could affect employee data.

Telus told Global News last week it was investigating allegations that employee data was leaked and posted on the “dark web,” but additional inquiries about the type of information that may have been exposed have included: haven’t answered.

Sobey’s parent company, Empire Co., the Liquor Control Board of Ontario (LCBO), and Toronto’s Children’s Hospital are among other companies and public institutions recently hit by cybersecurity incidents.

Lawyers at McCarthy Tétrault LLP have been receiving more calls about data breaches in recent months, said Barry Sookman, a senior attorney at the Toronto-based law firm.

Cases of this sort, once rare, are now “endemic,” he told Global News.

“With data breach cases, it’s like there’s a new case every day,” he says. “It’s very, very prevalent.”

What separates cases like Indigo from potential leaks at Telus is that it’s usually the customer data that’s compromised, not the employees, Sookman says. He generally spoke of similar situations, but did not directly comment to Global News on either case.

He adds that there aren’t many precedents that can be applied when employee data is compromised, but a recent ruling in the Ontario Court of Appeals has put a damper on the potential for class action lawsuits in such cases. I’m here.

Lawyers at McCarthy Tétrault wrote a series of decisions Late last year, lawsuits involving data breaches at Equifax Canada and Marriott International “slammed the door” on the ability to initiate class action lawsuits against companies hit by data breaches.

Sookman explains that it can be difficult to hold a company accountable after the company itself has been compromised. He says it would be different if the company itself was involved in the wrongdoing.

While there are arguments that employers may be bound by confidentiality obligations regarding workers’ confidential information, Sookman adds that these are also difficult grounds for establishing liability.

“The question is whether the employer breached confidentiality if there was a third-party hack. It’s a tough debate,” he said.

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) provides measures to protect employee information. But Sookman points out that this only applies to federally regulated industries such as banking and transportation, not private companies.

trendy now

• CSIS official fired for publicly complaining about authorities’ lack of COVID-19 masking

• Can an epi-pen be used in space? NASA Didn’t Know, But Canadian Students Did

If you experience a data breach that falls under PIPEDA, you can file a complaint with the Office of the Privacy Commissioner. If the commissioner investigates and finds a cause for action, it could open the way for damages, but the amount is usually not “significant,” Sukman said.

The Privacy Commissioner’s office confirmed in a statement to Global News last week that it had received a notice of the breach from Indigo and is in communication with the company regarding next steps.

A spokesperson for the Privacy Commissioner reaffirmed Wednesday that the office has not received any complaints about the issue.

Canadian privacy laws covering the workplace tend to vary from province to province, so it’s difficult to make general statements about what the law allows and what isn’t.

Representing Alberta, Calgary-based employment attorney Karen Tereposky of Samfiru Tumarkin LLP said privacy laws tend to protect businesses from “good faith” breaches.

“As long as there is no bad faith, they are protected from legal action. It’s hard to know where that standard is. It’s pretty subjective,” she says. “But generally, Alberta’s privacy laws protect organizations from these types of incidents.”

According to Teleposki, the situation is different south of the border, where companies are often exposed to lawsuits if they compromise someone’s data.

She said any move to amend the law to address recent violations would regulate and standardize compensation for affected parties rather than open companies to more legal action. I believe that it will become

“In Canada, we tend to want to regulate things, not just litigate,” she says.

Indigo provided credit monitoring services to employees who were compromised and may have been affected.

According to Sookman, unless the offer contains specific language waiving the right to seek damages or other indemnification after accepting such services, acceptance of such services does not cover potential future It does not affect an individual’s right to participate in legal action.

Ann Cavoukian, Former Privacy Commissioner of Ontario, said that in addition to typical cybersecurity measures such as changing account passwords, affected individuals should monitor online spaces for suspicious activity such as phishing attempts. said to need to be monitored.

Cavoukian told Global News there is little employees can do proactively to protect their data once it falls into the hands of their employers.

But that doesn’t mean you can’t try to hold them accountable for how they handle that data.

“Speak to your boss or someone at Indigo and ask, ‘What are you doing to protect my data? what are you doing?” she says.

Teleposki says there’s no limit to how long your employer can keep your information on file after you leave the company. Like many privacy laws, it comes down to the standard of “reasonableness.”

If you request that your data be deleted, it may help prove your claim in future cases if it is the subject of a hack.

Similarly, if you find that your account was compromised or your personal information was stolen after a data breach, it’s important to notify law enforcement to document the incident and lay the groundwork for future claims.

“It’s something that people have to be fully aware of. You… have to prove in some way that what you’re claiming is real,” she says.

Many companies have gone to great lengths to protect customer data, but cases like Indigo show that the same level of care is often not given to employees. It’s possible, says Sookman.

“Companies should review their policies and processes to ensure that there is a real possibility of mischief affecting employee data, and that they should take at least the same precautions against employee data as they would any other data. We have to make sure there is,” he says. .

Cavoukian hopes the recent breach will serve as a wake-up call to companies that need to strengthen their internal cybersecurity practices. She argues that having strong processes in place up front can deter hackers from trying to penetrate a company’s defenses. This is similar to putting stickers on your windows when a security company protects your home.

“Make sure your company is one that hackers want to move to because it’s too protected,” she says.

“Do you have a strong privacy policy combined with security? If not, get on with it. Drop everything else. Create a policy, all of which should be protected.”

— Using files from Sean Boynton for Global News