A significant data breach at Indigo affecting both current and former employees is raising questions about what rights Canadian workers have if their personal information was possibly exposed in a leak.
But lawyers and privacy experts who spoke to Global News say there is little legislation in Canada covering what obligations an employer has with its employees’ data, and few paths for compensation open to those who might have been affected.
Indigo said this week it would not pay the ransom to hackers involved in its breach and that affected employee data could start to appear on the “dark web” as early as Thursday. Among potentially compromised data were workers’ names, email addresses, social insurance numbers and banking information, the bookseller said in an earlier letter to affected individuals seen by Global News.
Indigo is not the only high-profile company recently facing a breach possibly affecting employee data.
Telus told Global News last week that it was investigating claims that employee data was leaked and posted on the “dark web,” but has not responded to followup inquiries about the kind of information that might have been exposed.
Sobeys parent company Empire Co., the Liquor Control Board of Ontario (LCBO) and Toronto’s Hospital for Sick Children are among the other corporate and public organizations that have recently been hit with cybersecurity incidents.
Lawyers at McCarthy Tétrault LLP have been getting a growing number of calls about data breaches in recent months, says Barry Sookman, senior counsel at the Toronto-based firm.
These kinds of cases were once rare occurrences, he tells Global News, but are now “rampant.”
“With data breach cases, it’s almost like we get a new one every day,” he says. “It’s just so, so prevalent.”
Can employees sue their employer after their data is leaked?
What separates cases like Indigo and the possible leak at Telus is that, usually, it’s customer data being breached — not employees’ — Sookman says. He spoke generally about similar situations but did not comment directly on either case to Global News.
There isn’t a lot of case law to draw on for incidents where employee data is compromised, he adds, but a recent ruling at the Ontario Court of Appeal puts a damper on the prospect of a class-action lawsuit in such cases.
Lawyers at McCarthy Tétrault wrote that a series of decisions late last year, including cases involving data breaches at Equifax Canada and Marriott International, “firmly shuts the door” on being able to launch class-action lawsuits against companies hit by data breaches.
Sookman explains that it can be difficult to hold companies liable after they themselves have been hit by a breach. It would be different if the company itself had played a role in the misconduct, he says.
There are arguments to be made that an employer could have a duty of confidence with respect to a worker’s sensitive information, Sookman says, but he adds that these are also difficult grounds to establish liability.
“The question is, if there’s a third-party hack, has the employer breached the duty of confidence? It’s a tough argument,” he says.
The federal Personal Information Protection and Electronic Documents Act (PIPEDA) does provide some safeguards for employee information. But Sookman notes this only applies to federally regulated industries such as banking or transportation, not to private industry.
When a data breach happens that falls under PIPEDA, complaints can be made to the Office of the Privacy Commissioner. If the commissioner investigates and finds a cause of action, that can open the door to seeking damages — but Sookman says this amount is not usually “significant.”
The Office of the Privacy Commissioner confirmed to Global News in a statement last week that it had received notice of a breach from Indigo and are in communication with the company about next steps.
A spokesperson for the privacy commissioner confirmed again on Wednesday that the office had not received any complaints about the matter.
Privacy legislation in Canada covering the workplace tends to vary from province to provinces, so it’s hard to make general statements about what’s allowed and what’s not under the law.
Speaking for Alberta, Calgary-based employment lawyer Karen Tereposky with Samfiru Tumarkin LLP says privacy legislation tends to protect companies against violations that are in “good faith.”
“Unless it’s in bad faith, then they’re protected from legal action. It’s hard to know where that standard is. It’s pretty subjective,” she says. “But in general, the privacy legislation in Alberta protects organizations from these types of incidents.”
The landscape is different south of the border, Tereposky says, where companies are more often opened up to lawsuits when they compromise someone’s data.
She suspects that if there were a push to reform legislation to address recent breaches, it would be to regulate and standardize compensation for affected parties, rather than open companies up to more legal action.
“In Canada, we tend to want to regulate things more than to just have litigation flowing,” she says.
What options do you have after your data is leaked?
Indigo offered credit monitoring services to possibly affected employees in the wake of the breach.
Sookman says that, unless the offer came with specific language waiving rights to sue for damages after accepting those services or any other compensation, accepting services like that would not affect an individual’s right to participate in a potential future legal action.
Ann Cavoukian, the former Ontario privacy commissioner, says that, in addition to typical cybersecurity hygiene like changing account passwords, affected individuals should monitor their online spaces for suspicious activities like phishing attempts.
There’s little employees can do to be proactive about safeguarding their data when it’s in their employer’s hands, Cavoukian tells Global News, as few employment contracts have those kinds of protections baked into their terms.
But that doesn’t mean you can’t try to hold them to account on how they handle that data.
“I would urge them to talk to their boss and to the head of Indigo, and just say, ‘What are you doing to protect my data? What are you doing to ensure that my data isn’t misused or inappropriately accessed?’” she says.
Tereposky says there’s no set time limit for how long an employer can keep your information on file after you’re gone — like a lot of privacy law, it comes down to a “reasonableness” standard.
If you were to request your data be deleted, and then it were subject to a hack, that could help prove your claim in a future case, she adds.
In a similar vein, if you do find an account was compromised or your identity was stolen following a data breach, Cavoukian says it’s important to notify the police to document the occurrence and lay the groundwork for future claims.
“That’s what people have to be very aware of. You have to … demonstrate in some way that what you’re claiming is real,” she says.
While many companies have taken plenty of time to safeguard customer data, cases like Indigo might show the same level of care is not often taken for employees, Sookman says.
“Companies should be looking at their policies and processes and make sure they contemplate there could actually be mischief that affects employee data and that they should be taking the same at least the same measures for employee data as they take for other data,” he says.
Cavoukian hopes the recent breaches are a wake-up call to companies who need to shore up their internal cybersecurity practices. Having strong processes in place up front can deter hackers from ever attempting to breach a company’s defences, she argues, in the same way security companies leave a sticker in your window when they’ve secured your home.
“Make sure your company is one where the hackers want to just move on because the protections are too strong,” she says.
“Do you have a strong privacy policy combined with security? If you don’t, get on it. Drop everything else. Create a very strong privacy policy that protects your data, your employees’ data, your customers’ data. All of this has to be protected.”
— with files from Global News’s Sean Boynton
Comments