In Evans v Bank of Nova Scotia, an employee of the Bank of Nova Scotia (“Bank”), Richard Wilson, provided highly confidential information about the Bank’s customers to his girlfriend, who disseminated the information to third parties for fraudulent purposes. On June 6, 2014, the Ontario Superior Court of Justice certified a class action brought on behalf of the affected customers, alleging that they were victims of identity theft and fraud as a result of the intrusion upon seclusion.
This is the province’s first-ever class action involving the new tort of “intrusion upon seclusion”, which allows individuals to advance a civil claim for damages against an intruder who intentionally invades their privacy, without legal justification, in a manner that is highly offensive to the reasonable person.
As a Bank employee, Wilson had access to highly confidential information. During his employment, the Bank noticed a spike in the number of customer files that Wilson accessed. Between July 1, 2011 and May 18, 2012, Wilson accessed 643 of the Bank’s customers files.
In June of 2012, the Bank wrote to those 643 customers (the “Notice Group”) to advise them their documents may have been accessed by an unauthorized party. The Bank has compensated these victims for the monetary losses they have suffered, and the Bank has offered the Notice Group free access to a credit monitoring and identity theft protection service.
To date, 138 members of the Notice Group have advised the Bank that they have been victims of identity theft or fraud in the past year. Despite the Bank’s efforts to compensate its customers, the plaintiffs claim that the Bank and Wilson were (among other things) negligent, in breach of contract, and liable for intrusion upon seclusion.
The Tort of Inclusion upon Seclusion
The tort of inclusion upon seclusion was firmly established in Jones v Tsige, 2012 ONCA 32. In that case, the Court of Appeal confirmed that a plaintiff must prove the following three things to establish the tort of intrusion upon seclusion:
- The defendant’s conduct must be intentional (which could include recklessness).
- The defendant must have invaded the plaintiff’s private affairs or concerns without lawful justification.
- A reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.
The plaintiffs in Evans v Bank of Nova Scotia do not allege that the Bank acted intentionally with respect to the unauthorized access by Wilson. Rather, the plaintiffs claim that the Bank is vicariously liable for the tort of intrusion upon seclusion committed by Wilson.
In the decision released on June 6, 2014, the Ontario Superior Court of Justice certified the class action, finding there was a significant connection between the risk created by the Bank and the wrongful conduct of Wilson. The Bank created the opportunity for Wilson to abuse his power by providing him with unsupervised access to customers’ private information, without installing a monitoring system to protect vulnerable customer information.
Since this was an application for class certification, and not a final determination, the court did not decide whether the Bank was indeed vicariously liable.
This decision is a warning to employers, particularly those who collect personal information about customers. Employer should carefully monitor the collection, use and distribution of such personal information within their organization, including information security programs.
Clear boundaries should be established with employees regarding their access to customer information, and those boundaries must be effectively enforced. Personal information policies should be reinforced with technological safeguards, and by disciplining employees who do not follow company policies in their collection, use or distribution personal information.
See our previous blogs posts on Jones v Tsige, Alberta v AUPE, and R v Cole for further discussion of privacy issues relevant to this case.