ICBC employee sold private information of customers who were then targeted with shooting attacks
The BC Court of Appeal has upheld the finding that the Insurance Corporation of British Columbia (ICBC) is vicariously liable for a breach of privacy by one of its employees.
In Insurance Corporation of British Columbia v. Ari, 2023 BCCA 331, ICBC employed Candy Rheaume as a claims adjuster. In 2011, she accessed the personal information of 78 customers for no apparent business reason. She searched for customers' personal information by running license plate numbers provided to her by Aldorino Moretti, which information she then sold to him for over $25 per license plate. The homes and vehicles of 13 of the 78 customers were then targeted in arson, shootings, and vandalism.
A class action was instituted against ICBC, and the trial court ruled that ICBC is vicariously liable for Rheaume's statutory tort of violation of privacy under the Privacy Act. The trial judge found that the personal information provided by the customers to ICBC attracted a reasonable expectation of privacy. The customers expected that ICBC would only use the information for its legitimate business purpose—to operate an insurance plan and its functions related to vehicle registration.
The trial judge further found that ICBC created the foreseeable and foreseen risk of wrongdoing concerning an employee in Rheaume's position and that her misconduct was directly related to her employment.
ICBC advanced an appeal, arguing that the information accessed was not private but mere contact information that people regularly provide to others. Furthermore, ICBC contended that vicarious liability was wrongfully imposed because all that ICBC provided was the opportunity for the employee to access the information. ICBC asserted that it did everything right regarding having workplace privacy policies, and imposition of liability on it is inappropriate.
Breach of privacy
The BC Court of Appeal found that ICBC had not established that the judge made an error in finding that customers had a reasonable expectation of privacy in the information they gave ICBC. ICBC argued that the type of privacy protected by the Privacy Act is "highly sensitive" information, while the information in this case was simple contact information publicly available. ICBC asserted that by treating data as private for the Privacy Act, the judge conflated the statute that protects personal information with the Privacy Act.
However, the appeal court disagreed with ICBC's propositions. The court said there is no authority to conclude that the statutory tort is limited to "highly sensitive" information at the biographical core of individuals. The language of the Privacy Act is not so narrow. The statutory tort expressly requires consideration of the entire context to determine what is a reasonable expectation of privacy in the circumstances.
Furthermore, the appeal court found that the judge correctly considered an individual's right to control their personal information, including the controlling degree to which it is disclosed and to whom, as an aspect of his analysis under the Privacy Act.
Contrary to the trust of ICBC's arguments, the appeal court emphasized that it is not just the nature of the relevant personal information but also the context of the nature and degree of disclosure of that information. The court further said that the nature of the information is simply part of the contextual circumstances to consider when determining what is a reasonable expectation of privacy. While some types of data might be much more sensitive than a person's home address, such as intimate photos or health records, there can still be a breach of privacy for less sensitive information, and the context of the intrusion on privacy is all important.
Accordingly, the appeal court concluded that ICBC failed to establish that the judge made a palpable and overriding error in his finding that the class members had a reasonable expectation of privacy in the personal information they gave ICBC-- an expectation that the information would not be used except for ICBC's legitimate operational purposes.
Vicarious liability
The court noted that assessing vicarious liability involves considering whether the employee's conduct was "sufficiently related" to conduct authorised by the employer to justify the imposition of vicarious liability.
The court explained that Rheaume was not in a position akin to a janitor cleaning the office, a person delivering the mail, or an employee who after-hours surreptitiously went outside of their job responsibilities and looked at an open computer or a file on a desk. The abuse she engaged in as an employee was closely connected to her employment.
The appeal court further said there was a risk that Rheaume's employment responsibilities as a claims adjuster, which involved working with ICBC's computer database to access personal information that customers had provided, could lead her to access private information for an improper purpose. ICBC knew that information was vulnerable to abuse. Furthermore, the court said it was inherent in ICBC's enterprise that it would collect the personal information of its customers and that information would be stored in a database and could be linked to an electronic search of license plates. The court emphasized that ICBC understood that its customers "entrusted" it with the information and knew that customers were vulnerable to abuse of this information.
"Knowing all this, ICBC gave Ms. Rheaume unlimited power to search and access its customers' private information as part of her regular employment duties," the court wrote in its judgment. "It is readily apparent that Ms. Rheaume's unlimited access to the searchable electronic database made her work more efficient and furthered ICBC's aims."
Ultimately, the court concluded that the judge did not commit an error in imposing vicarious liability on ICBC. The court ruled that ICBC materially created the risk, allowed its employee to commit the wrong, and that the employee's conduct was sufficiently related to her authorized duties. Accordingly, the court said policy reasons support the imposition of vicarious liability.