Thursday, September 22, 2011

Federal Court slaps law firm for publishing a Privacy Commissioner finding that identified the complainant

The Federal Court of Canada has just issued a decision in Girao v. Zarek Taylor Grossman Hanrahan LLP, 2011 FC 1070 (CanLII), in which it found a law firm liable for having posted on its website a previous report of findings from the Office of the Privacy Commissioner of Canada along with a cover letter that identified the complainant.

As is clear from the decision, this arises from a long-standing string of litigation and privacy complaints involving the complainant and All State Insurance. The firm was counsel to the insurer. The firm had posted the document thinking it would be useful and instructive to its clients.

The complainant said that the firm posted her personal information without her consent and should be liable for $5,000,000 in damages.

The Court agreed that it was a breach of PIPEDA and awarded $1500. Here is the Court's discussion on the appropriate quantum of damages:

[53] Law firms providing advice to clients who deal with the personal information of their customers must be knowledgeable about privacy law and the risks of disclosure. Lawyers also have a public duty to protect the integrity of the legal process. The failure of lawyers to take measures to protect personal information in their possession may justify a higher award than that which would be imposed on others who are less informed about such matters.

[54] Section 16 of PIPEDA provides no guidance as to the quantum of damages that may be granted. Here the applicant is claiming that she suffered mental anguish as a result of the breach. In calculating what might be an appropriate amount to award for such harms, it may be useful to refer to relevant provincial legislation. Section 65 of the Ontario Personal Health Information Act, 2004, SO 2004, c 3, Sch A, may be of assistance in this context as it deals with the protection of medical information. Under that provision, the Superior Court of Justice may award damages, not exceeding $10,000.00 for mental anguish resulting from the willful or reckless contravention of the statute.

[55] In some cases, such as Nammo, a damages award may also be used to compensate a complainant for economic loss and expense incurred in dealing with the consequences of the breach. Here, the respondent points to the lack of any evidence in the applicant’s record that would support a finding that she had suffered any damages as a result of the posting. The respondent submits that the posting of the 2009 Report has not attracted adverse attention to the applicant in any way that would sustain a claim of damages. I agree that the record does not establish that the applicant suffered humiliation as a result of the breach.

[56] The applicant asserts that her mental health was seriously affected. The record before me does not make a connection between the treatment she is presently undergoing and the disclosure of the personal information. The one medical report filed is from a psychiatrist dated April 4, 2008; almost one year before the 2009 Report and letter were posted. The letter speaks to the applicant’s psychological condition and treatment as it related to the car accident, and not in any way to the subsequent disclosure of her personal information.

[57] According to an exhibit attached to Mrs. Girao’s affidavit, her husband became aware of the ZTGH posting as early as May 2009. Mrs. Girao referred to it in a letter to a PCC investigator in August 2009, presumably while the first complaint was under review. No steps were taken to inform ZTGH of this prior to the PCC’s call to Mr. Grossman in February, 2010. The information thus remained on the ZTGH website for a much longer period than might have been the case if the firm had been notified in a timely manner. It is not clear when it first appeared on the US website.

[58] The evidence is that 247 persons accessed the information on the ZTGH site prior to the filing of the complaint, including members of the firm itself. I expect that most of those persons would have been interested in the legal issues arising from the case and not in Mrs. Girao’s personal information. While the 2009 Report may still be accessed at the U.S. site and could be disseminated further by visitors to that site, the evidence indicates that the traffic to that page was minimal. In any event, there is nothing before me to indicate that there would be any broader interest in the applicant’s personal information or that it has been used in any way to cause any adverse effects to her health and welfare.

[59] There is no evidence before me that the respondent posted the information for economic gain. Mr. Grossman saw the 2009 Report to be an important precedent in the domain of insurance defence litigation and posted it on his firm’s website to inform their clients and others about the development of the law in that field. It is a common business practice for law firms to post such information. Success achieved by the firm in litigation may help to retain or attract clients. But there is no basis in law upon which Mrs. Girao would be entitled to an accounting of any benefits that may have flowed to ZTGH from the publication of the 2009 Report even if the value of such benefits could be calculated, which is unlikely.

[60] The nature of this breach fits somewhere at the low end between the breach committed in Randall: “the result of an unfortunate misunderstanding”; and that which was committed in Nammo: a “serious breach involving financial information of high personal and professional importance”. That is not the case here. While the information related to her claim for increased benefits, there was no disclosure of her financial status. The applicant submitted evidence of her current limited income on this application, but there is no evidence that this is due to the disclosure of her personal information or that she has missed opportunities to earn income as a result.

[61] The respondent was careless in posting but did not act in bad faith. ZTGH deleted from its website all references to the applicant as soon as it became aware that there was a concern. The law firm was negligent in not taking steps to ensure that any personal information about an identifiable complainant was removed before it posted the report. In the result I consider it appropriate to make an award of $1500.00.

No comments: