A new ruling by the Alberta Court of Appeal says civil claims for privacy breaches can be filed more than two years after the breach occurred.
Calgary-based Moore’s Industrial Service Ltd. requested the dismissal of a civil claim, which was filed by a former employee whose privacy had been breached after his termination. The request was filed on the grounds that the breach occurred almost six years prior.
In 2009, when Wilfried Kugler was terminated, he returned a company laptop that he’d used during his employment. In October 2010, Kugler learned his personal emails had been forwarded from his work laptop to another employee. A year later, he filed a complaint with the Office of the Information and Privacy Commissioner of Alberta.
Following an investigation, the OIPC issued an order in November 2013 that found Moore’s had breached its obligations to Kugler under the provincial Personal Information Protection Act. In January 2015, Kugler filed a civil claim for $310,000 in damages.
In its appeal, Moore’s argued Kugler’s claim should be dismissed because it was filed more than four years after the breach, exceeding the time limit set out in the province’s Limitations Act. However, the judges found the two-year timeframe under the Limitations Act didn’t begin until after the OIPC ruling was finalized. They also noted a civil claim filed under section 60 of PIPA — the type of claim filed by Kugler — can’t be heard by a court until after the OIPC has finished its inquiry.
Sheena Owens, senior counsel in the employment and labour group at Stikeman Elliott LLP, says Alberta employers should take note of this case because it means they’re on the hook longer for potential civil actions after a privacy breach.
“When you look at cases like that, it really emphasizes that employees can be a great asset to an organization but have the potential to be a liability,” she says, noting many employees now have work laptops or cell phones that contain sensitive information.
“Someone who leaves their phone on a bus now can potentially be exposing their organization to all sorts of civil claims,” says Owens. “If you take it in the context of someone who’s got 100 vendors or client contacts on their phone and the phone is lost, that’s a potential disclosure of information . . . and they all have rights under the privacy legislation.”
Employers should implement strict policies and procedures around safeguarding personal information and back them up with proper training, she adds. They should also make sure they’re maintaining any records related to a breach for several years after it occurs.