Long-time readers may recall a truly frightening insider breach at the Insurance Corporation of British Columbia (ICBC) that resulted in cases of arson and people being shot at. The breach was first disclosed in 2011. An employee had reportedly accessed personal information on 65 people. We would later learn that Candy Elaine Rheaume had accessed personal information on 78 people and sold information on 45 of them to gang members. Thirteen of them wound up having their homes or vehicles set on fire, or they were shot at. Unsurprisingly, a lawsuit against ICBC was filed.
In June 2024, the court found for the plaintiffs and awarded them each $15,000. ICBC appealed. Now Jeremy Hainsworth reports that the chief justice of B.C. has dismissed ICBC’s appeal:
“Where—as here—the breach is serious, deliberate, and for an improper purpose, it is entirely open to a judge to conclude more than technically nominal damages are required to compensate for the intrinsic damage to the privacy rights of the plaintiff,” B.C. Court of Appeal Chief Justice Leonard Marchand said in his April 23 decision.
The decision, concurred with by two other justices, said the public insurer had been found vicariously liable for a serious breach by Candy Elaine Rheaume of the privacy of a number of its customers and others.
Read more at Vancouver is Awesome.
The Canadian Press provides some additional details, including that the insurer wanted the court to award only “nominal” damages of $500 each. ICBC had argued that the $15,000 amount was too high because “consequential harm” to individual class members has yet to be proven, and is still before the court to decide.
Reading the court’s decision makes it clear that the damages award is solely for the breach of their privacy interests. The $15,000 does not include any compensation for damages to homes, vehicles, or other forms of harm the plaintiffs might have suffered. From the chief justice’s decision:
[70] The aggregate damages award made by the judge provides compensation for the injury to the class members’ privacy interests and is responsive to the seriousness of the defendant’s misconduct. It provides no compensation for any mental distress, upset, property damage, loss of income, loss of opportunity, or any other kind of consequential harm that may have been suffered by the members of the plaintiff class.
[71] It remains open, at the individual issues phase of the litigation, for any class member who has suffered consequential pecuniary or non-pecuniary harm beyond the simple fact of the breach to prove that loss and have appropriate compensation assessed. Of course, at that stage, the judge must be careful to ensure there is no double compensation.
[72] The only questions left to be addressed are what kinds of purely consequential harms the class members have suffered, and what damages are required to make them whole.