Shifting Privacy Paradigms: Mass Data Breaches and Corporate Accountability
March 3, 2025
The recent B.C. Court of Appeal cases Campbell v. Capital One Financial Corporation, 2024 BCCA 253 (“Campbell”) and G.D. v. South Coast British Columbia Transportation Authority, 2024 BCCA 252 (“G.D.”) have significantly reshaped the privacy landscape in British Columbia, particularly regarding the accountability of organizations in safeguarding personal data. Both cases, decided in 2024, highlight the evolving legal interpretations of privacy protection in the context of corporate data breaches.
In Campbell, the Court affirmed that a reckless failure to secure personal information might be considered a “willful violation” under B.C.’s Privacy Act, even in the absence of direct harm caused by the breach. In this case, the B.C. Court of Appeal ruled that a class action lawsuit against Capital One for a data breach could proceed under the Privacy Act. The Court found that the plaintiffs could allege “reckless” data security failures by Capital One, which may constitute a “willful violation” of privacy, even if the breach was caused by a third-party hacker. The Court recognized that the breach of privacy tort created under B.C.’s Privacy Act was broader in application than the tort of “intrusion upon seclusion” recognized in provinces without similar legislation.
Similarly, in G.D., the Court held that class action claims under B.C.’s Privacy Act could proceed, even when a breach occurs due to a third-party hacker’s actions. In this case, the plaintiff, G.D., filed a class action after a data breach exposed sensitive personal information stored by TransLink. The breach occurred when a third-party hacker accessed a system storing personal data, including names, addresses, and identification details. The B.C. Court of Appeal ruled that the plaintiff’s claims under B.C.’s Privacy Act could proceed, acknowledging that organizations could be held liable for failing to take reasonable measures to protect personal data from cyberattacks.
Both decisions signal a shift toward recognizing privacy breaches not just as technical failures but as violations of individuals’ quasi-constitutional privacy rights, especially in the digital age. They suggest that organizations must prioritize cybersecurity and privacy protections to avoid legal consequences. This evolution in case law echoes a broader trend seen globally, such as the European Union’s General Data Protection Regulation (GDPR), which imposes strict penalties for breaches and is seen as a model for robust data protection.
These cases also emphasize that the law in B.C. is beginning to actively respond to the increased risks of cyberattacks, and organizations may soon face heightened legal scrutiny and accountability for failing to protect personal data. Given this shift towards corporate accountability for privacy breaches, even where the perpetrators were external to the organization, organizations must prioritize robust cybersecurity practices to safeguard personal data and mitigate the risks of liability for third-party data breaches.
As an initial step, organizations should adopt comprehensive security strategies that include data encryption, frequent software updates, and multi-factor authentication. Implementing a layered security architecture—such as firewalls, intrusion detection systems, and regular vulnerability testing—can help prevent unauthorized access. Staff training on cyber threats, including phishing and ransomware, is also essential, as human error remains a significant vulnerability. Finally, organizations may want to consider investing in cyber insurance to cover potential liabilities and costs arising from a breach, including legal fees and penalties. With the rise in cyberattacks and increasing pressure from regulators and courts, proactive cybersecurity measures are not just a best practice—they are a legal necessity.
If you have questions or concerns about navigating the evolving legal landscape surrounding data protection, please do not hesitate to contact Roshni Veerapen or any member of our Privacy and Data Protection group.
Important Notice: The information contained in this Article is intended for general information purposes only and does not create a lawyer-client relationship. It is not intended as legal advice from Harper Grey LLP or the individual author(s), nor intended as a substitute for legal advice on any specific subject matter. Detailed legal counsel should be sought prior to undertaking any legal matter. The information contained in this Article is current to the last update and may change. Last Update: March 3, 2025.