ICBC ordered to pay damages for privacy breach
A B.C. Supreme Court judge has awarded damages to Insurance Corporation of British Columbia (ICBC) customers whose personal data was leaked in a privacy breach linked to a series of attacks in the Lower Mainland.
On Monday, Justice Nathan Smith awarded at least $15,000 in damages for each person at risk from the data breach. In his judgment, Smith said it's important to hold organizations accountable at a time when they collect "vast amounts of personal information."
"The court must stress the need for protection of that information and make clear there will be consequences for any failure to do so," he said.
Privacy breach linked to targeted attacks
Former ICBC adjuster Candy Elaine Rheaume, searched the licence plate numbers of 79 people more than a decade ago, "without apparent business purpose," in the insurer's database, according to the judgment.
The privacy breach was linked to a series of attacks in the Lower Mainland., including a 2012 arson at a West Vancouver home. (Combined Forces Special Enforcement Unit B.C.)
The search revealed customers' personal information, like their name and home address. According to the judgment, Rheaume sold that information for $25 per licence plate number. ICBC admitted in court that 45 customers' information had been stolen.
Between April 2011 and January 2012, houses and vehicles belonging to 13 of the 79 customers who had their data stolen were targeted in arson and shooting attacks.
Vincent Cheung, 43, pleaded guilty in 2016 to multiple counts stemming from the attacks.
An agreed statement of facts in that case said the man targeted more than a dozen families throughout the Lower Mainland after tracking down their homes with information obtained from their licence plates.
All the victims had a member of their family park at the British Columbia Justice Institute, which offers training for people working in public safety including police officers and firefighters.
Nobody was injured or killed.
In an email to CBC News, ICBC spokesperson Greg Harper said the insurer fired Rheaume in 2011. She pleaded guilty to unauthorized use of a computer six years later.
"We take the protection of customers' personal information very seriously," said Harper, who added that ICBC is reviewing the court decision and will not comment further while the matter is still in the court process.
The cost of privacy
The customers launched a class action in June 2012 against Rheaume and ICBC over the breach of privacy.
Twelve years later, Smith awarded the ICBC customers damages, less 35 per cent legal fees and disbursement. The customer who represented the class action will be granted an additional $10,000.
The total amount of damages has yet to be determined.
"We're really happy with the result," said Richard Parsons, co-counsel for the customers. "It vindicates the claim we made all along, that the breach of these individuals' privacy is very significant, and they need to be compensated for it."
Parsons said everyone who lived at a residence at the time of the breach may also claim damages for related medical expenses, loss of the ability to work, pain and suffering. He estimates about 200 people will be eligible to claim damages.
Smith said he awarded "modest" or "nominal" damages to hold organizations that collect British Columbians' data accountable.
"The people who provide that information often have no meaningful choice about whether to do so," Smith said.
"All of that electronically stored information may be easily accessible to many people within an organization and is vulnerable to improper access and misuse."
