A B.C. court has denied ICBC an appeal after it was found liable for an employee who sold the personal data of dozens of clients — information that was later used to target customers in shootings and arson attacks.
Claims adjuster Candy Rheaume had sold private information linking the customers’ license plates to their home addresses. Several of those customers were then targeted in the attacks, Justice Susan Griffin said writing for the three judge panel in a unanimous Aug. 15 decision.
On appeal, ICBC claimed the judge erred in concluding that the information was private.
“I do not accept ICBC’s argument that the personal information was simple contact information for which there is no privacy interest,” Griffin said.
In upholding ICBC's liability in the case, the B.C. Court of Appeal judge said it would preserve incentives for employers to create workplace environments that guard against the misuse of private information. Griffin said the ruling would also deter employers from being lax in their oversight of the private information they collect and store electronically.
Sold personal data leads to string of arson, shootings and vandalism
In 2011, Rheaume accessed the personal information of 78 customers for no apparent business reason, according to the judge.
The ICBC claims adjuster searched customers’ personal information by running license plate numbers provided to her by Aldorino Moretti. Rheaume then sold Moretti each license plate number for $25 or more.
“There was no monitoring of staff access to personal information in the database during the time Ms. Rheaume was carrying out these activities,” Griffin said.
Between April 2011 and January 2012, the information obtained from Rheaume was then used to target the homes and vehicles of 13 customers. Vincent Eric Gia-Hwa Cheung, Thurman Ronley Taffe and others used the leaked information in a series of targeted shootings, arson attacks and vandalism, Griffin said.
In August 2011, police investigating the attacks approached ICBC and informed the agency about Rheaume’s activities.
ICBC fired her the following month. Rheaume later pleaded guilty to fraudulently obtaining a computer service and received a suspended sentence with nine months’ probation.
The others involved were also charged and sentenced for various associated criminal offences.
Victims had a 'reasonable expectation of privacy'
The case began as a proposed class action suit filed by Ufuk Ari with a B.C. Supreme Court judge. The suit claimed the victims suffered a breach of privacy under the Privacy Act. The claim was certified as a class action in 2017.
The judge in the case was tasked to determine whether Rheaume breached the class members’ privacy when she accessed their personal information.
“ICBC argued that the information did not attract a reasonable expectation of privacy,” Griffin said. “The judge rejected that argument.”
Griffin said there was a reasonable expectation that ICBC would only use the information for its legitimate business purpose – insurance and vehicle registration.
