ODG archive
 


   

 

Date: Fri, 13 Oct 2006 15:24:12 +0200

From: Tsachi Keren-Paz

Subject: Liability for data security breaches

 

First - negligence is not a new tort, and although data security breaches are a new problem, liability for breaches of data security simply recognizes duties latent in negligence. (This argument is weakened as one must establish that pure economic losses are recoverable in this situation - suggesting that data security breach liability is new).

According to this logic, the claim in Bhadauria could be recast as a negligence claim. In fact, I argue that it should in a forthcoming book "Torts, Egalitarianism and Distributive Justice". In Ch. 7 I argue that we could and should conceive of discriminatory behaviour as potentially negligent, and examine whether there was breach, and whether there was duty.

I have some doubt, though, whether Canadian courts would follow this path. They might argue that duty should be denied due to the policy of not circumventing the comprehensive legislative scheme that strikes the balance between (alleged) discriminators and victims.

 

Tsachi (Zack) Keren-Paz

Tsachi Keren-Paz
Faculté de droit de l'Université de Montréal
Pavillon Maximilien-Caron, bureau A-7450, 3101 chemin de la Tour
C.P. 6128, succ. Centre-Ville
Montréal Québec Canada
Phone: 514-343-7211 (w) 514-489-2871 (h)

 

----- Original Message -----
Sent: Friday, October 13, 2006 4:12 PM
Subject: ODG: liability for data security breaches

Hello all:

I have been looking at the new group of cases dealing with tort liability for breaches of data security - in which careless handling of customer personal information results in the loss/theft of the information and subsequent ID theft.

I'm looking at the question of whether PIPEDA (the Personal Information Protection and Electronic Documents Act) forecloses negligence liability for breaches of data security.

PIPEDA requires that reasonable measures to protect data security be used by organizations holding personal information.

The act also provides a reasonably comprehensive scheme for the adjudication of complaints by the federal Privacy Commissioner, as well as (eventually) a limited ability for a complainant to appeal to the Federal Court and to seek damages there.

It occurred to me that the Bhadauria, Frame v. Smith line of cases suggests that comprehensive statutory regimes foreclose the development of new common law torts to cover the same matter as the statute.

However, I can think of two possible reasons why this might not be the case here.

First - negligence is not a new tort, and although data security breaches are a new problem, liability for breaches of data security simply recognizes duties latent in negligence. (This argument is weakened as one must establish that pure economic losses are recoverable in this situation - suggesting that data security breach liability is new).

Second - doesn't the constitutional division of powers mean that only provincial statutory regimes can pre-empt the development of tort remedies? I have found cases where courts have held that federal regimes have pre-empted tort liability - but these cases do not mention the constitutional issue. Although courts have recognized that federal statutes can create civil remedies in some cases, it seems to be a different matter for a federal statute to "occupy the field" of tort law - a matter of provincial jurisdiction. On the other hand, federal attempts to create regimes to deal with problems within their jurisdiction might be undermined if the courts could create parallel systems to resolve disputes. What do you think?

 

