a close up of a rock

 Privacy & Security Breaches

Regardless of your organization’s size or industry, a security breach is a highly-disruptive event. Risks to data protection can never be totally eliminated—all organizations have potential vulnerabilities. That’s why it is key to have a trusted, knowledgeable legal team who can identify emerging threats, offer proactive, preventative strategies before a breach occurs and assist you when responding to a breach.

In the event of a security breach, our skilled team has the expertise and experience to respond immediately and effectively. We advise on a range of crisis-management strategies, including:

  • investigations and fact-finding
  • assembling the best experts
  • designing a multi-faceted response to address technical, legal/regulatory and reputational issues

We can obtain emergency remedies, such as Anton Piller (civil search and seizure) orders and Norwich Pharmacal (disclosure) orders to identify wrongdoers and preserve relevant evidence.

We serve a range of clients and sectors, including financial services, retail, entertainment, health care, non-profit and municipalities.


  • Evans v. The Bank of Nova Scotia - BLG is defending one of the first class actions brought under the “intrusion upon seclusion” breach of privacy tort.  The case is likely to be precedent-setting, in what is considered by many observers to be the fastest-growing area for class actions. BLG represents a “Big Five” Bank being sued for the criminal actions of a rogue employee alleged to have breached the privacy of customers of the Bank.  The matter will be proceeding to a common issues trial, which will decide novel legal issues, including whether an employer can be vicariously liable for its employees’ breach of privacy.
  • Hopkins v. Kay - BLG represents the defendant hospital in a proposed class action relating to alleged privacy breaches committed by hospital employees.  In this case, the hospital is challenging application of the “tort of intrusion upon seclusion” to health care privacy, which is comprehensively governed in Ontario by the Personal Health Information Protection Act.  This case considers the rules and scope of the cause of action by which health care institutions can be sued for breaches of privacy by their employees.
  • Broutzas/Taylor v. Rouge Valley Health System and John Doe RESP Corporation - BLG represents the hospital in two proposed class actions alleging that hospital employees improperly accessed new-mother contact details and sold that information to persons selling RESPs, who then contacted the patients at home.  The litigation raises questions about vicarious liability for criminal breaches of privacy as well as the interplay between PHIPA and common law breach of privacy claims.
  • Represented a financial services regulator named as a defendant in a class action regarding the loss of personal information. BLG was successful in obtaining the dismissal of the certification on the basis that the representative plaintiff suffered no compensable harm since his personal information was not used fraudulently.
  • Represented a leading Internet search engine named as a defendant in a potential class action (now at the pre-certification stage) on behalf of persons whose electronic data was allegedly transmitted over unsecured wireless internet connection and whose personal information was allegedly intercepted.
  • Represented a major automobile financing company named as a defendant in a class action regarding the loss of personal information that was stored on a data tape which was lost during transit. The class action was certified on the basis that the representative plaintiff alleged that his personal information was used fraudulently.
  • Helped manage security breaches for various clients (including corporations operating in the financial services and retail trade industries) involving different Canadian jurisdictions. This included investigating the violations, acting as the contact-person with the different interested parties and stakeholders, the individuals concerned, the media and the different privacy commissioners (including the Privacy Commissioner of Canada, the Alberta and British Columbia Privacy Commissioners and the Commission d'Accès à l'Information du Québec), and assisting in drafting relevant letters of notification and generally contributing to the response strategy.
  • Prepared the defence strategy for one of Canada's largest telecommunications and media companies (listed on the TSX) following a complaint at the Commission d’accès à l’information du Québec, alleging breaches of privacy connected with their business practices.
  • Represented clients, including an American multinational corporation traded on the New York Stock Exchange (NYSE), a leader in international family entertainment and interactive media, a multinational technology company and two financial institutions, in investigations carried out by privacy commissioners.

Key Contacts

Stay Up to Date

Subscribe to receive our insights and perspectives on the latest legal developments that will affect you.