Privacy Watch Weekly – 2016-09-16

Instead of spending $1.3 million, FBI could have Hacked iPhone in just $100

Do you remember the infamous encryption fight between the FBI and Apple for unlocking an iPhone 5C belongs to a terrorist?

Yes, you got it right, the same Apple vs. FBI case where the FBI paid almost $1.3 Million to a group of hackers to unlock that iPhone.

However, if the agency had shown some patience to explore more ways to get into that iPhone, then it might have cost them nothing less than

Rise of the internet has reduced voter turnout

During the initial phase of the internet, a “crowding-out” of political information occurred, which has affected voter turnout, new research shows.

What Is This Cow Hiding?

A UK cow has captured the world’s heart — even without a visible face.
The bovine’s face is blurred out on Google Streetview, Guardian opinion e…

Read more: Animals, Google, Online Privacy, Cows, Weird News News

When hackers turn out the lights

The development of the smart power grid and the smart meter in our homes to accompany it brings several benefits, such as improved delivery and more efficient billing. Conversely, any digital, connected technology also represents a security risk. Researchers now explain how a malicious third party that hacked into the metering system could manipulate en masse the data being sent back to the smart grid and perhaps trigger a power generation shortfall.

Using ‘Signal’ for Encrypted Chats? You Shouldn’t Skip Its Next Update

Two Researchers have discovered a couple of vulnerabilities in Signal, the popular end-to-end encrypted messaging app recommended by whistleblower Edward Snowden.

One of those vulnerabilities could allow potential attackers to add random data to the attachments of encrypted messages sent by Android users, while another bug could allow hackers to remotely crash vulnerable devices.


Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor

Note — Don’t miss an important update at the bottom of this article, which includes an official statement from Xiaomi.

Do you own an Android Smartphone from Xiaomi, HTC, Samsung, or OnePlus?

If yes, then you must be aware that almost all smartphone manufacturers provide custom ROMs like CyanogenMod, Paranoid Android, MIUI and others with some pre-loaded themes and applications to increase

Introducing Sophos Intercept X – a completely new approach to endpoint security

sophos-intercept-x-icon-150At Sophos, we’re no strangers to next-generation security. You can see it across our entire product line, from our powerful Security Heartbeat technology that leverages Sophos Central to facilitate communication between endpoints and the network, to our advanced behavioral analytics and malicious traffic detection features (and a whole lot more).

Today, with the introduction of Sophos Intercept X, we’re taking a massive leap forward in next-generation protection – not just for Sophos, but across the entire security industry as a whole.

Sophos Intercept X ushers in a new era of endpoint protection for modern threats, featuring signatureless anti-exploit, anti-ransomware, and anti-hacker technology that includes beautiful visual root-cause analysis and advanced malware cleanup – all managed via the Sophos Central Admin console.

No other solution on the market offers so many features in a single package. Use it alongside our Sophos Central Endpoint Advanced protection or as additional protection to augment and double-check the antivirus coverage from your current vendor, all with minimal impact to system performance: no signatures, no scanning, and no meaningful CPU usage until we’ve intercepted and eliminated something malicious.

You’ve undoubtedly seen countless headlines about crippling ransomware attacks that cost people billions of dollars each year. With Sophos Intercept X, we’ve integrated powerful ransomware protection that’s capable of not only automatically stopping ransomware attacks as soon as they’re detected, but rolling back damaged files to known and safe states as well.

While ransomware seems to grab all the headlines these days, our ransomware-killing technology is made possible by the advanced anti-exploit technology that serves as the foundation of Intercept X. It blocks zero-day and patient-zero threats without the need for traditional file scanning or signature updates. In other words: even if we don’t know about it yet, we can still stop it.

In addition, we’ve added automated forensic reporting that traces attacks back to their origins, pinpoints additional infection points, and offers prescriptive guidance for strengthening your organization’s security posture in the future. Sophos Intercept X also includes comprehensive deep-cleaning technology, which hunts spyware down that other traditional AV misses and rips out deeply embedded, lingering malware to make remediation a snap. Again, no other vendor offers this much protection in a single package.

We invite you to take Intercept X for a free 30-day spin alongside our advanced endpoint protection or your current vendor’s. If you’re already a Sophos Central customer, simply contact your partner to get set up; if you’re new to Sophos, sign up for a free 30-day trial account of Sophos Central, which includes Intercept X. Please visit the Sophos Intercept X product page for more details.

We hope you enjoy using Intercept X as much as we’ve enjoyed building it. This is the first in a new line of incredibly powerful next-generation solutions from Sophos. We’re extremely excited with how far we’ve come and with what’s still on the horizon.

Filed under: Corporate, Enduser Tagged: Endpoint security, Intercept, Next-gen, next-generation security, Sophos Central, Sophos Intercept X

FBI Director — You Should Cover Your Webcam With Tape

Should you put a tape or a sticker over the lens of your laptop’s webcam?

Yes, even Facebook CEO Mark Zuckerberg and FBI Director James Comey do that.

Covering your laptop’s webcam might be a hell cheap and good idea to guard against hackers and intruders who might want to watch your private life and environment through your devices.
<!– adsense –>
In fact, Comey recently came out

Massive Data Breach Exposes 6.6 Million Plaintext Passwords from Ad Company

Another Day, Another Data Breach! And this time, it’s worse than any recent data breaches.


Because the data breach has exposed plaintext passwords, usernames, email addresses, and a large trove of other personal information of more than 6.6 Million ClixSense users.

ClixSense, a website that claims to pay users for viewing advertisements and completing online surveys, is the latest

Sophos Mobile Control offers same-day iOS 10 compatibility

ios-10Apple has made iOS 10 available and will push upgrade notifications out to devices over the next few days. Some early adopters even have iOS 10 already installed!

Good news – Sophos Mobile Control is ready with same-day support of iOS 10. Once iOS 10 is loaded onto your users’ devices, it’ll be supported by all components of Sophos Mobile Control.

For a comprehensive list of iOS 10 features, please visit Apple’s iOS product page. Another good source of information about iOS 10 and the newly-announced Apple gadgets is’s live blog from Apple’s recent iPhone 7 keynote.

As long as your users are using the latest versions of Sophos Mobile Control apps, there’s nothing you need to do to fully support iOS 10 across your Sophos Mobile Control estate. We’ve already tested against the various alpha and beta versions of iOS 10 and have modified Sophos Mobile Control to be compatible whenever your users are ready to update their devices.

Filed under: Enduser Tagged: Apple, iOS 10, Mobile, Sophos Mobile Control

The Project Zero Contest — Google will Pay you $200,000 to Hack Android OS

Why waiting for researchers and bug hunters to know vulnerabilities in your products, when you can just throw a contest for that.

Google has launched its own Android hacking contest with the first prize winner receiving $200,000 in cash.

That’s a Hefty Sum!

The contest is a way to find and destroy dangerous Android vulnerabilities before hackers exploit them in the wild.
<!– adsense –>

Microsoft and Adobe Rolls Out Critical Security Updates – Patch Now!

In BriefYou should not miss this month’s Patch Updates, as it brings fixes for critical issues in Adobe Flash Player, iOS, Xcode, the Apple Watch, Windows, Internet Explorer, and the Edge browser.

Adobe has rolled out a critical update to address several issues, most of which are Remote Code Execution flaws, in its widely-used Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS.

Lawful Access (2016): There, I fixed it for you.

In December 2013, I posted “Lawful Access: There, I fixed it for you.“. I didn’t think I’d need to link to it again so soon, but in light of the Government of Canada’s recent Green Paper on national security, lawful access is back in the public policy spotlight. If you’d thought that the Spencer decision had put a bullet into the law enforcement and national security argument that “basic subscriber information” needs no protection and should be available wholesale the state, you’re apparently wrong. The RCMP and the Canadian Association of Chiefs of Police have been working behind the scenes to try to circumvent the SCC’s Spencer decision (See Once again, the RCMP calls for warrantless access to your online info. Once again, the RCMP is wrong.)

In my 2013 post, I’d suggested a fix for the apparent problem of police having difficulty in getting access to “basic subscriber information”. It’s now relevant again and I offer it for your consideration. I’ve made some small tweaks since 2013.

I’m happy to hear any input …

Subscriber information production order

*(1) A justice or judge, including a designated judge under the Canadian Security Intelligence Act, may order a telecommunications service provider to produce subscriber information.

Production to peace officer

(2) The order shall require the subscriber information or information regarding multiple subscribers to be produced within the time, at the place and in the form specified and given

(a) to a peace officer named in the order; or

(b) to a public officer named in the order, who has been appointed or designated to administer or enforce a federal or provincial law and whose duties include the enforcement of this or any other Act of Parliament.

Conditions for issuance of order

(3) Before making an order, the justice or judge must be satisfied, on the basis of an ex parte application containing information on oath in writing, that

(a) there are reasonable grounds to believe that an offense designated under this Section has been, is being or is about to be committed;

(b) there are reasonable grounds to believe that the subscriber information will afford evidence respecting the identity of the person or persons believed to be responsible for the commission of the offence, or the identity of the persons believed to be the victim or the intended victim of such offense;

(c) there are reasonable grounds to believe that the person who is subject to the order has possession or control of the documents or data; and

(d) the issuing of the order will not unduly infringe the relevant subscriber’s rights set out in the Charter of Rights and Freedoms, including freedom of expression, based on the totality of the circumstances.

Terms and conditions

(4) The order may contain any terms and conditions that the justice or judge considers advisable in the circumstances, including terms and conditions to protect a privileged communication between a lawyer and their client or, in the province of Quebec, between a lawyer or a notary and their client.

Power to revoke, renew or vary order

(5) The justice or judge who made the order, or a judge of the same territorial division, may revoke, renew or vary the order on an ex parte application made by the peace officer or public officer named in the order.


(6) Unless the justice or judge who made the order, or a judge of the same territorial division orders otherwise, aAny person whose information is obtained as a result of such order shall be notified of the order and the disclosure of his or her subscriber information within six months of the date of the order. An order to delay the giving of notice under this paragraph may be made by the justice or judge who made the order, or a judge of the same territorial division may be made shall only be applicable for a maximum of six months and shall only be made if such justice or judge is satisfied, based on information on oath in writing, that the giving of such notice will likely compromise an active investigation or prosecution of an offence under this or any other Act of Parliament.

Probative force of copies

(7) Every copy of a document produced under this section, on proof by affidavit that it is a true copy, is admissible in evidence in proceedings under this or any other Act of Parliament and has the same probative force as the original document would have if it had been proved in the ordinary way.

Return of copies

(8) Copies of documents produced under this section need not be returned.

Subscriber information

(9) For the purposes of this section, “subscriber information” means the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address and local service provider identifier that are associated with the subscriber’s service and equipment.

Use and retention of subscriber information

(10) Unless otherwise ordered by the justice or judge who made the order, or a judge of the same territorial division,

(a) subscriber information obtained pursuant to an order under this Section shall only be used for the investigation and prosecution of the offense or offenses referred to in the information used to obtain the order; and

(b) if the person about whom the subscriber information relates has not been charged with an offense referred to in the information to obtain the order, subscriber information shall only be retained until six months following the date on which the relevant person is notified pursuant to paragraph (6) herein.

Designated offences

(11) For the purposes of this Section, a designated offense means

(a) any offence that may be prosecuted as an indictable offence under this or any other Act of Parliament, or

(b) a conspiracy or an attempt to commit, being an accessory after the fact in relation to, or any counselling in relation to, an offence referred to in paragraph (a).

Tele-production Orders

(12) Section 487.1 respecting telewarrants shall apply with respect to subscriber information production orders, mutatis mutandis, in the same manner as such section applies with respect to search warrants.

National effect

(13) A subscriber information production order issued under this Section shall be applicable with respect to the telecommunciations service provider in any territorial division of Canada without requirement of endorsement by a justice or judge in the territorial division where the telecommunications service provider is located.


(14) The telecommunciations service provider named in a subscriber information production order shall be compensated for the production of subscriber information in the manner and in the amount prescribed. Nothing herein shall require a telecommunications service provider to collect or retain any subscriber information beyond that which is ordinarily collected or retained in the course of the telecommunciations service provider’s business.

Report to Parliament

(15) Each calendar year, the Minister shall lay before Parliament a report regarding the use of subscriber information production orders, which report shall include:

(a) the number of subscriber information production orders issued in total for the previous calendar year;

(b) the number of subscriber information production orders issued per designated offense for the previous calendar year;

(c) the number of subscriber information production orders issued per territorial division of Canada for the previous calendar year;

(d) the number of and nature of the charges, prosecutions and convictions respecting each use of subscriber information production orders, including information respecting cases where charges do not result; and

(d) any other information the Minister considers relevant regarding the use of subscriber information production orders.

Application for review of production order

(16) Section 487.0193 shall apply with respect to subscriber information production orders, mutatis mutandis, in the same manner as such section applies to the production orders referred to in that Section.

324,000 Financial Records with CVV Numbers Stolen From A Payment Gateway

Around 324,000 users have likely had their payment records stolen either from payment processor BlueSnap or its customer Regpack; however, neither of the company has admitted a data breach.

BlueSnap is a payment provider which allows websites to take payments from customers by offering merchant facilities, whereas RegPack is a global online enrollment platform that uses BlueSnap to process

Sophos showcases anti-ransomware technologies and more at Cloud Expo Asia 2016

CloudExpoAsiaThe future of cloud security is a hot topic, and we can expect further insights on the subject at Cloud Expo Asia 2016, which happens on 12 and 13 October in Singapore.

Sophos will be there, as the official Cloud Security Expo Keynote Theatre sponsor where our security experts will be giving talks, and at the Sophos booth (P9). Our friendly team will be on hand with tips and advice, so make sure you stop by the booth and say hi!

Throughout the two-day event, you’ll hear from our Sophos experts, including:

Chester Wisniewski, principal research scientist at Sophos, will be explaining why security should be treated as a first-class problem for any connected device in the Internet of Things era, as well as offering practical security tips to safeguard against “geo-malware”.

Australia-based Sophos security expert Sean Richmond will be discussing data security in the public cloud. He’ll also share how Sophos is harnessing the power of the cloud to make security simple.

We’ll also be showing off innovative solutions at the Sophos stand with one-of-a-kind XG Firewall with Sophos Security Heartbeat; our unique, cloud-delivered next-gen sandboxing technology, Sophos Sandstorm; and our upcoming endpoint protection – Sophos Intercept X – our signatureless anti-exploit, anti-ransomware, and anti-hacker technology that includes root-cause analytics and advanced malware cleanup – all managed via the Sophos Central admin console.

Break a hacker’s heart and receive a cool Sophos webcam cover, plus more…

Visit us at booth P9 in the Cloud Security Expo Exhibitor Zone. Talk to our security experts and say the phrase “Break a hacker’s heart” to instantly win a Sophos webcam cover (while supplies last). While you’re there you can also enter our daily drawing for your chance to win an Apple Watch!

Register for your free expo pass today!


Filed under: Cloud, Corporate, Events Tagged: Cloud Expo Asia

Toby Nwazor: Improving Your Online Privacy: The 5 Best VPN Services Compared


Concerns about surveillance and cybercrime have risen in recent years, and more people are looking to VPNs to boost their internet privacy and…

Read more: Vpn, Internet Security, Toby Nwazor, Online Privacy, Technology News

How to Hack Smart Bluetooth Locks and IoT Devices — Check this Out

Bluetooth Low Energy, also known as Bluetooth Smart or Bluetooth 4, is the leading protocol designed for connecting IoT devices, medical equipment, smart homes and like most emerging technologies, security is often an afterthought.

As devices become more and more embedded in our daily lives, vulnerabilities have real impact on our digital and physical security.
<!– adsense –>
Enter the

Here’s How Hackers Can Disrupt ‘911’ Emergency System and Put Your Life at Risk

What would it take for hackers to significantly disrupt the US’ 911 emergency call system?

It only takes 6,000 Smartphones.

Yes, you heard it right!

According to new research published last week, a malicious attacker can leverage a botnet of infected smartphone devices located throughout the country to knock the 911 service offline in an entire state, and possibly the whole United States,

Conduct Law Blog

Pink Larkin

App vs. website: Which best protects your privacy?

Should you use the app — or a web browser — for that? That’s the ques­tion that researchers ask in a new study that explores how free app- and web-based ser­vices on Android and iOS mobile devices com­pare with respect to pro­tecting users’ privacy.

The nuance of “accepting” vs. “reading” a privacy policy

5 simple words: “I accept the privacy policy”.  Normally displayed at the bottom of a website registration form, immediately above or below the submit button, with the underlined words linking off to the privacy policy.  There might even be a tick box next to these words for the user to indicate, affirmatively, that he or she does indeed agree to the privacy policy.  What could possibly be more harmless?

For many businesses, sticking this kind of consent language on a web page is a no-brainer.  It allows them, they think, to demonstrate that the users who chose to register with their website agreed to their privacy policy and all of its contents – and no one’s going to criticise them for getting consents from their registrants, right?   Sure, some privacy professionals say that consents collected this way might not be valid, on the basis that no one ever reads a privacy policy and so users can never meaningfully consent to its contents,  But to many this criticism seems theoretical at best – after all, how many businesses have ever been taken to task by regulatory authorities for using such an approach? 

Consequently, this style of privacy policy “consent” remains pervasive around the web but, looking forward to the GDPR, businesses may be well-advised to think again.  Under the GDPR, the very notion of consent – and its consequences – has been considerably strengthened.  Businesses who rely on consent as the legal basis for their processing under the GDPR may therefore find themselves attracting additional compliance hurdles they weren’t expecting.

To highlight a few examples:

  • Consent must be auditable:  The GDPR says that any business relying on consent must “be able to demonstrate that the data subject has consented to processing of his or her data”.  The most obvious way to demonstrate a user’s consent is to keep a record of their consent, but this may require re-engineering back-end systems to make sure they accurately record this consent.  It’s not just a matter of recording a simple “yes” or “no” either: from a practical perspective, the business will also need to know which version of the privacy policy the user consented to so that the scope of their consent (and hence what the business can and can’t do with the data) can be validated.
  • Deletion requirements are strengthened with consent:  The GDPR says that it must be as easy for individuals to withdraw consent as it is to give it.  Consent, once withdrawn, has the consequence under the GDPR of triggering the right to erasure (aka the “right to be forgotten”) – meaning, essentially, that the business has to erase the user’s data once they withdraw consent.  That in itself may not sound so bad, but there may be many legitimate reasons why a business needs to retain user data even after the user has withdrawn consent – for example, to retain a record of user transactions for accounting purposes.  To be fair, the GDPR does say that the data has to be deleted only “where there is no other legal ground for the processing” – but, if such another ground does in fact exist, doesn’t that suggest the processing was never really consent-based anyway?
  • Consent triggers data portability rules:  If users consent to use of their data, then they are also entitled to a right of “data portability” under the GDPR – meaning that the business must provide them with the ability to extract their data from its service “in a structured, commonly used and machine-readable format”. Further, the business may also have to help the user transfer that data to another third party business.  Again, this may require some engineering effort and, inevitably, some businesses will have concerns about helping their user base to migrate data to competitor platforms.
  • Privacy policy consents are even less likely to be valid than before:  While the above type of privacy policy consent may have questionable validity under the Directive, it comes under even greater challenge under the GDPR.  In addition to requiring that consents must be “unambiguous”, the GDPR also says that “Consent is presumed not to be freely given … if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance” (emphasis added).  This means that online service providers who rely on user consent now face even greater risk that their consents are invalid.  In addition, they face greater consequences given the significantly enhanced enforcement powers that exist under the GDPR.

Of course, in certain cases consent may be entirely appropriate once the context, nature and purpose of the data processing has been taken into account.  The point of this post is not to criticise consent, but rather to encourage businesses not to default to consent without understanding its consequences and considering the alternatives.  After all, the GDPR provides five alternative (non-consent-based) grounds for allowing businesses to lawfully collect and use data, and some of these may carry less of a compliance overhead – for example, businesses that process data on the basis of their “legitimate interests” are not compelled to fulfil data portability requirements. 

For those businesses that choose not to rely on consent under the GDPR, the language linking to their privacy policy will need to change from “I accept the privacy policy” to “I have read the privacy policy” (or similar).  A very simple change – but one that could make a world of difference to an organisation’s responsibilities and risks under the GDPR.  Choose your words – and your data processing strategy – carefully!

New MySQL Zero Days — Hacking Website Databases

Two critical zero-day vulnerabilities have been discovered in the world’s 2nd most popular database management software MySQL that could allow an attacker to take full control over the database.

Polish security researcher Dawid Golunski has discovered two zero-days, CVE-2016-6662 and CVE-2016-6663, that affect all currently supported MySQL versions as well as its forked such as MariaDB and

CHINA: Yet more changes proposed to China cyber and data security laws

China’s cybersecurity and data privacy frameworks are facing yet more significant changes, as in recent weeks the Chinese Government has announced two further initiatives. These are in addition to the significant legal developments that we highlighted in July 2016.

Strengthening the standardisation of national cyber security: The Cyberspace Administration of China (CAC), the General Administration of Quality Supervision, Inspection and Quarantine of China and the Standardization Administration of China collectively issued an official comment, namely the Several Opinions on Strengthening the Standardization of National Cyber Security, on 22 August 2016, which demonstrates an intention towards standardising cybersecurity regulations and practices in China.

This is an interesting move away from the current patchwork of different cyber security (and data privacy) rules in China – with variations in standards applying as between different industries and regulators – towards a more comprehensive national framework. It appears that there is an intention towards mandatory national and industry standards in relation to network security, equipment and communications, but details have not yet been published.

The statement also indicates that there will be more of an alignment with international cybersecurity standards, perhaps demonstrating that China is keen to build influence over the development of international rules and standards for the Internet, and also that it is responsive to foreign concerns that have been expressed in recent months and years regarding China’s national focus on cyber security. Indeed, earlier this year, CAC for the first time opened up its Technical Committee 260, which was originally mainly composed of Chinese officials and domestic technology companies, to selected foreign companies including Microsoft and Cisco. International businesses will no doubt be hoping that harmonisation between national and international cybersecurity standards might afford them greater opportunities in the Chinese market.

Enhancements to data privacy laws applicable to personal data of consumers: The State Administration of Industry and Commerce published for public consultation the Draft Regulations on the Implementation of the Law on the Protection of the Rights and Interests of Consumers (the Draft Regulations). The Draft Regulations propose strengthening the existing regime protecting personal data of consumers under the PRC Consumer Protection Law and associated measures. Proposed amendments in the Draft Regulations include:

  • expanding the definition of personal data to include “identifying biological characteristics”;
  • imposing a requirement for business operators to follow the principle of necessity when collecting and using consumers’ personal information, such that the information collected needs to be related to their business operations;
  • requiring business operators to retain for at least five years supporting documents that can prove that they have fulfilled their obligations to inform and obtain consent from consumers regarding the collection and use of consumers’ personal information; and
  • requiring business operators to notify consumers in a timely manner of, and take remedial measures in case of, any actual or anticipated loss or disclosure of consumers’ personal information.

In light of these and other recent developments, international organisations doing business in China are strongly advised to keep the rapidly evolving Chinese compliance environment under review.

DLA Piper’s Data Protection and Privacy practice delivers topical legal and regulatory updates and analysis from across the globe. To learn more please click here.

Ontario court awards damages for family member’s disclosure of mental health information

The Ontario Small Claims Court, in Halley v McCann, 2016 CanLII 58945 (ON SCSM), has recently awarded a plaintiff $9,000 in damages for breach of privacy. The case arose because the defendant disclosed the fact that the plaintiff had admitted herself to a mental health facility. The defendant is also the half-sister of the plaintiff. It was alleged that the defendant had told three people outside the facility about the plaintiff’s stay there. No other information was disclosed.

10. The plaintiff left the crisis facility after a 6 day stay feeling much better and in control. Unfortunately this did not last. A week after returning home she was sitting on the front porch of Dean’s home when Lisa, Fabion’s former common law spouse, arrived. Upon seeing the plaintiff, Dean recalls that Lisa “blurted out ‘Were you in a crisis house?’ not even saying Hello first”. The plaintiff was visibly upset and shaken by the question and asked how she knew. Lisa said Fabion told her about the stay.

12. In the opinion of the plaintiff’s family doctor, filed as Exhibit 5, the plaintiff has “definitely” become more stressed, anxious and depressed since finding out that others were told of her stay in the crisis facility. It may also be contributing to her increased back pain.

13. Both the plaintiff and her boyfriend Dean report that she has become more fragile, anxious and reclusive than before the incident. Unlike before she rarely goes out, will not go shopping and has blackened the windows of her basement apartment. She will not seek respite care help even from other facilities because she fears treatment would likely come to the attention of the defendant through the network of caregivers.

The Court noted that two invasion of privacy torts exist in Ontario:

19. In sum, there are two recognized invasion of privacy torts in Ontario; neither requires proof of pecuniary loss or harm to an economic interest. Aggravated and punitive damages may be awarded and an award should serve as a deterrent to others.

20. These two common law torts exist in addition to the statutory right or cause of action available to a plaintiff under the privacy legislation. The Personal Health Information Protection Act, 2004 S.O. c. 3, Sch A, s. 65 (PHIPA) contemplates mental anguish damages for breaches of statutory duty up to a maximum of $10,000. In Hopkins v. Kay 2015 ONCA 112 (CanLII) (paras 44-45, 73) the Ontario Court of Appeal considered whether the complaints process available under PHIPA displaces the common law authority of the courts to award damages for breach of the statutory duty and found that the legislation is not intended to be an exhaustive or comprehensive compensatory scheme. The complaints process is more suited to systemic breaches and an individual victim retains the right to bring a civil court action for damages.

The Court made a number of conclusions that are worth noting:

27. I disagree for at least four reasons. First, personal health information includes information about the providing of health care (s. 4(1)(b) PHIPA), not just the details of diagnosis or treatment. The defendant’s disclosure told others that the crisis facility was providing health care to the plaintiff. “Visits” to the facility are expressly listed on the consent form as “confidential and/or personal health information”. I agree with the opinion of the crisis facility director; the staff and facility are under a statutory and contractual duty to keep the provision of care private.

28. Second, the names associated with the facility – Crisis Respite and Homes for Mental Health – provide some information about the mental health status or condition of the individuals who seek treatment there. Therefore the disclosure went beyond just the providing of care but gave some indication of the nature of the condition being treated. This health information was also required to be kept private.

29. Third, the plaintiff considered this a “private matter” – she did not tell anyone in her family and signed consents limiting the access to information to only two people. The defendant saw the file, and Dean’s name on the paperwork. “Visits” to the facility are expressly listed on the consent form as “confidential and/or personal health information”. The defendant knew or should have known that this was a private matter and it was a secret to be kept from other family members. In her evidence and counsel submissions, the defendant acknowledges the private nature of the stay when she submits that she did everything she could to protect the plaintiff’s privacy during her shift. She claims to have sought advice, stopped reading the file, remained out of sight and gave away her other shifts, all out of respect for the plaintiff’s privacy. These actions show that prior to disclosure she knew the stay was a private matter to be held in confidence.

30. Finally, the confidentiality agreement signed by the defendant included a broad undertaking to keep confidential “any information regarding any consumer” – this promise extends beyond just personal health information. It clearly prohibits the health care worker from discussing resident’s information at all. The privacy policy requires a staff member to obtain the consumer’s express consent before giving personal health information or personal information to a “family member who is not a substitute decision maker.” The word “Express” is in bold font. In sum, I find that the information disclosed was personal health information, was a private matter concerning the private life of the plaintiff, and was information that the defendant was required to keep confidential under her confidentiality agreement and the privacy policy. Disclosure fell below the privacy standard established by the legislation and the crisis facility and forms the basis for tort liability.

The Court took judicial notice that mental health issues are particularly stigmatized and concluded that the disclosure of this information is highly offensive to a reasonable person: “I have no trouble finding that a reasonable person would find disclosure of their need for crisis mental health treatment to be highly offensive.”

The Court also found malice:

39. I have already found that the disclosures were made intentionally and not for advice, support or concern. The defendant denies that they were done with malice but on the facts I am prepared to infer that the disclosures were done with malice, particularly that to the brother. They were intended to diminish the plaintiff in the eyes of her family and cause her embarrassment. I emphasize the brother because I suspect the defendant’s daughter and husband had already had their opinion of the plaintiff shaped by the defendant. However, the brother appeared to be trying to walk a middle ground between the two feuding sisters. The defendant seemed engaged in some kind of competition for her brother’s attention as evidenced when she races to be the first to invite him to Christmas dinner, calling the plaintiff “crazy” as she did so. This subsequent conduct along with her failure to apologize, confirms malice.

On the topic of damages, the Defendant argued that it was a case for nominal damages of around $300. The Court strongly disagreed:

42. I disagree. Actual emotional harm was suffered by the plaintiff. The doctor’s opinion confirms the worsening of her mental health condition following the public disclosure. In submissions during closing, the defendant asks me to disregard the general practitioner’s opinion but did not summons or cross examine the doctor’s opinion nor supply contrary medical expert evidence. Therefore, I accept the opinion of the plaintiff’s doctor as to the plaintiff’s worsened anxiety and depression. It is the only medical expert evidence submitted at trial and was not contradicted.

43. As to the claim that the plaintiff’s reaction is extreme and unusual, again I disagree. It is completely reasonable and foreseeable that the mental health of a patient already suffering from anxiety will deteriorate when someone releases mental health information about them. Unlike Mustapha the withdrawal of the plaintiff is not an extreme, unpredictable or unusual reaction – it is completely reasonable and foreseeable. This is an obvious situation of “take your victim as you find them” – mental fragility was not an unknown or hidden condition which the defendant could not have foreseen. The defendant knew the mental health status of the plaintiff before she committed the wrongful act and therefore she must take her victim as she found her and (I would add) as she knew her to be.

44. Finally, the defendant argues that the failure to subsequently seek treatment at other facilities is a failure to mitigate which goes to reduce her damage award. The failure to seek in-patient treatment is completely predictable in the circumstances and is a by-product of the defendant’s humiliation and embarrassment of the plaintiff. The defendant’s actions have made it more difficult for the plaintiff to seek treatment as she no longer trusts institutional care. She is still privately seeing her family doctor for out-patient care as the doctor’s opinion verifies. Failure to seek in-patient treatment is a symptom evidencing the worsening of the plaintiff’s condition. Prior to the disclosure the plaintiff was willing to seek in-patient treatment, after she was not. In sum the severity of her anxiety and depression is worsened, she rarely leaves her darkened apartment and her quality of life is severely reduced.

45. This is not a case for nominal damages. It properly falls within the range set for non-pecuniary damages in Jones. The summary of past damage awards contained in Appendix A & B of Jones offers a context for setting damages in this case. The documented psychological harm suffered takes the damages well beyond nominal amounts for embarrassment and humiliation while the limited number of people told and the temporary manner of communication (telephone rather than internet) go to contain the award. I award $7,500 for general damages.

The Court then awarded an additional $1500 in punitive damages.


Comments are closed