ICBC remains responsible for an employee whose data theft resulted in customers being targeted with shootings and arson attacks.
BC Justice Susan Griffin ruled this month in the BC Court of Appeal that the provincial auto insurance corporation is responsible for a claims adjustor who breached the privacy of 78 customers in 2011, selling licence plate search results to a third party.
The employee had unmonitored access to a database of customer information, which she used to sell search results for as low as $25 per search.
The homes and vehicles of 13 affected customers were targeted in arson, shootings, and vandalism. All the affected vehicles had at some point been parked at the Justice Institute of BC.
In the ruling Griffin points out one of the attackers, Vincent Eric Gia-Hwa Cheung, was found to have been engaging in substance use, held a delusion that he was being targeted and controlled by the Justice Institute, and had paid to obtain information about the vehicles in the parking lot that he believed were owned by police officers.
In 2010 ICBC did an internal pilot project to see if proactive data monitoring was needed, and found several employees were accessing private information inappropriately. However, the ruling points out security recommendations from the pilot project were not implemented until 2012, after the series of attacks in 2011.
Griffin rejected ICBC’s claims the stolen information was not private, and also rejected claims it was not responsible for its employee’s actions. Griffin says in her judgment ICBC created the risk and provided the opportunity for the breach. Griffin upheld a previous ruling which says “ICBC had in place rules and policies forbidding improper use of its databases, but the possibility of an individual employee choosing to ignore them was clearly foreseeable and there is no evidence of any system or method that would have prevented or detected that conduct at the time it happened.”
The latest ruling means affected customers can launch a class action against ICBC.
