The Need to Know Versus the Right to Intrude: A Caution on Fraud Investigation

by Bennett Jones LLP
Contact

Inevitably, properly conducted fraud investigations involve reviewing and digesting the information of the alleged fraudster. Bank records, e-mail accounts, correspondence – all of it must be obtained and examined to prove the fraud, trace the misappropriated funds and obtain recovery. While such intrusions on otherwise private information are a feature of any civil litigation, the tight timelines, zeal and covert manner in which fraud investigations are conducted create particular tension between the apparent need of the defrauded, investigating victim to know what happened and the privacy interests of the innocent-until-proven-guilty suspect. Recent jurisprudence has brought this tension squarely into the open.

Earlier this year, the Ontario Court of Appeal made Canada's first definitive statement on the newly evolving common law right of action for breach of privacy. In Jones v. Tsige, the Ontario Court of Appeal recognized, for the first time in Canada, the tort of intrusion on seclusion, already established in most American jurisdictions. While the subject of much commentary in the employment context, the case has significant implications in fraud recovery litigation as well.

The Case

Jones involves a dispute between two bank employees, Sandra Jones and Winnie Tsige. Tsige became involved in a romantic relationship with Jones' ex-husband and, contrary to the bank's policy, repeatedly accessed Jones' personal account information over the course of four years. Jones became suspicious that Tsige was accessing her account and complained to their employer. When confronted by the bank, Tsige admitted that she had looked at Jones' banking information numerous times, apologized for her actions, and accepted the bank's internal disciplinary measures.

Still, Jones commenced a civil action seeking damages for invasion of privacy. On a motion for summary judgment and cross-motion for summary dismissal, the motions judge dismissed Jones' action on the ground that the issue was novel and there was no common law right of action for invasion of privacy.

On appeal, the Ontario Court of Appeal held that the time had come to recognize invasion of privacy as a tort in its own right. According to the Court, there are four elements to this new tort:

  1. An unauthorized intrusion;
  2. The intrusion was the sort that is highly offensive to the reasonable person;
  3. The matter intruded upon was private; and
  4. The intrusion caused anguish and suffering.

While the Court of Appeal was willing to forge a new common law cause of action in breach of privacy, it acted conservatively in establishing an upper cap for non-pecuniary damages at $20,000 (in Jones awarding $10,000).

The Impact

While the low general damages figures may lead some to dismiss the case as unimportant relative to the large damages at issue in most fraud recovery litigation, this new tort ought to be carefully considered in conducting both internal and external fraud investigations for several reasons.

First, while the maximum general damages are (for now) modest, the financial penalties for breaching this tort are not limited to just those damages. In Jones the Court left open the possibility of claiming larger provable pecuniary loss, punitive damages and aggravated damages and greater general damages where warranted. It reasoned that damages may exceed the cap in appropriate circumstances having consideration to: the nature of the intrusion; the effect of the intrusion on the plaintiff's health, welfare, social, business or financial position; any relationship between the parties; any distress, annoyance or embarrassment suffering by the plaintiff; and the conduct of the parties including any apology or offer of amends made by the defendant. Clearly, the more intentional and egregious the intrusion, the greater the resulting damages. As such, the incautious or overly aggressive investigator may find itself facing a substantial counterclaim, possibly even one that exceeds the original fraud claim depending on the circumstances.

Apart from monetary risk, there are potential evidentiary and remedial ones as well. As a new tort, one that presumably arises from the Court's equitable roots, Courts will undoubtedly be faced with arguments that evidence obtained in breach of this tort ought to be excluded in ongoing litigation. While there is yet no recorded case of a court doing so, it is possible to conceive of a Court excluding evidence obtained in breach of a person's right to privacy, particularly if the breach was intentional. Indeed, even prior to the explicit recognition of this tort, the Ontario Courts were arguably already moving in the direction of excluding evidence obtained in breach of a defendant's privacy interests.1

A breach of privacy will also impact a party's ability to seek equitable remedies. A party seeking equitable relief, such as a disclosure order or Mareva injunction must come to the Court with clean hands. If the party has intentionally intruded on a person's right to privacy, it is quite possible that the Court will refuse to grant the equitable relief sought. Such a result may even apply to unintentional but nonetheless ham-fisted investigations that disregard the right to privacy the tort protects.

In short, an improperly performed investigation can result in a defrauded plaintiff being left without evidence, without a remedy and potentially facing a significant counterclaim.

Avoiding the Pitfalls

To avoid such a result, careful consideration of the scope and nature of the new tort is essential so that fraud investigations can be conducted appropriately and in the proper framework environment.

In terms of scope, an investigating party should understand that the tort includes not only physical intrusions but also listening or looking, with or without mechanical aids, into a person's private affairs, opening private or personal correspondence, intercepting communications, or examining a private bank account. The new tort specifically recognizes a person's right to informational privacy (as distinct from personal and territorial privacy) including sensitive health information, sexual orientation, employment information, diary or private correspondence, information indicating where a person lives, what he purchased where he travelled, or any communications by cell phone, e-mail or text message. As a result, the cases and commentary on internal employee fraud investigations in the wake of the new tort of inclusion on seclusion warn that employers may be limited in accessing employee personal information stored on company computers and hardware, even if that information is critical to an investigation into the employee's wrongdoing.2

As such, part of creating a good framework environment necessarily involves delineating the private from the public in the workplace. Organizations should implement clear Internet, e-mail and information services policies establishing that employees have no expectation of privacy when using company computers, blackberries, tablets or other electronics or e-mail and, further, that any personal information stored on company property is subject to routine inspection and deletion without notice. The more the investigating entity can say "this is not private and was known to be not private" the less risk this tort poses.

In terms of conducting the investigation after the fraud has been discovered, obviously precision is to be preferred over brute force. American courts have already given warnings to over-eager plaintiffs who review or even just make copies (without reviewing) of more than they ought to when conducting investigations.3 Investigating parties must carefully consider appropriate limitations of the search before it starts and then further closely monitor the execution of the investigation as it progresses. Parties must remain mindful that there is no requirement that the improperly obtained information be used, published or even viewed. It may be enough that private information was gathered without justification and in breach of a right of seclusion.

Finally, such warnings apply both to internal investigations, but also investigations conducted with external assistance (from accountants, private investigators, legal counsel, etc). The investigating party will of course be held liable for the acts of its agent in breaching another's privacy. As such, and as always, be careful how you proceed.

Notes
  1. Autosurvey v. Prevost (2004), 44 CPR (4th) 274. Note, in that case there were breaches of privilege as well, but the Court's language references both breaches of privilege and privacy as justifying its decision to exclude evidence.
  2. See specifically R. v. Cole, 2011 ONCA 218
  3. See Dalley v. Dykema Gossett, Docket No. 289046, February 11, 2010 (Mich. Ct. of Appeal)

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bennett Jones LLP | Attorney Advertising

Written by:

Bennett Jones LLP
Contact
more
less

Bennett Jones LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.