Candy Elaine Rheaume was paid $25 a name for information she gave to an acquaintance involved in drug trafficking.
A BC Supreme Court judge has ruled ICBC liable for some of the damages stemming from an employee leaking driver information to others – a move that led to a series of shootings and arson attacks.
The court said that Candy Elaine Rheaume unlawfully accessed customer information and that without her, the attacks could not have happened.
“I find ICBC to be vicariously liable for Ms. Rheaume’s conduct and any damages awarded,” Judge Nathan Smith said in his Aug. 24 decision. “I feel that using the information for illegal purposes was among the perfectly foreseeable consequences of disclosing the information to someone outside ICBC. It was also foreseeable that identified persons would be the target for illegal purposes.”
As a result of a police investigation in 2011, ICBC discovered that an employee had mistakenly accessed the files of at least 79 of its clients.
Between April 2011 and January 2012, 13 people’s homes and vehicles were attacked with arson and shootings. All of the victims were identified because they parked their vehicles at or near the Justice Institute of British Columbia (JIBC) in New Westminster.
According to the decision, the customers’ personal data was sold to an employee of the United Nations Gang who was responsible for organizing the attacks.
In 2017, Rheaume, a resident of New Westminster, pleaded guilty to unauthorized use of a computer in a provincial court.
She received a nine-month suspended sentence with an order to do 40 hours of community service. But that was not the end of the case, as the victims demanded compensation for the consequences of Rheaume’s actions.
The BC Court of Appeals ruled in May 2019 that a privacy class action lawsuit against ICBC could proceed in the case.
The original lawsuit resulted from Rheaume selling the information of 79 people who had been at or near the JIBC – very often members of the police force. This personal information included names, addresses, driver’s license numbers, vehicle descriptions and identification numbers, license plates and damage histories.
Rheaume passed the information on to an acquaintance involved in the drug trade and was paid $25 per name given.
She pleaded guilty to charges of fraudulently using a computer service to illegally access customer information at work, the court said.
Deputy plaintiff Ufuk Ari alleged that he was told by ICBC in 2012 that on June 17, 2010, an ICBC employee viewed Ari’s personal information “without an apparent business purpose.”
The information was used to attack 13 people whose information had been handed over, the appeals court said.
Attorney Guy Collette represented Ari in the class action lawsuit.
“This is a significant victory for all individuals whose personal information has been unlawfully obtained from ICBC employees and their families,” said Collette. “In addition to compensating all individuals whose files were infringingly accessed and those living with them at the time of the breaches, ICBC will provide additional compensation for property damage, physical and psychological injuries sustained as a result of the data breaches are.”
ICBC admitted that Rheaume, a claims adjuster, used its databases to access some of its clients’ personal information without authorization in a manner that exceeded the purpose of the database access she was granted as part of her job. ICBC admitted it sold information used in the attacks.
The court said ICBC admitted that Rheaume sold some information it received to Aldorino Moretti and that some of that information was used by Vincent Eric Gia-Hwa Cheung, Thurman Ronley Taffe and others to carry out the attacks.
“There was a direct link between Ms. Rheaume’s information and Mr. Cheung’s attacks. He could not have carried out the attacks without them,” Smith said, adding ICBC is vicariously liable for general damages and property damage caused by Rheaume’s actions.
“The attacks were not unforeseen interludes and liability extends to property damage suffered by the lower class members as a result of the attacks,” the judge said.
Smith directed attorneys to schedule case management meetings to assess class-wide harms and appropriate procedures to determine individual issues.
In a statement to Glacier Media, ICBC said it was reviewing the decision to determine next steps.
“We took immediate action when the data breach related to this case was uncovered in 2011, including terminating the data subject’s employment for inappropriate access to customer information,” the statement said. “ICBC takes the protection of customers’ personal information very seriously and our actions on this matter reflect that.”