Breach of Confidentiality Explained

Breach of confidentiality examples

Understanding how breach of confidentiality arises in practice helps businesses recognize when they are at risk and when a claim may be available. The following are common scenarios that give rise to confidentiality claims in Ontario.

Departing employee takes confidential information

A sales manager resigns and, before leaving, downloads the company's full client database to a personal device. They then join a competitor and use that list to solicit clients. This is among the most common and most damaging forms of confidentiality breach. The employee may have signed an NDA or confidentiality clause, but even without one, the implied duty of confidentiality in the employment relationship and the tort of breach of confidence provide protection. Remedies can include an injunction preventing use of the list, damages for lost business, and disgorgement of any profits derived from the misuse.

Contractor discloses proprietary information

A business engages a software developer under a contract that includes a confidentiality clause. The developer uses the company's proprietary system architecture as a template for work they do for a competitor. This is a breach of the contractual confidentiality obligation and potentially the tort of breach of confidence. The fact that no physical documents changed hands does not prevent a claim: using confidential information mentally retained from an engagement is still a breach.

Business partner leaks commercial information

Two companies enter a joint venture and share financial projections, client information, and pricing strategy. The venture falls apart. One company then discloses the other's financial information to a mutual competitor. Even if no formal confidentiality agreement was signed for the joint venture discussions, the circumstances of the relationship created an implied obligation of confidence. This is the scenario addressed in Lac Minerals: commercial negotiations impose confidentiality obligations even between arm's-length parties.

Professional discloses client information

A lawyer, accountant, financial advisor, or other professional discloses client information to a third party without the client's consent. Professional confidentiality obligations are among the strongest in law. A breach exposes the professional to a civil claim, regulatory discipline, and potential loss of their licence to practise. For businesses that engage professionals, a breach of professional confidentiality can cause serious commercial harm beyond the professional's own exposure.

Accidental breach of confidentiality

An employee emails a confidential client report to the wrong address, accidentally copying an external party. A staff member discusses a sensitive HR matter within earshot of other employees. A laptop containing confidential data is left unattended in a public place. These are accidental breaches of confidentiality: they were not intentional, but they are still breaches. The question of liability in accidental cases depends on whether the organization had adequate safeguards in place and whether the accidental disclosure caused recoverable harm. See the dedicated section on accidental breaches below.

Former employee sets up a competing business

A partner or senior employee leaves the organization and establishes a competing business using confidential client relationships, pricing knowledge, and proprietary processes they acquired during their employment. This scenario typically involves both a confidentiality breach and a breach of fiduciary duty, and may also trigger non-solicitation and non-compete clause enforcement. For more on this scenario, see our article on what to do when your partner starts a competing business.

Breach of confidentiality at work

The workplace is the most common context for confidentiality breaches, and it is also where the legal framework is most complex. Multiple overlapping obligations can apply simultaneously: express contractual duties under an NDA or employment contract, implied contractual duties arising from the employment relationship itself, fiduciary duties for senior employees and officers, and the tort of breach of confidence.

Express confidentiality obligations in employment

Many employment contracts include express confidentiality clauses prohibiting employees from disclosing or using the employer's confidential information during or after employment. NDAs are also commonly used when employees have access to particularly sensitive information. Where an express clause exists, breach of it is a breach of contract, giving the employer a claim for damages and potentially injunctive relief.

The enforceability of post-employment confidentiality clauses depends on their scope and drafting. Overly broad clauses that attempt to prevent an employee from using general skills and knowledge acquired during employment may be unenforceable. Courts distinguish between genuinely confidential information specific to the employer and general professional knowledge that belongs to the employee. Getting this distinction right in drafting is critical.

Implied confidentiality in employment

Even without an express confidentiality clause, an implied duty of confidentiality exists in every employment relationship. Employees are not permitted to disclose or misuse their employer's confidential information, even if they never signed an NDA. The implied duty covers information that a reasonable employee would recognize as confidential in the circumstances, including client information, financial data, business strategy, and trade secrets.

The implied duty continues after employment ends, but its scope narrows. Post-employment, it covers only genuinely confidential information specific to the employer, not the employee's general skills, experience, and professional knowledge.

Fiduciary duties and senior employees

Senior employees, officers, directors, and others in positions of trust owe fiduciary duties that go beyond ordinary confidentiality obligations. A fiduciary must act in the best interests of the employer and cannot use confidential information for personal benefit. The fiduciary duty continues after the relationship ends in relation to information acquired during the fiduciary relationship. For businesses, a senior employee who takes confidential information on departure may face both a confidentiality claim and a breach of fiduciary duty claim.

What employers should do when a breach is discovered at work

When an employer discovers or suspects a breach of confidentiality, the steps taken in the first hours and days are critical. Acting too slowly allows further damage to accumulate. Acting without legal advice can create additional legal exposure or compromise subsequent enforcement steps.

• Preserve all evidence immediately: emails, access logs, device records, and any communications that evidence the breach
• Do not confront the employee without first obtaining legal advice on how to conduct the conversation
• Secure systems and revoke access to confidential information immediately
• Assess whether an injunction is needed to prevent further disclosure or use
• Consider whether the breach triggers any reporting obligations
• Consult a litigation lawyer before taking any disciplinary or legal action

Accidental breach of confidentiality

Not every confidentiality breach is intentional. Accidental breaches are common in busy workplaces and can be just as damaging as deliberate ones. Understanding when an accidental breach gives rise to legal liability is important for both businesses assessing their exposure and individuals who have made an error.

Does intent matter?

For the purpose of legal liability, intent is generally not required. A breach of a confidentiality agreement is a breach regardless of whether it was deliberate. The tort of breach of confidence similarly does not require the defendant to have acted maliciously: unauthorized disclosure causing detriment is sufficient. What intent does affect is the nature and quantum of remedies: deliberate or fraudulent breaches are more likely to attract punitive damages and stronger injunctive relief than accidental ones.

Common causes of accidental breaches

• Misdirected emails: sending confidential information to the wrong recipient, a common and underestimated risk
• Unsecured devices: leaving a laptop, phone, or USB drive containing confidential data in an insecure location
• Verbal disclosure: discussing confidential matters within earshot of unauthorized persons, in a coffee shop, on a phone call in a public space, or in an open-plan office
• Inadequate data security: failing to use appropriate encryption, password protection, or access controls
• Sending the wrong attachment: attaching a confidential document to an email intended to have a different attachment
• Social engineering: being deceived into disclosing confidential information by a third party impersonating an authorized recipient

How to respond to an accidental breach

When an accidental breach is discovered, the response matters as much as the breach itself. A prompt, organized response can limit legal exposure and demonstrate good faith. The first step is to assess what information was disclosed, to whom, and in what circumstances. If the disclosure was to an external party, legal advice should be obtained immediately on whether to contact them and what to request. In some cases, a prompt request to delete or return the information, combined with appropriate follow-up, can limit the practical consequences significantly.

For regulated businesses, accidental breaches of personal information may also trigger obligations under Ontario's Personal Health Information Protection Act or federal privacy legislation depending on the nature of the information disclosed.

What happens if you break a confidentiality agreement?

Breaking a confidentiality agreement is a breach of contract. The consequences depend on the terms of the agreement, the nature of the information disclosed, and the harm caused.

Legal consequences can include:

• Damages: Compensation for financial losses caused by the breach, including lost business, lost competitive advantage, and costs of remediation
• Injunction: A court order stopping further disclosure or use of the confidential information, which can be obtained urgently where ongoing harm is occurring
• Account of profits: An order requiring the person in breach to hand over any financial benefit they derived from the unauthorized disclosure or use
• Delivery up or destruction: An order to return or permanently destroy all copies of the confidential information in the person's possession
• Punitive damages: In cases of deliberate, calculated, or fraudulent breach, courts may award additional damages to denounce the conduct
• Legal costs: Ontario courts regularly award a portion of the successful party's legal costs against the losing party in confidentiality disputes

Beyond the legal consequences, breaking a confidentiality agreement typically has professional and reputational consequences. In regulated professions, it may trigger disciplinary proceedings. In commercial relationships, it typically ends the relationship and can damage broader reputation in the industry.

Consequences of breaching confidentiality

The consequences of a confidentiality breach extend beyond the immediate legal remedies. For businesses whose information has been misused, the harm can compound quickly: clients lost to a competitor using stolen information, a product advantage eliminated by disclosed trade secrets, or a business relationship destroyed by leaked commercial terms.

For the person or organization responsible for the breach, the consequences can include:

• Civil liability for damages, potentially running into significant sums where the confidential information had high commercial value
• Injunctive orders that prevent them from using information they may have built a business or career around
• Professional discipline and potential loss of licence in regulated fields
• Termination of employment or commercial relationships
• Reputational damage that outlasts any court proceedings
• In cases involving fraud or deliberate theft of trade secrets, potential criminal liability

For businesses that have suffered a breach, the consequences depend heavily on how quickly and effectively they respond. Businesses that identify a breach early, preserve evidence, and obtain legal advice promptly are significantly better positioned to limit their losses and obtain effective remedies than those that wait.

How to deal with a breach of confidentiality

Whether you are a business that has suffered a confidentiality breach or an organization trying to manage an accidental disclosure, the steps you take immediately after discovering the breach determine the range of options available to you.

Step 1: Preserve evidence immediately

Do not delete, alter, or reorganize any documents, emails, or system records related to the breach. Evidence of when the breach occurred, what information was disclosed, and to whom is critical to any subsequent legal action. Instructing IT to preserve relevant system logs and access records at the earliest opportunity is essential.

Step 2: Assess the scope of the breach

Identify what information was disclosed, to whom, in what form, and whether it may have been further distributed. The scope of the breach determines the urgency of the legal response and the remedies that are realistically available.

Step 3: Obtain legal advice before taking action

The steps taken in the first hours after discovering a breach can significantly affect the legal position. Confronting a suspected employee without legal advice, making public statements about the breach, or contacting the recipient of confidential information without a lawyer's involvement can all create unintended legal complications. Get advice first.

Step 4: Consider urgent injunctive relief

Where confidential information is actively being used or is about to be disclosed to further parties, an injunction can stop the harm immediately. Courts can grant interim injunctions on short notice where there is a serious risk of imminent and irreparable harm. Injunctive relief is most effective when sought early: once information has been widely disseminated, an injunction may be less practically valuable.

Step 5: Pursue damages and account of profits

Once the immediate breach has been addressed, the focus shifts to recovery. This involves quantifying the losses caused by the breach, gathering evidence of any benefit the defendant derived from the misuse, and pursuing the appropriate monetary remedies through negotiation or litigation.

Breach of confidentiality in British Columbia

BC businesses and employers face the same confidentiality risks as those in Ontario, and the same legal framework broadly applies. The tort of breach of confidence, established in Canadian common law, applies in BC courts. Express confidentiality agreements are enforced as contracts under BC law. The implied duty of confidentiality in employment relationships is recognized in BC as it is in Ontario.

BC's Privacy Act (RSBC 1996, c. 373) provides an additional cause of action for the violation of privacy, which can overlap with confidentiality claims in some contexts. BC's Limitation Act sets a two-year basic limitation period for civil claims, the same as Ontario's Limitations Act, 2002.

For BC employers dealing with a confidentiality breach, the same urgency applies and the same practical steps are recommended. If you are in BC and have suffered a breach of confidentiality, seek legal advice from a lawyer familiar with BC Supreme Court procedure and BC employment and commercial law.

---