The Ontario Superior Court of Justice recently approved a settlement agreement in the Lowanski v The Home Depot class action,1 a decision that highlights adequate protection and a sufficient response can significantly reduce the legal risks after a data breach. This class action was filed following a data breach that gave access to personal information such as names, credit card numbers, expiration dates and verification value codes from Home Depot's card payment system for six months during 2014.

Although the parties had agreed to settle the class action for more than $1 million, the Honourable Justice Perell reduced the amount to $400,000. Similarly, the agreed-upon counsel fee was reduced from $406,000 to $120,000. He also did not approve any honoraria.

Amounts granted by Canadian courts to members of class actions related to data breaches are usually modest, but this judgment is quite surprising since it is unheard of for a court to reduce a settlement amount in a class action approval hearing.

The judge's decision centred on the lack of significant damage suffered by the plaintiffs and Home Depot's responsible and prompt response to the data breach.  

Lack of significant damage

Plaintiffs raised three heads of damage from the payment card system breach: (1) The risk of a fraudulent charge on one's credit card; (2) the risk of identity theft; and (3) the inconvenience of checking one's credit card statements.

Justice Perell considered that the proof of any consequent damage was in the range of negligible to remote. On the first and second heads of damages, there was no evidence that any class member had suffered a fraudulent charge or that the data breach increased the risk of identity theft since the stolen data was inadequate to fake another's identity.

With regard to the last ground of damages, the Ontario Court of Appeal recognized in 2012 that economic loss is not necessary to ground an action in the tort of intrusion on seclusion. Any non-economic damage suffered as a result of a privacy breach may be compensated by granting "symbolic" damages.2

However, the mere fact that a person is worried about the security of his or her personal information following a data breach does not qualify as a compensable loss. Nor were plaintiffs inconvenienced because they had to check their credit card statements for fraudulent purchases following the Home Depot data breach. According to Justice Perell, any credit card holder already bears such responsibility.

The Quebec Superior Court applied the same reasoning in the 2012 cases Sofio c. Organisme canadien de réglementation du commerce des valeurs mobilières3 and Mazzona v DaimlerChrysler Financial Services Canada Inc.4 The courts stated that monitoring account statements for fraudulent activity is an ordinary inconvenience that constitutes part of the cardholder's daily activities and does not warrant compensation. They both relied on Supreme Court case Mustapha c. Culligan du Canada Ltée5 that stated compensable injury must be serious and prolonged and rise above the ordinary annoyances, anxieties and fears that people living in society routinely accept.  

Home Depot's response

Another decisive factor in the Ontario Superior Court's decision was Home Depot's response following the data breach. The court considered Home Depot's response to be "responsible, prompt, generous and exemplary." They issued a timely press release, sent informative emails to customers and offered free credit monitoring and identity theft insurance. Justice Perell even expressed, notably in view of Home Depot's actions, that he would have approved a discontinuance of the class action on the merits.

Regarding the fee approval, Justice Perell underlined it has to be viewed through the lens of access to justice, behaviour modification and judicial economy. Yet, there was no reason to think that Home Depot needed or deserved behaviour modification. After the data breach was discovered, there was no cover-up on Home Depot's part and it responded as a "good corporate citizen" toward the breach.  

Our take

The Ontario Home Depot class action highlights that adequate prevention, detection and response significantly mitigate the legal risks associated with privacy breaches. Preventive and compensatory measures are recognized by the courts as means of mitigating or eliminating potential damages.

The author wishes to thank articling student Camille Nadeau for her help in preparing this legal update.

Footnotes

1 2016 ONSC 5447.

2 See notably Jones v. Tsige, 2012 ONCA 32.

3 2014 QCCS 4061.

4 2012 QCCS 958.

5 2008 CSC 27.

About Norton Rose Fulbright Canada LLP

Norton Rose Fulbright is a global law firm. We provide the world's preeminent corporations and financial institutions with a full business law service. We have 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.

Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare.

Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact.

For more information about Norton Rose Fulbright, see nortonrosefulbright.com/legal-notices.

Law around the world
nortonrosefulbright.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.