The Ontario Superior Court of Justice recently approved a
settlement agreement in the Lowanski v The Home Depot
class action,1 a decision that highlights adequate
protection and a sufficient response can significantly reduce the
legal risks after a data breach. This class action was filed
following a data breach that gave access to personal information
such as names, credit card numbers, expiration dates and
verification value codes from Home Depot's card payment system
for six months during 2014.
Although the parties had agreed to settle the class action for more
than $1 million, the Honourable Justice Perell reduced the amount
to $400,000. Similarly, the agreed-upon counsel fee was reduced
from $406,000 to $120,000. He also did not approve any
honoraria.
Amounts granted by Canadian courts to members of class actions
related to data breaches are usually modest, but this judgment is
quite surprising since it is unheard of for a court to reduce a
settlement amount in a class action approval hearing.
The judge's decision centred on the lack of significant damage
suffered by the plaintiffs and Home Depot's responsible and
prompt response to the data breach.
Lack of significant damage
Plaintiffs raised three heads of damage from the payment card
system breach: (1) The risk of a fraudulent charge on one's
credit card; (2) the risk of identity theft; and (3) the
inconvenience of checking one's credit card statements.
Justice Perell considered that the proof of any consequent damage
was in the range of negligible to remote. On the first and second
heads of damages, there was no evidence that any class member had
suffered a fraudulent charge or that the data breach increased the
risk of identity theft since the stolen data was inadequate to fake
another's identity.
With regard to the last ground of damages, the Ontario Court of
Appeal recognized in 2012 that economic loss is not necessary to
ground an action in the tort of intrusion on seclusion. Any
non-economic damage suffered as a result of a privacy breach may be
compensated by granting "symbolic"
damages.2
However, the mere fact that a person is worried about the security
of his or her personal information following a data breach does not
qualify as a compensable loss. Nor were plaintiffs inconvenienced
because they had to check their credit card statements for
fraudulent purchases following the Home Depot data breach.
According to Justice Perell, any credit card holder already bears
such responsibility.
The Quebec Superior Court applied the same reasoning in the 2012 cases Sofio c. Organisme canadien de réglementation du commerce des valeurs mobilières3 and Mazzona v DaimlerChrysler Financial Services Canada Inc.4 The courts stated that monitoring account statements for fraudulent activity is an ordinary inconvenience that constitutes part of the cardholder's daily activities and does not warrant compensation. They both relied on Supreme Court case Mustapha c. Culligan du Canada Ltée5 that stated compensable injury must be serious and prolonged and rise above the ordinary annoyances, anxieties and fears that people living in society routinely accept.
Home Depot's response
Another decisive factor in the Ontario Superior Court's
decision was Home Depot's response following the data breach.
The court considered Home Depot's response to be
"responsible, prompt, generous and exemplary." They
issued a timely press release, sent informative emails to customers
and offered free credit monitoring and identity theft insurance.
Justice Perell even expressed, notably in view of Home Depot's
actions, that he would have approved a discontinuance of the class
action on the merits.
Regarding the fee approval, Justice Perell underlined it has to be
viewed through the lens of access to justice, behaviour
modification and judicial economy. Yet, there was no reason to
think that Home Depot needed or deserved behaviour modification.
After the data breach was discovered, there was no cover-up on Home
Depot's part and it responded as a "good corporate
citizen" toward the breach.
Our take
The Ontario Home Depot class action highlights that adequate prevention, detection and response significantly mitigate the legal risks associated with privacy breaches. Preventive and compensatory measures are recognized by the courts as means of mitigating or eliminating potential damages.
The author wishes to thank articling student Camille Nadeau for her help in preparing this legal update.
Footnotes
1 2016 ONSC 5447.
2 See notably Jones v. Tsige, 2012 ONCA 32.
3 2014 QCCS 4061.
4 2012 QCCS 958.
5 2008 CSC 27.
About Norton Rose Fulbright Canada LLP
Norton Rose Fulbright is a global law firm. We provide the world's preeminent corporations and financial institutions with a full business law service. We have 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.
Recognized for our industry focus, we are strong across all the key industry sectors: financial institutions; energy; infrastructure, mining and commodities; transport; technology and innovation; and life sciences and healthcare.
Wherever we are, we operate in accordance with our global business principles of quality, unity and integrity. We aim to provide the highest possible standard of legal service in each of our offices and to maintain that level of quality at every point of contact.
For more information about Norton Rose Fulbright, see nortonrosefulbright.com/legal-notices.
Law around the world
nortonrosefulbright.com
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.