Canada: Cyber Class Action Exposure In Canada

Last Updated: May 1 2019
Article by David Mackenzie and Dominic Clarke

The Canadian insurance market is awakening to the need for cyberinsurance against data loss and privacy breach events. Although there is clearly room for this market to grow, Canadian insurers are routinely issuing cyber coverage to protect against these risks. While insurers have developed loss-experience with first party data breach expense, ransomware and business interruption claims in recent years, knowledge and understanding of third-party risks caused by covered breaches remains limited. This article reviews the status of emerging third-party claim experience.

Class actions seeking damages arising out of data loss and privacy breaches are becoming increasingly common. However, all of the actions to date either remain at the certification stage or have been resolved through settlements. As a result, we have yet to see judicial analysis at a common issues trial of the causes of action being advanced and a final determination of damages. Nevertheless, three recent cases are instructive about the potential indemnity obligations of Canadian insurers under the cyber policies they have issued: Condon v. Canada (Condon);[1] Tucci v. Peoples Trust Company (Tucci);[2] and Broutzas v. Rouge Valley Health System (Broutzas).[3]

1. Litigation and Causes of Action

The decisions in Condon, Tucci, and Broutzas provide insight into various potential causes of action, because each arises out of a distinct set of circumstances. Condon pertains to the loss of a hard drive on which personal and financial information of hundreds of thousands of Canadian student loan recipients was stored. Tucci arose out of the hacking of a bank by a malicious third party. Broutzas concerns alleged misappropriation of personal health information by hospital employees and the subsequent sale of that information to vendors of certain financial services (particularly Registered Educational Savings Plans, or "RESPs").

Each of these claims was made the subject of a putative class action (Broutzas was the subject of two distinct class actions). As a result, Canadian courts have been asked to certify causes of action in each set of circumstances. Condon is the subject of a negotiated settlement, which the Federal Court of Canada has approved. The consideration given to the various causes of action in the course of certification – and in the case of Condon, appeal and settlement as well – provides insight into the difficulties that class counsel and defence counsel (together with their instructing insurers) face in prosecuting and defending privacy and data breach class actions.

The putative class actions advanced many theories of liability: negligence; breach of contract; intrusion upon seclusion; breach of confidence; waiver of tort/unjust enrichment; and statutory theories of liability. Only three of these, however, have met with a measure of success at the certification stage: negligence; breach of contract; and intrusion upon seclusion.

In Canada, in order for certification to be granted, it must merely not be "plain and obvious that the cause of action will fail".[4] Provided that there is "some basis in fact" for the existence of a common issue to be tried on behalf of all class members, the action can proceed as a class action.[5] These are low-threshold standards. Judicial consideration of each of these at the certification stage, however, has highlighted potential weaknesses in each theory and given rise to cautions from the bench with regard to their relative chances of success at trial. This article focuses on the strengths and weaknesses of each of these causes of action.

Review of these decisions also highlights the increased importance of "nominal damages" in the context of data/privacy breach class actions. As is outlined below, it is apparent that class counsel will in many, but not all, cases have difficulty in proving class-wide compensatory damages. While success at trial is far from assured, certain causes of action, if proved, can result in awards of nominal damages even in the absence of proven compensable injury. To better understand the exposure facing defendants and their insurers, we will also examine the meaning of "nominal damages" in the Canadian context.

2. Negligence

In each of the proceedings the putative class alleged that the defendants were negligent, arguing that they owed a duty of care to class members and failed to meet that duty by falling below the standard of care owed. More particularly, they failed to have adequate safeguards in place to protect the information of class members. Each of the actions asserted that the class members had suffered actual damages as a result.

There are three primary pitfalls with respect to the allegations advanced. First, the theory of liability being advanced against many defendants is novel, in that it is not well established in Canada that a plaintiff can sue many defendants for what amounts to pure economic loss in the circumstances of a data/privacy breach. Second, proving actual damages on a class-wide basis, as is required in negligence, may be an insurmountable challenge, particularly where the risks involved are primarily prospective identity theft. Finally, even if a negligence cause of action is certified, class counsel must still prove the claim.

In Broutzas, the RESP dealer defendants were allegedly negligent for not properly supervising their employees who were allegedly buying confidential personal information of new mothers from hospital employees. That information was used to market RESP investments to those mothers. While the hospital acknowledged that it was in a relationship of proximity to its patients, the RESP dealers argued that the relationship between them and the class members was not sufficiently proximate to give rise to a duty of care. Perell J. characterised that element of the claim as novel and undertook the three-step analysis established in Anns v. Merton London Borough Council[6] – foreseeability, proximity, and policy considerations. He determined that there was no duty of care on the part of the RESP defendants as the privacy breach was perpetrated by hospital employees. In the Court's view it was nonsensical to suggest that the RESP dealers could have supervised hospital employees.

While commenting primarily on the breach of contract claim, Perell J. also expressed concerns that the negligence cause of action as proposed merely mirrored existing statutory obligations and the emerging tort of intrusion on seclusion. He was reluctant to certify any novel negligence action in circumstances where a statute already spoke to the issue. He also expressed concern that the negligence theory was being used as a "backstop" to the intrusion on seclusion claim that was also being advanced. He refused to certify the negligence claim against the RESP dealers and their employees and, as seen below, the entirety of the claim.

Standing in contrast to that analysis is the decision in Tucci. There, the defendants provided financial services to members of the putative class and required those members to provide sensitive personal and financial information. The information at issue could clearly be used to harm the class members if lost (foreseeability) and those people were in a direct commercial relationship with the defendants (proximity). Masuhara J. did express concerns regarding the public policy stage of the Anns test, providing: 1) negligence ought not to step in where statutes already govern; and 2) a duty of care should not be imposed that creates indeterminate liability. He found that the theory of liability advanced did not arise because of statutory obligations but out of privacy and security policies the defendant itself had created. Similarly, liability was not indeterminate because it could only be owed to those who were customers of the defendant and whose information was stolen. This latter conclusion appears controversial, as liability could still be regarded as temporally indeterminate, in that damages for the future risk of identity theft clearly seek to compensate for an indeterminate period of time and amount. While this risk may be real, the law of negligence has rarely been used to impose damages for a potentially perpetual risk.

The novel nature of the negligence claims is not the only issue standing in the way of succeeding on a negligence claim. A plaintiff must prove actual loss resulting from the negligence of the defendant. The fact that the claim is being advanced through a class action only complicates matters, as actual damage must be demonstrated on a class-wide basis.

Tucci and Condon considered the loss of control over financial information, not personal health information as was the case in Broutzas. This is a critical distinction. In Tucci, it was not plain and obvious that damage to credit reputation cannot constitute a compensable harm. Similarly, out of pocket expenses including credit monitoring and wasted time and inconvenience related to preventing identity theft could constitute a class-wide harm.

These concerns were raised at the certification stage in Condon. There the court acknowledged that the allegations advanced against the government could support findings of a duty of care and of a breach of the standard of care, but questioned whether claims for compensable damages were advanced. It concluded they were not:[7]

... The Plaintiffs have not been victims of fraud or identity theft, they have spent at most some four hours over the phone seeking status updates from the Minister, they have not availed themselves of any credit monitoring services offered by the credit monitoring agencies nor have they availed themselves of the Credit Flag service offered by the Defendant.

The certification court held that damages cannot be awarded for merely speculative injuries and declined to certify the negligence issue for trial. Class counsel appealed that decision and it was overturned by the Federal Court of Appeal on the basis that "costs incurred in preventing identity theft" and "out of pocket expenses" could satisfy the damages requirement. While such damages may be capable of proof, actually marshalling this evidence on a class-wide basis appears to require judicial approval of some form of aggregate model. Whether this is possible or will be accepted by the courts is unclear.

Finally, in many circumstances, actually proving negligence may be difficult. Attacks by hackers, theft of large amounts of data by employees, and even lost laptops are relatively new phenomena. The fact that courts are still grappling with the law of negligence in this context is not surprising. When a person slips and falls, when one car hits another or when professional services fall below the expected standard, the act, error or omission is relatively straightforward and the resulting damages are reasonably identifiable. In data breach cases, numerous questions arise that are not so easily answered. If an organisation has handling and security protocols and an employee breaches those protocols, has the organisation fallen below the required standard? If that same organisation suffers a criminal attack that defeats the cyber-security in place, has it failed to fulfil its obligations? If a stolen laptop is password protected and the data encrypted, has the organisation been negligent? These are all considerable hurdles.

3. Breach of Contract

Breach of Contract allegations have met with some success, being certified in both Condon and Tucci. Condon involved contracts in the form of Student Loan Agreements. Multiple sections expressly pertained to the Minister's collection, protection and use of the information provided. The certification court acknowledged that these terms could potentially be relied upon to establish a breach of contract such that it was not plain and obvious that the claim would fail.

Similarly, in Tucci there were express contractual terms between the bank and its customers. The exact terms of the contract, however, needed to be determined, as the pleadings asserted that the contract included the defendant's "Website Terms & Conditions" and other terms. Those included statements that the defendant would comply with Federal and provincial privacy legislation, as well as express or implied terms that the defendant would keep information confidential and secure from loss and theft and would not use it except for purposes expressly authorised.

The defendant disputed that the contract included all such terms. It further argued that there was no allegation that those terms had been breached; it had promised to take reasonable steps to protect the information and had done so. The fact that a security breach had occurred did not mean that reasonable steps to protect the information had not been taken. Masuhara J. acknowledged these arguments but held that they should be determined at trial. The Court did not accept the defendant's argument that all forms of damages claimed were too remote, on the basis that, even if no actual damages were proved, nominal damages could be awarded if a breach of contract had occurred.

An interesting discussion pertained to a limitation of liability clause which the defendant said precluded the claim. The Court found that the limitation of liability clause did not preclude the claims per se, and that its effect was an issue for trial.

In Broutzas, the court refused to certify the breach of contract claims advanced. They were premised on the existence of a contract between the patients and the hospitals, which allegedly included terms governing the protection and use of personal information and promising peace of mind. Perell J. ruled that it was "plain and obvious that the putative Class Members [did] not have a claim for breach of contract and warranty". The judge agreed with Rouge Valley's submission that this claim was an artifice by which to sue for breach of statutory obligations. The pleadings simply alleged the duties that the hospitals owed under the Personal Health Information Protection Act, 2004.[8] Moreover, the admission forms and information forms provided to the incoming patients were not contractual in nature, and there was no bargaining between patients and the hospital about preserving the confidentiality and privacy of patient information, which the hospitals were statutorily obliged to do. In short, there was no contract into which terms could be implied and if there had been, those terms were already the subject of non-contractual legal duties.

Where a commercial relationship is present, any contract is likely to either be silent on privacy issues or to favour the corporate entity. Commercial contracts, particularly consumer contracts, increasingly feature arbitration, venue and jurisdiction clauses that may restrict the ability of individuals to bring claims before Canadian courts – especially those claims seeking to enforce express or implied terms of the contract itself. While the Supreme Court of Canada, together with lower courts, has questioned the validity of onerous terms (see Douez v. Facebook[9] and Heller v. Uber Technologies Inc.[10]), reasonable terms may still be enforced. Where that existing contract considers the gathering of information by the organisation, a contract claim will likely be easier to have certified than a negligence claim because there is no requirement to show actual damages. A breach alone should be sufficient to result in nominal damages at minimum. However, a breach of contractual terms must still be shown, and those terms will not necessarily create an obligation to prevent security breaches or misuse of information altogether. As the Defendant in Tucci pointed out, the fact that a security breach has occurred does not mean that reasonable steps to protect the information have not been taken.

Like potential class members, organisations that have been hacked are victims of a crime. The standard likely to be imposed by contract is not strict liability. If express contractual terms drafted by the organisation set the standard, that standard is not likely to be high. Again, certification is a low bar, but proving contractual terms existed and were breached may be a significant challenge. On the other hand, there is arguably an important benefit to breach of contract claims: they can result in an award of nominal damages even if no actual loss is proved. However, a passage in Condon suggests the availability of an award of nominal damages may not be a certainty in the class action context:[11]

[The Defendant] further argues that nominal damages should never be awarded in a class action as it would not favour the plaintiffs but rather their counsel, since the latter would be the only ones effectively standing to benefit financially from the outcome.

The Defendant advances an interesting and strong argument on this point but the Plaintiffs' position, although novel in the context of a class proceeding, is supported by sufficient authorities that this cause of action should be considered on the merit of the action. In other words, it is not plain and obvious that the cause of action in contract would fail. As to any disproportionate advantages in favour of the Plaintiffs' counsel, the Court will also be better positioned to rule on that issue when it hears it on the merit.

Although it must be acknowledged that the court in Tucci certified the question as to whether wasted time could be the basis for awarding aggregate damages, it is open to question whether such damages are "nominal" in nature, or simply a form of compensatory damages arising out of economic loss. In short, like negligence claims, it is not clear that breach of contract claims offer a direct path to recovery for class members in the data and privacy breach context.

Footnotes

1. Condon v. Canada, 2014 FC 250.

2. Tucci v. Peoples Trust Company, 2017 BCSC 1525.

3. Broutzas v. Rouge Valley Health System, 2018 ONSC 6315.

4. R v. Imperial Tobacco Canada, 2011 SCC 42 at 17.

5. Fehr v. Sun Life Assurance Co of Canada, 2018 ONCA 718 at 85.

6. Anns v. Merton London Borough Council, [1978] AC 728 (HL).

7. Condon at 68.

8. Broutzas at 216–217.

9. Douez v. Facebook, Inc, 2017 SCC 33.

10. Heller v. Uber Technologies Inc, 2019 ONCA 1.

11. Condon at 50–51.
