Data breaches are among the most common areas of subject matter for Canadian class actions in 2021. There are currently more than 80 class actions involving privacy breaches in progress across the country.1 Siskinds itself represents class members in several prominent ongoing privacy breach class actions, including ones involving Desjardins, Facebook, and Marriott, and recently won court approval of a settlement in the BMO and CIBC/Simplii Financial Data Breach class action.
Yet despite the ever-increasing occurrences of privacy class actions in Canada, a Canadian court had yet to make a decision on the merits in any class action involving a data breach until earlier this spring – when the Quebec Superior Court of Justice rendered its judgment in an action brought on behalf of a class whose financial information was lost when a laptop was left on a train.
In Lamoureux c Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM),2 the Court held that the Investment Industry Regulatory Organization of Canada (IIROC) was not liable under Quebec's Civil Code for any damages relating to the loss of the data.
Though the case could potentially be viewed as a victory by defence lawyers representing other companies accused of privacy breaches, a closer look at the decision reveals a very fact-specific outcome – one that should not pose a chilling effect on future class actions involving lost data and may incentivize companies to take quick and comprehensive actions to fix privacy breaches.
The laptop has left the station: The facts of Lamoureux
The class action arose out of an incident in February 2013 when an IIROC employee forgot his laptop on the train he was riding home in Montreal. IIROC is the self-regulatory organization that oversees all investment dealers and all transactions in the equity and debt markets in Canada. The laptop was password protected, though not encrypted, and contained personal information of over 48 thousand individuals and legal entities who were clients of brokerage firms. The information was classified as sensitive to highly sensitive in nature. The laptop was never reported or found.
When it learned that the laptop was missing, IIROC immediately triggered an internal investigation. It engaged independent experts in computer security to determine the details of the missing information and manage the risks and obligations related to the loss. IIROC reported the incident to the police, the Commission d'accès à l'information du Quebec, and the Office of the Privacy Commissioner of Canada. It also arranged to provide a variety of free credit protection services to impacted investors, including an initial offer of a six-year alert on each investor's credit report through Equifax to advise of possible compromises to personal information and a later, supplemental offer of one-year credit monitoring with Equifax and posting a fraud warning on each investor's credit report with TransUnion for six years. Two months after the breach, IIROC sent letters to affected investors letting them know of the incident and steps taken to mitigate potential risks, including the initial offer of the free six-year credit report alert.
Within days of the letters being sent, an investor brought a class action, which failed at the authorization stage3 (the Quebec equivalent to certification – where a court determines whether the action is fit to proceed as a class action, without determining liability) on the basis that the plaintiff failed to demonstrate the existence of compensable damage (a required element for a Civil Code privacy claim). An appeal to the Court of Appeal was also unsuccessful.4
The plaintiff in the case at hand, Danny Lamoureux, filed his class action days after the failed appeal. Unlike the previous plaintiff, Mr. Lamoureux had been the victim of identity theft in the time since the data breach. Mr. Lamoureux claimed compensatory damages, on behalf of all people who had their data lost, for any actual or attempted frauds suffered and for anxieties and inconveniences suffered due to the loss of personal information. He also sought punitive damages for IIROC's delay in notifying the class. This class action was eventually authorized and a trial on liability finally took place nearly eight years after the laptop left on that evening train to Montreal.
Considering the facts and all the evidence, the Quebec Court dismissed the class action.
Despite Mr. Lamoureux's driver's license and social insurance numbers being used by fraudsters, when it came time to present evidence linking the identity theft to the lost laptop, Mr. Lamoureux could not prove the events were related. Rather, there was evidence that his social insurance number and driver's license were never even received by IIROC from his brokerage. In fact, expert evidence showed no links to any frauds or identity thefts alleged by class members.
The Court also held that the alleged anxieties and inconveniences suffered by the class due to the loss of their data were not compensable. Though testimony from a sampling of class members allowed the court to infer that anger, worry, stress and fear were common feelings felt by the class, the Plaintiff did not provide any documentary, medical or other evidence of the extent of the suffering. Relying on the Supreme Court's threshold for compensable psychological injury in Mustapha v Culligan, the Court held that the psychological injuries of the class members did not "rise above the ordinary annoyances, anxieties and fears that people living in society routinely... accept."
Though the Class Members argued that the incident imposed a need for increased monitoring of bank accounts and credit cards, the Quebec Court had previously established that those constitute normal activities for which plaintiffs cannot recover damages. Though additional actions such as setting up credit monitoring and security alerts, obtaining credit reports, and canceling cards or closing accounts would rise above "ordinary annoyances, anxieties and fears", IIROC had already provided investors with all necessary supervision and protection measures free of charge. A remedy limited to compensation for any minimal time and inconvenience experienced by the class from the mere fact of having to subscribe to the free credit monitoring services would not achieve the objective of deterrence and would dissuade companies from voluntary corrective actions.
The claim for punitive damages that IIROC was reckless by delaying publicizing the incident was also unfounded. There was unrefuted expert evidence that a certain period of time was necessary to identify the personal information concerned and put in place measures to ensure upstream protection of information. In the circumstances, IIROC was quick to put in appropriate measures.
Does Lamoureux close the (Mac)book on class actions regarding lost data?
Though it remains to be seen precisely how Lamoureux will be interpreted by Canadian Courts, it should not dissuade plaintiffs from bringing new class actions arising from situations where personal data is lost, even if there is no evidence the data was used nefariously or even accessed.
Most privacy class actions in Canada outside of Quebec are based on claims under the tort of "intrusion upon seclusion", which requires an intentional or reckless intrusion into a person's private affairs, without lawful justification, that would be viewed by a reasonable person as highly offensive.5 Notably, the tort of intrusion upon seclusion does not require proof of damage as an element of the claim.6 Unlike in Lamoureux, the lack of evidence of actual psychological harm that meets the Supreme Court's threshold would not necessarily be fatal to proving liability.
The Court can award "symbolic" or "moral" damages for intrusion upon seclusion of modest amounts to vindicate privacy rights in cases where plaintiffs suffer no pecuniary losses.7 In Mr. Lamoureux's case, he was not seeking moral damages – only compensatory and punitive damages.
In cases where there is no evidence of pecuniary loss, viable claims for intrusion upon seclusion will arise only for significant invasions of personal information. However, intrusions into financial records are among the matters that the Ontario Court of Appeal has held as capable of being viewed objectively as highly offensive.8 Information like what was lost in Lamoureux could fit the bill.
Canadian courts have even accepted that simply providing an opportunity for unauthorized access to private information without evidence of actual access or usage can be enough to ground a class action.9 Ontario Courts have dubbed this the "peephole" argument – the analogy being that privacy would be invaded if a landlord installed a peephole to a tenant's bathroom even if it wasn't used.10
There is even at least one example of a class action based solely upon the loss of a hard drive containing personal financial information. In Condon v Canada,11 a hard drive containing student loan information was lost by a federal Ministry. Despite an absence of evidence that the information was used or accessed, the Court certified the class action. The claim that the defendants unlawfully disclosed and failed to delete the information, in breach of contracts with class members, met the threshold for a highly offensive intrusion. The case ultimately settled for $17.5 million to compensate the class for time and inconveniences associated with the data loss.12
When can you be compensated for a data breach? It's always a question of the (Equi)facts.
In its analysis regarding whether to award damages, the Court in Lamoureux stated that the loss of private information may not always result in prejudice – "Tout est une question de faits".13
If the facts of a privacy breach show that sensitive financial data was recklessly lost in violation of a contract, or intentionally accessed by external parties, or used in any unauthorized manner, such as by marketers or fraudsters, the breach may be one that's sufficient to ground a viable claim.
But if the facts of a privacy breach show that the data at issue was lost but never used or accessed, and that the defendant took swift, appropriate steps to protect against and monitor for future unauthorized uses, Lamoureux establishes that a claim for that incident may not always succeed, at least under Quebec's Civil Code.
However, the key takeaway from Lamoureux, as argued by defence counsel,14 ought to be how companies can appropriately respond when a privacy breach occurs by protecting the affected individuals through programs like free credit monitoring. Lamoureux will ideally incentivize the types of voluntary corrective actions that the Court was attuned to potentially disincentivizing had it awarded damages to the class for the time spent subscribing to the Equifax credit report alert.
When it comes to privacy breaches it all comes down to the facts (and sometimes, Equifax).
If you were affected by a data breach and believe you have a claim, please contact our office. Siskinds' team of consumer protection lawyers has experience and expertise helping people whose personal, confidential information was disclosed without consent.
2 Lamoureux c Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2021 QCCS 1093 (CanLII), <https://canlii.ca/t/jf1c5>
3 Sofio c Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2014 QCCS 4061 (CanLII), <https://canlii.ca/t/g8r2w>
4 Sofio c Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2015 QCCA 1820 (CanLII), <https://canlii.ca/t/gm04g>
5 Jones v Tsige, 2012 ONCA 32 (CanLII) at paras 70-71, <https://canlii.ca/t/fpnld>
6 Ibid at para 74.
7 Ibid at para 75.
8 Ibid at paras 72-73.
9 Simpson v Facebook, 2021 ONSC 968 (CanLII) at para 31, <https://canlii.ca/t/jd655>; Grossman v. Nissan Canada, 2019 ONSC 6180 (CanLII), <https://canlii.ca/t/j32qt>
10 Bennett v Lenovo, 2017 ONSC 1082 (CanLII) at para 27, <https://canlii.ca/t/gxjx4>
11 Condon v Canada, 2014 FC 250 (CanLII), <https://canlii.ca/t/g69g7>
12 Condon v Canada, 2018 FC 522 (CanLII), <https://canlii.ca/t/hsfn8>
13 Supra note 2 at para 60.
14 Supra note 1.