Data breaches and cyberattacks continue to make headlines as individuals and companies alike have become increasingly reliant on digital services, particularly during the COVID-19 pandemic. In June 2020, we wrote about two fundamental problems with liability in data breach class actions, namely (i) whether there is a basis for civil liability for a data breach without proven damages, and (ii) whether companies are liable for criminal acts of third parties who steal their data.[1]
Over the last year, courts have begun to provide clarity on some of these questions. The Ontario Divisional Court recently considered whether the tort of intrusion upon seclusion applies when data is stolen by a third party rather than by the defendant, and we now have a first decision on the merits in a data breach class action.
Some evidence of harm is required
Canadian courts are developing a theory of liability in data breach class actions that depends on evidence of harm. In defining the threshold of harm that must be proven, courts are looking to the type of information concerned and the actual rather than feared consequences of a breach. Plaintiffs in data breach class actions therefore face hurdles in showing not only that defendants were negligent in their safeguarding of information, but also that legally recognizable harm was suffered.
These hurdles create limitations on those who will be held liable for damages when a data breach occurs. In the first decision on the merits in a data breach class action in Canada, Lamoureux c. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), the Superior Court of Québec dismissed the class action on the basis that there was no evidence of compensable harm. This ruling is consistent with other actions across Canada where certification has been denied because of a lack of proof of harm.
In Lamoureux, the defendant, IIROC, admitted that it was at fault for losing a laptop containing class members' personal information, and for not ensuring maximum protection of class members' information, since the laptop did not feature the two-step encryption IIROC's policies required. The question at issue was whether the alleged prejudice to class members was compensable.
While the Court acknowledged that the negligent loss of information can ground a finding of prejudice, it found that the anxieties flowing from the loss of information did not constitute compensable prejudice in this case. The plaintiffs' claims for damages as a result of anger and stress were not supported by sufficient evidence, and had not proved lasting psychological harm. Crucially, the Court dismissed allegations that class members' increased monitoring of their financial accounts amounted to compensable prejudice. Instead, the Court held that this type of activity formed part of the normal expected behaviour of someone who is mindful of protecting their assets. This finding follows prior jurisprudence in Québec, which has consistently held that minor inconveniences cannot form the basis for a damages claim.
While the decision in Lamoureux appears to focus on a requisite degree of harm, which minor inconveniences do not satisfy, other decisions have focused on the type of information at play in determining whether class members suffered any harm.
In Setoguchi v. Uber B.V., the Alberta Court of Queen's Bench denied certification, emphasizing that not all personal information is private information.[2] In this case, the information included Uber riders' and drivers' names, phone numbers, and email addresses. In exercising its gatekeeping function, the Court highlighted that the information accessed was no more private than that which was included in a typical phone directory of the past. The Court found there was no evidence that class members had a reasonable expectation of privacy in the information. The case highlights the difference between personal information and private information. The mere fact that personal information has been disclosed is unlikely to ground common law liability for damages. Rather, the decision in Setoguchi suggests that the plaintiff must prove that the information was private, and that harm was suffered.
Proactive breach response may prevent punitive damages
Companies' responses to a breach are important in minimizing both compensatory and punitive damages. This is especially so in Quebec, where the right to privacy is explicitly protected by the Quebec Charter of Human Rights and Freedoms.[3] In Quebec, defendants can be liable to pay punitive damages for "intentional interference" with that right,[4] even where no compensatory damages are awarded.
In Lamoureux, the Court found that the defendant had been diligent in following best practices and promptly responding to the breach. For example, the defendant conducted several internal investigations to identify the cause and extent of the breach and took steps to minimize the impact of the breach on class members. These measures contributed to a finding that an award of punitive damages was not justified. Justice Lucas placed significant emphasis on this prudent reaction, which seemed to belie any suggestion that the defendant intentionally interfered with class members' rights to a private life. Such a reaction could provide a defence blueprint for companies facing similar situations.
This decision is consistent with the growing trend in privacy class action settlement approvals,[5] which affirms the importance of taking proactive steps to identify the extent of lost or potentially compromised personal information, notify relevant stakeholders, provide a forum for stakeholders to ask questions and receive information, and mitigate any potential harm (i.e., by offering services such as credit or dark web monitoring, or identity theft protection). By taking prompt and proactive steps, companies can minimize provable harm, which may shield them from class action liability, including exposure to punitive damages.
Recently, the Quebec Court of Appeal also illustrated how a less diligent response may expose a defendant to punitive damages. In Lévy c. Nissan,[6] the Court of Appeal allowed an appeal, in part, by reinstating the plaintiff's claim for punitive damages. The Court of Appeal explained that while "intentional interference" with a protected right requires more than simple negligence, it is not as strict as specific intent and can arise when a person has knowledge of the probable consequences her conduct will cause. This case serves as a warning for companies that have been faced with multiple data breaches to take swift remedial action: failure to implement appropriate security measures after a breach, delays in reacting, and a lack of full disclosure may be factors that courts will look to when deciding whether to award punitive damages. However, given the unique legislative landscape in Quebec, it remains to be seen whether this jurisprudence will be adopted in other provinces.
Proof that information was compromised is likely required
Another key issue for class action plaintiffs is proving that the information was actually compromised. In Simpson v Facebook, the Ontario Superior Court refused to certify a proposed class action against Facebook because the plaintiffs could not prove that the information had been improperly shared.[7]
Simpson is one of two class actions against Facebook after the Cambridge Analytica scandal.[8] The Simpson action covered "Canadian residents whose Facebook Information was shared with Cambridge Analytica Group".[9] The other action – Donegani – covered Facebook users whose personal information was improperly obtained either directly or indirectly by third parties (except for Canadian residents whose Facebook information was shared with Cambridge Analytica Group).
The Court declined to certify the Simpson action because the plaintiff failed to prove that the proposed class members' information was shared with Cambridge Analytica. In doing so, the Court rejected the plaintiff's "peep hole" argument, which alleged that the mere fact that Facebook made users' information accessible was sufficient to warrant a remedy, even if such access was never exploited.[10]
While the Court rejected this argument on procedural grounds (since it overlapped with the issues in Donegani), whether this argument can succeed on the merits remains to be seen. If successful, the "peep hole" argument could decrease the burden on plaintiffs to show provable harm.
Third-party hacking may not support privacy tort claims against businesses
Many data breach class actions are founded on claims of intrusion upon seclusion. Under the tort of intrusion upon seclusion, a plaintiff does not face the same burden to prove damages as they do under negligence. Although attractive for this reason, courts have consistently questioned whether intrusion upon seclusion applies when a third-party hacker, as opposed to the defendant, invaded the plaintiffs' privacy.
The Ontario Divisional Court recently addressed the scope of intrusion upon seclusion in an appeal from a certification order[11] in Owsianik v. Equifax Canada Co. The proposed national class action concerned the 2017 Equifax data breach that reportedly affected approximately 19,000 Canadians.[12] The certification judge had certified intrusion upon seclusion as a cause of action, and the Divisional Court was asked whether "the tort of intrusion upon seclusion is available against collectors and custodians of private information ... where the private information is improperly accessed by a third party".[13]
In a split judgment (Sachs J. dissenting), the Divisional Court allowed the appeal and set aside the certification of intrusion upon seclusion.[14] Justice Ramsay (McWatt A.C.J. concurring) found that the tort was defined "authoritatively" in Jones v. Tsige[15] in relation to humiliation and emotional harm for which there is no other remedy because the loss cannot be quantified in monetary terms. Because the essence of the claim in Equifax had to do with economic interests, it was appropriate to require the plaintiff to prove damages. Because the data was accessed by third-party criminals, the Court held that the lack of intrusion on the part of Equifax, which "is the central element of the tort",[16] was fatal to the intrusion upon seclusion claim – put simply, it was the hackers and not Equifax who were the intruders.
While the decision may be appealed, the prevailing view of liability for intrusion upon seclusion for the misconduct of third parties is restrictive. As Justice Perell recently observed, most data breach class actions settle for "notional nominal general damages," and this will continue until a plaintiff class is successful on the merits.[17] Ultimately, however, recent decisions suggest that if a class cannot provide some evidence of harm, it is unlikely to succeed.
August 2021: Further authority that third-party hacking a non-starter for privacy tort claims
Another recent decision appears to confirm that businesses will not be liable for third-party hacking that exposes class members' personal information. In Del Giudice v. Thompson,[18] Justice Perell dismissed a proposed class action concerning the Capital One data breach in 2019, which affected approximately six million Canadians' personal and credit information. A hacker had accessed the database of personal information collected by Capital One, which was hosted on Amazon Web Services' computer servers. Central to the Court's skepticism of the action was the transformation of what was said to be a straightforward data breach case into a data misappropriation and misuse case. Justice Perell accordingly dismissed all nineteen causes of action put forward by the plaintiffs.
In dismissing the action, the Court denied plaintiffs' claim for intrusion upon seclusion. Citing the Court of Appeal's decision in Equifax, Justice Perell noted that the failure to prevent an intrusion does not constitute intrusion; while such a claim might be viable against the hacker, the same is not true for other defendants. Justice Perell also dismissed several claims for breach of privacy statutes, finding jurisdictional fatalities in these claims and noting that such statutes do not apply in the private sector. Additionally, Justice Perell dismissed the plaintiffs' claim in negligence and duty to warn on the basis that no compensable harm had been demonstrated and that any loss would be purely economic. He found that an increased risk of harm cannot constitute harm in and of itself and that the claim was bound to fail. In refusing to certify the action, Justice Perell lifted the stay of other proposed class actions that he imposed when granting carriage to class counsel.
[1] Torys LLP, Data breach class actions—Two fundamental problems with liability (June 25, 2020).
[2] Setoguchi v Uber B.V., 2021 ABQB 18.
[3] Charter of Human Rights and Freedoms, CQLR, c. C-12, art. 5.
[4] Ibid, art. 49.
[5] See e.g., Lozanski v The Home Depot, Inc., 2016 ONSC 5447.
[7] This was also a live issue in Lamoureux, where the Court found there was no evidence that the information had been used by others.
[8] Three class actions were started against Facebook. The Court granted carriage to two of the actions, splitting the issues to be addressed in each. See Simpson v. Facebook, 2021 ONSC 968 at para. 7.
[9] Simpson v. Facebook, 2021 ONSC 968 at para. 8.
[10] Donegani v. Facebook Inc., Court File No. CV-18-596626-CP.
[11] Agnew-Americano v. Equifax Canada Co., 2019 ONSC 7110.
[12] Equifax was also subject to an investigation by the Office of the Privacy Commissioner of Canada. The report of findings was published on April 9, 2019.
[13] Owsianik v. Equifax Canada Co., 2020 ONSC 5761 at para. 2.
[14] Owsianik v. Equifax Canada Co., 2021 ONSC 4112 [Equifax].
[15] 2012 ONCA 32.
[16] Equifax, at para. 55.
[17] Karasik v. Yahoo! Inc., 2021 ONSC 1063.
[18] 2021 ONSC 5379.
Originally Published by The Lawyer's Daily, part of the LexisNexis Canada Group Inc.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.