The Divisional Court recently overturned certification in a data breach class action in Stewart v Demme, 2022 ONSC 1790, holding that it is appropriate to screen these cases out early if the evidence shows a data breach had little to no impact. The decision imposes a high bar on class action plaintiffs who advance intrusion on seclusion claims for data breaches that do not result in provable harm.

In the decade since the Court of Appeal first recognized the tort of intrusion on seclusion, courts have grappled with how to treat claims involving information that is considered more sensitive (e.g., financial or health records). Even if the data breach had little to no impact on the individuals in question, courts often struggled to screen these claims out at the certification stage.

What you need to know

  • The Divisional Court affirmed that the threshold to certify an intrusion on seclusion claim is high, and it is appropriate to screen these claims out early.
  • The mere fact that a data breach has occurred (even one involving information which is generally considered sensitive) is not, on its own, sufficient to justify a class action. The Court held: "Not every intrusion into private health information amounts to a basis to sue for the tort of intrusion upon seclusion". Only claims which involve "very serious" data breaches can survive certification, and the seriousness of a claim cannot be judged solely based on the type of information in question.
  • To determine whether a data breach claim meets the high bar at the certification stage, courts may look at the actual impact on affected individuals.

Background and the appeal

The case involved a proposed class action against a hospital after a nurse used patient records to steal painkillers to feed an addiction. Patient records were important because the painkillers were dispensed automatically by a machine in response to patient information: patient records were the "key" to unlocking the medication. The scale of the theft was significant. During the 10 years that the nurse's actions went undetected, she used more than 11,000 patient records to improperly dispense and steal painkillers. While this was a large-scale narcotics theft case, the evidence showed that the nurse spent only seconds with each patient's record, that she had no interest in the records themselves (she was only interested in the painkillers), that patient information never left the hospital, and that patient treatment was not affected.

Since there were no practical consequences for the patients, the lower court refused to certify the negligence claim against the hospital because there was no provable harm. While the lower court noted that "the facts do not exactly 'cry out for a remedy'", it certified the intrusion on seclusion claim because medical information was involved.

The Divisional Court reversed the certification decision and affirmed that courts should focus on the intrusion itself, not just the type of information impacted by a data breach. Intrusion on seclusion, the Court held, is "designed to offer a remedy in situations where the privacy intrusion is very serious, not any privacy intrusion".

Consistent with our earlier analysis of the lower court's decision, the Divisional Court held that the real problems behind the incident had been properly resolved when the nurse was terminated, had her licence revoked, and was criminally convicted. After the regulatory and criminal proceedings, there was nothing left to remedy through a class action.

Implications for businesses

This case is one of several recent court decisions that can be expected to reduce plaintiffs' chances of success certifying class actions based on data breaches that have resulted in little or no material impact on the proposed class members.

While class actions frequently follow in the wake of any large data breach, and especially data breaches that attract regulatory scrutiny, the Divisional Court's decision illustrates the difference between an organization's regulatory obligations and its liability for civil damages. Privacy regulators draw their jurisdiction from, and are focused on, the type of information an organization handles. Courts, however, must look beyond the type of information impacted in a data breach and assess whether, once all the regulatory safeguards that already exist have done their job, the impact on affected individuals was sufficiently severe to warrant imposing civil liability for damages as well.

The Divisional Court's decision affirms that the bar to certify a class action based on intrusion on seclusion is a high one. Going forward, certification courts can be expected to be more receptive to challenges to intrusion on seclusion claims, even where the information in question could be considered more sensitive.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.