Litigation Risk on the Rise: 3 Trends in Cybersecurity Class Actions in Canada

Cybersecurity litigation in Canada is on the rise. Given that the number of data breaches in Canada has been rising exponentially in recent years, the increase in cybersecurity litigation is unsurprising. However, the increase in the volume of breaches, coupled with privacy legislation changes, has resulted in more reporting to the privacy commissioners, attempted class proceedings, and settlements of actions.

PRIVACY COMMISSIONER INVESTIGATIONS AND CIVIL LITIGATION

An organization that has experienced a privacy breach or cybersecurity incident may be subject to mandatory reporting and resulting investigations by the federal or provincial privacy commissioner. Procedural protection for the organization in the course of such an investigation is often limited. Further, in some cases, there is no (or only very limited) legal recourse to challenge unfair or erroneous findings made in a privacy commissioner report.

Plaintiffs in privacy class actions often seek to rely on privacy commissioner reports to the extent they are critical of the security safeguards an organization had in effect at the time of a breach. In two recent decisions in Ontario, however, certification judges affirmed that such reports are not determinative of civil liability or even whether a proposed class action should be certified.

In Broutzas v. Rouge Valley Health System, the plaintiffs sought a ruling that the hospital defendant was barred from challenging the findings of the Ontario Information and Privacy Commissioner (IPC) following its investigation of the privacy breaches at issue in the action, and that these findings were conclusive of the hospital’s liability. The court declined to make such a ruling, finding that it would be “egregiously unfair” to determine a class action based on the decision of an informal proceeding before an administrative tribunal.

Similarly, in Kaplan v. Casino Rama Services Inc., the certification judge confirmed that an IPC investigation report regarding the cyberattack on Casino Rama was “not determinative of legal liability.” The judge went on to conduct his own analysis based on the evidence before him on the motion.

RECENT DENIALS OF CERTIFICATION IN PRIVACY CLASS ACTIONS

There have been an increasing number of privacy class actions in Canada since 2012, when the Ontario Court of Appeal first recognized the new privacy tort of intrusion upon seclusion. While many privacy class actions have been certified, the last year has seen several denials of certification:

  • Broutzas v. Rouge Valley Health System: The Ontario Superior Court of Justice refused to certify a privacy class action in which rogue hospital employees allegedly accessed patient records to sell new mothers’ contact information as RESP sales leads. Among other things, the court found that a person’s contact information is not “inherently private” and that the tort of intrusion upon seclusion requires some deliberate intrusion by the defendants and could not be made out by some form of “guilt by association.”
  • Kaplan v. Casino Rama Services Inc.: The Ontario Superior Court of Justice refused to certify this class action brought following a criminal cyberattack on Casino Rama’s networks. The certification judge found that while some of the plaintiffs’ claims could survive a motion to strike, the proposed class “collapse[d] in its entirety” because there were no common issues among the class. The court also noted the defendants’ prompt and comprehensive response following the discovery of the cyberattack. For further information, please see our May 2019 Blakes Bulletin: Proposed Privacy Class Action “Collapses in its Entirety” on Commonality.
  • Bourbonnière c. Yahoo! Inc.: The Quebec Superior Court refused authorization of this case, which arose out of cyberattacks against Yahoo and theft of user account data. The court found that the authorization criteria were not met because there was no evidence that anyone, including the proposed representative plaintiffs, had suffered any compensable loss as a result of the cyberattacks. As such, there was no “arguable case” with respect to the plaintiffs’ claims.
  • Li c. Equifax Inc.: The Quebec Superior Court refused authorization of this case, arising out of the Equifax data breach announced in September 2017. Similar to the reasoning in Bourbonnière, the court concluded that the proposed representative plaintiff did not have an arguable case because he did not show that he had experienced any compensable damages as a result of the breach.

While we expect privacy class actions to remain commonplace in Canada for the foreseeable future, these cases suggest that courts are increasingly willing to scrutinize plaintiffs’ claims to assess whether they are viable and whether a class action is the appropriate vehicle for their resolution.

SETTLEMENT TRENDS IN PRIVACY CLASS ACTIONS 

To date, no privacy class action in Canada has proceeded to a determination on the merits. In the meantime, there have been several settlements, although it will remain to be seen what impact the cases referred to in this bulletin have on that trend.

While most settlements in privacy class actions to date have represented fairly low values per class member, there have been a few settlements involving more significant payments in cases where the information involved was highly sensitive and the defendant’s intrusion was deliberate.

Settlement structures reflect the bespoke nature of civil privacy suits and the difficulty in assessing the losses (if any) of potential class members. Common characteristics of privacy class action settlements include:

  • Compensation for losses in the case of fraud or identity theft resulting from the breach
  • Cash payments for other proven out-of-pocket losses (e.g., steps taken to remediate the risk of fraud, lost time)
  • Amounts for continuing credit monitoring
  • Notice and administration costs
  • Honoraria for representative plaintiffs
  • Counsel fees.

CONCLUSION

Cybersecurity incidents are an ever-increasing threat for organizations of all sizes, and with it comes the threat of privacy litigation. The class actions landscape in this area is still evolving. Encouragingly, Canadian courts are turning a careful eye to these claims and scrutinizing their viability.

For further information, please contact:

Darren Reed                             403-260-9640
Nicole Henderson                       416-863-2399

or any other member of our Cybersecurity, Privacy or Class Actions groups.

Blakes and Blakes Business Class communications are intended for informational purposes only and do not constitute legal advice or an opinion on any issue.

We would be pleased to provide additional details or advice about specific situations if desired.

For permission to reprint articles, please contact the Blakes Client Relations & Marketing Department at communications@blakes.com. © 2019 Blake, Cassels & Graydon LLP