March 18, 2015

Data Breach, Class Actions and Certification: Québec Turns Off the Tap as Ontario May Face Increase

Two recent Canadian decisions illustrate the differing approach to the certification of class actions following data breach events.

In Sofio v Investment Industry Regulatory Organization of Canada (IIROC) (2014), the Superior Court ruled that a petitioner must demonstrate personal compensable damages for a class action to be certified in Québec, while in Ontario, the Federal Court has certified a class action on the basis of the tort of intrusion upon seclusion, in which proof of harm to a recognised economic interest is not an element of the cause of action.

The dispute in Sofio arose out of IIROC's loss of a laptop containing the unencrypted personal data of approximately 50,000 individuals.

A petitioner sought to have a class action certified against IIROC for all individuals whose personal data was compromised, and claimed damages of CAD1,000 ($781.46) per class member. The court held at the certification stage that the petitioner met all the criteria for certification except for one: identifiable and compensable damages.

The petitioner argued that, following the event, he undertook to verify his credit card and bank accounts monthly, to monitor any suspect mail delivery, to remember not to give any personal information over the phone, by mail or in an email, as well as conduct extensive correspondence with a credit-reporting agency.

The court acknowledged that moral damages (such as stress, emotional trauma, trouble and inconvenience) are compensable and could form the basis of particular class actions, but found that the “damages” sought by the petitioner were no more than one of the disadvantages of 21st century living.

For the court, the monthly verification of one’s accounts was not exceptional – such data being easily accessible via the internet. The court was not convinced that the hazards raised by the petitioner were any different from those faced by anyone in today’s digital world, and, in the absence of fraud or theft, therefore denied certification.

While this is a welcome move, in Ontario, new avenues are being opened up to petitioners as the tort of "intrusion upon seclusion", first recognised by the Ontario Court of Appeal in January 2012, seems set to expand.

The tort requires an intrusion that a reasonable person would regard as highly offensive, causing distress, humiliation or anguish. Petitioners are now arguing that it should apply to organisations for acts committed by their employees, alleging they should be held liable for not having properly protected personal information from breaches.

At least two class actions (Hopkins v Kay (2014) and Evans v The Bank of Nova Scotia (2014)) have been certified in Ontario on this basis, and in Condon v Canada (2014), the Federal Court also allowed a motion for certification stating that “it is not plain and obvious that an action based on the tort of intrusion upon seclusion would fail”.

This expansion is concerning as, at the certification stage, it is argued that frustration and anxiety are sufficient to establish the necessary "distress". It is certain that the parameters of this tort will continue to develop and in the meantime, these decisions serve as yet another reminder to organisations to maintain adequate policies and practices to oversee and contain employee access to personal information.