Data breach class actions—Two fundamental problems with liability
“Data breaches involving the theft of personal information coupled with a ransom demand are becoming commonplace. In some cases, the loss of privacy and actual harm sustained is significant; in other cases, it is slight. But in almost every case a class action is sure to follow”.
Justice Belobaba, Grossman v Nissan Canada [1]
The world has gone digital. While Canada’s privacy regulators are well established, the law of civil liability is still playing catchup. This is particularly true in the class actions context.
Since 2012, when the Ontario Court of Appeal in Jones v Tsige recognized the first common law privacy tort (intrusion upon seclusion), a body of cases dealing with disputes between individuals has developed. Like Jones, these cases typically involve invasions of privacy that are intentional, and occur in the context of intimate personal relationships, where social and emotional harm can be real and significant.
To date, however, there has been no merits decision in a mass data breach class action. This has left the courts to grapple with fundamental issues about the scope of liability for mass data breaches in a context—certification motions—that is not well suited to resolving them. A recent series of decisions highlights two important issues:
- When third-party cybercriminals successfully breach a computer system and steal data, is the company that owns the computer system liable?
- When a data breach occurs, but there are no provable damages (i.e., no identity theft or fraud, no out-of-pocket expenses, and no objective psychological harm), is there a basis for civil liability?
The certification case law is conflicting. However, if these issues were tried on their merits, there are reasons to believe that the answer to both issues would be “no”.
Liability for the criminal acts of third parties
As Justice Perell observed in Lozanski v The Home Depot: in a cyberattack, “[t]he real villains” are “the computer hackers, who stole the data” [2]. But, because cybercriminals often can’t be found, class actions usually focus on data custodians.
In Jones, the Ontario Court of Appeal held that intrusion upon seclusion requires intentional conduct, which was present in that case. However, Justice Sharpe went on to state: “I would include recklessness” [3].
Relying on this statement, courts have certified several class actions against organizations after cybercriminals successfully breached their systems. Despite this, certification judges have repeatedly observed that the basis for finding recklessness in a data breach caused by third-party criminals is tenuous. In Tucci v Peoples Trust Company, Justice Masuhara of the BC Supreme Court called it “a stretch to say that the defendant invaded the plaintiff’s private affairs, as that was done by a third party”. Because the tort was still relatively new, Justice Masuhara certified the case. However, he had reservations about liability: “it may be a stretch to call the disclosure here reckless” [4].
In Kaplan v Casino Rama, Justice Perell was blunt about the problems with intrusion upon seclusion: “I was initially of the view that the intrusion upon seclusion tort…was doomed to fail on the facts of this case for one simple reason: it was the hacker, and not the defendants, who invaded the plaintiffs’ privacy” [5]. Justice Perell ultimately denied certification because the data stolen varied so widely that the class action would have devolved into individual issues. However, Justice Perell noted that—but for that fatal flaw—he would have certified intrusion upon seclusion, citing Tucci and the unsettled status of the recklessness issue.
The recklessness problem was front and centre again in Agnew-Americano v Equifax Canada Co, with Justice Glustein certifying the case because of “[t]he need for the court to consider, on the merits, whether intrusion upon seclusion can be established against Database Defendants for hacker attacks exposing persons to identity theft” [6].
It’s clear the courts have been reluctant to cut off cyberattack data breach claims at the certification stage, based as they are on recklessness. However, it is equally clear that there is real doubt whether liability could actually be established in these cases. The problem for these claims is that recklessness is not the same as vicarious liability. The justification for extending liability to employers for the intentional wrongdoing of their employees is well-established. Doing so for the criminal misconduct of third parties is not. Clearly, cybercriminals are liable for intrusion upon seclusion. What is not clear is whether the legal concept of recklessness is capable of extending liability to the organizations that cybercriminals prey on. This issue is ripe for summary judgment.
What these cases are really trying to do is impose a standard of care analysis onto data custodians. The question these cases ask is: did the data custodian take reasonable precautions? The problem with framing this question under the rubric of intrusion upon seclusion is that Canada already has a tailor-made cause of action for this issue: negligence. Negligence asks whether a reasonable person would have acted the way the defendant did.
Negligence, however, requires harm that can be quantified in real dollars. Intrusion upon seclusion tends to be relied on when there is no evidence of financial harm. This leads to the second fundamental merits issue raised by data breach class actions: what are the limits on recovery if a data breach has resulted in no identity theft, no fraud, no out-of-pocket expenses, and no objective psychological harm?
The limits on “moral” damages
Data breaches pose unique problems for damages. These often arise in cyberattack data breach cases (which also suffer from the recklessness problem). But they can come up in the more traditional vicarious liability cases as well.
If the organization compensates customers for any direct losses (e.g., points stolen from a rewards account), there is no evidence that fraud or identity theft has occurred in the 1-2 years it usually takes to get to certification, and there are no out-of-pocket expenses, it’s not clear what financial harm exists that could support a class action.
The damages problem becomes even more clear if the organization takes the further step of paying for identity theft insurance and credit monitoring services. Where these services have been provided, the risk of potential future harm (i.e., fraud or identity theft) has been mitigated and the source of any alleged anxiety has been objectively addressed. In the US, plaintiffs who only plead the risk of potential future harm (and related anxiety) cannot bring a class action, because they do not have standing [7].
In Jones, the Ontario Court of Appeal held that intrusion upon seclusion doesn’t require financial harm. “Moral” damages are compensable too. However, because no data breach case has gone to trial, the limits on “moral” damages are not clear. Most of the privacy cases that have gone to trial have involved invasions of privacy that were intensely personal, like Jones, where a bank teller spent many years snooping through the financial records of her partner’s ex-spouse.
“Moral” damages make sense in cases involving former intimate partners—the social and emotional harm can be real and significant and objectively assessed on a reasonable person standard, even if it doesn’t result in a visible provable illness. However, in a mass data breach, the exposure is impersonal and may even be fleeting. If there are no practical consequences and no objective psychological harm (because identity theft insurance and credit monitoring have been provided), it’s not clear that civil damages are justified. In Jones, the Court of Appeal held that the mere fact of a privacy breach is not actionable:
- It requires an intrusion that was “deliberate and significant”;
- “Claims from individuals who are sensitive or unusually concerned about their privacy are excluded”; and
- The intrusion must be one that, “viewed objectively on the reasonable person standard, can be described as highly offensive” [8].
For mass data breaches where no provable harm has been suffered, two approaches appear to have emerged at certification:
- Assess the type of data at stake and certify the claim if information was exposed that seems to be more “private”. For example, if the data breach involved the type of car a person drives, or the fact that they are having a child, the claim might not be certified. However, if credit reports are involved, it might be certified [9].
- Assess the consequences of the breach and certify if the impact was serious. For example, if the only consequence is the inconvenience or nuisance of having to change one’s passwords or deal with telemarketers, a class action might not be certified [10]. While this approach has been applied in Ontario, it is more likely to be followed in Québec where the criteria for authorization (i.e., certification) expressly require compensable damages. As a result, there may be real benefits for organizations defending data breach class actions to have the authorization of any Québec claims heard separately in Québec, and ahead of any common law certification hearing.
The contest between these two approaches was centre stage in the recent certification decision in Stewart v Demme. There, a hospital was sued after a nurse used patient information to dispense painkillers which she then stole. The evidence showed the nurse spent only seconds with the patient records, had no personal interest in them, patient information never left the hospital, and because the drugs that were improperly dispensed weren’t recorded on patients’ files, patient treatment was not affected. Since there were no practical consequences, Justice Morgan refused to certify the negligence claim because there was no provable harm. However, citing the fact that hospital records were involved, Justice Morgan certified the intrusion upon seclusion claim.
Clearly, what the nurse did in Demme was problematic. But, as Justice Morgan found: “the facts do not exactly ‘cry out for a remedy’” [11]. The nurse had already lost her licence to practice, had been terminated by her employer, and had received a criminal conviction. The hospital, in its turn, had been subject to serious regulatory review. The court’s decision to certify the intrusion upon seclusion claim appears to have been motivated by the patient relationship, rather than the actual consequences of the data breach. In circumstances like these, where there is no provable harm and behaviour modification has been accomplished, perhaps the “moral” aspect of the privacy interest is more properly satisfied by these parallel, punitive proceedings—making a damages claim not the preferable procedure.
Until a mass data breach case is decided on its merits, however, this issue (like the recklessness issue) is unlikely to be resolved.
[1] Grossman v Nissan Canada, 2019 ONSC 6180, para 1.
[2] Lozanski v The Home Depot, 2016 ONSC 5447, para 100.
[3] Jones v Tsige, 2012 ONCA 32, para 71.
[4] Tucci v Peoples Trust Company, 2017 BCSC 1525, para 152.
[5] Kaplan v Casino Rama, 2019 ONSC 2025, para 28.
[6] Agnew-Americano v Equifax Canada Co, 2019 ONSC 7110, para 115.
[7] Clapper v Amnesty International USA, 568 US 398 (2013, U.S. Supreme Court).
[8] Jones v Tsige, 2012 ONCA 32, para 72.
[9] Grossman v Nissan Canada, 2019 ONSC 6180 and Broutzas v Rouge Valley Health System, 2018 ONSC 6315.
[10] Rouge Valley and Bourbonnière c. Yahoo! Inc., 2019 QCCS 2624.
[11] Stewart v Demme, 2020 ONSC 83, para 72.
Reprinted by permission of LexisNexis Canada Inc., from the Class Action Defence Quarterly Edited by Eliot N. Kolers, Copyright 2020.
© 2024 by Torys LLP. All rights reserved.