Data breach class actions – The proof of damages dichotomy

Data Breach

Litigation, Arbitration and Investigations Alert

By:

On September 7, 2017, Equifax announced that the personal information of 143 million of its users, including an estimated 8,000 to 19,000 Canadians, was compromised as a result of a global data breach.

On September 11, 2017, Daniel Li filed an Application for Authorization to Institute a Class Action before the Superior Court of Quebec (Li c. Equifax inc., 2019 QCCS 4340 (CanLII)), primarily alleging:

  1. That Equifax was extra-contractually liable pursuant to Article 1457 of the Civil Code of Quebec ("CCQ") due to its failure to store and safeguard the personal and financial information of the class members;

  2. The violation of class members’ right to privacy and reputation resulting from the communication or failure to prevent communication to third parties of personal information without the Plaintiff’s authorization, pursuant to Articles 3, 35 and 37 of the CCQ; and

  3. That Equifax violated the class members’ right to privacy and to nondisclosure of confidential information pursuant to Sections 5 and 9 of Quebec’s Charter of Human Rights and Freedoms.

As a result of the alleged faults, the Plaintiff sought compensatory damages for expenses, ‎troubles and inconveniences associated with the unauthorized access to personal ‎information, including cancellation of credit cards and the purchasing of credit monitoring ‎services; moral damages resulting from “mental distress”; and “other losses”.‎

Justice Bisson held that the allegations of fact set out in the Plaintiff’s Application for Authorization demonstrated on a prima facie basis that the data breach resulted from a fault. However, the Plaintiff’s allegations were insufficient to demonstrate any damages suffered as a result of that fault. 

Indeed, in order to successfully obtain authorization of a class action in Quebec, the Plaintiff must allege, with sufficient precision and with some supporting evidence, all of the elements of a valid cause of action. This includes not only a fault, but also damages. Moreover, Justice Bisson’s ruling reminds us that the evaluation of whether those elements are demonstrated must be studied in the light of the personal case of the Plaintiff.

Justice Bisson found that Mr. Li had yet to take any steps or incur any expenses as a result of the data breach, and had also not suffered any inconveniences as a result of same. Indeed, Mr. Li himself had not been a victim of identity theft and had not organized or purchased credit monitoring services or cancelled his credit cards. Moreover, the Plaintiff’s characterization of mental distress in his Application for Authorization did not rise above the ordinary annoyances, anxieties and fears that people living in society routinely accept (if sometimes reluctantly). Furthermore, the “other losses” claimed by the Plaintiff were not described.

In light of all of this, Justice Bisson concluded that the Plaintiff had not demonstrated the existence of damages in his personal case, and therefore no colour of right justified the authorization of the class action. He further held that, for the moment, Quebec law does not recognize a ‎damage simply because a third party is in possession of personal information without ‎authorization, and no more. 

Indeed, in this case, the Plaintiff’s damages were uncertain and hypothetical. Article 1611 of the CCQ sets out that a party can be compensated for the amount of the loss suffered and the profit of which the party was deprived. Future losses may be taken into account when awarding damages only when they are certain and assessable. Thus, uncertain and hypothetical damages cannot be compensated.

Class actions authorized in data breach scenarios

This case can be distinguished from other class action cases in Quebec that have been authorized in data breach scenarios, in which the plaintiffs have indeed sustained a loss that when alleged, demonstrated a colour of right with respect to damages that justified the authorization. 

That is the case, for example, in the case of Zuckerman v. Target Corporation ‎(2017 QCCS 110 (CanLii)).  In that instance, Mr. Zuckerman had purchased one month of credit monitoring services before Target advised Canadian customers impacted by the data breach that it would be offering one year of free credit monitoring services. As a result, the Court concluded that there was a prima facie demonstration of a damage resulting from the expense of $19.95 incurred by Mr. Zuckerman for those credit monitoring services. Moreover, Mr. Zuckerman had claimed punitive damages, and the Court held that the allegations of the Application for Authorization met the relatively low standard to demonstrate a claim of such damages.

More recently, authorization/certification was sought of parallel Quebec and Ontario class actions resulting from a data breach in December 2017 by an unknown Nissan employee, who accessed a company data base and obtained the personal information of thousands of customers. That personal information included names, addresses, vehicle make and model, vehicle identification number (VIN) and credit scores.

In evaluating whether to certify the Ontario Nissan class action, the Superior Court of Ontario (Grossman v. Nissan Canada, 2019 ONSC 6180) noted that, almost two years later, there is no evidence that any of the stolen information has been made public or otherwise misused. Although “the actual or out of pocket losses for the plaintiffs are minimal or non-existent”, the Court indicated that class members are nonetheless potentially able to claim damages. Indeed, under the common law of Ontario, the privacy tort of "intrusion upon seclusion" allows the Plaintiff to claim an award of up to $20,000 in "symbolic" or "moral" damages, despite the absence of actual financial loss.

The class action over the Nissan data breach also received authorization in Quebec (Levy v. Nissan Canada Inc., 2019 QCCS 3957), for similar reasons as Zuckerman. The Plaintiff in this matter had also alleged that she incurred an expense for credit monitoring services as a result of the data breach. The Superior Court of Quebec confirmed that alleging as much is sufficient to demonstrate a damage for the purposes of authorization of the class action. However, contrary to Zuckerman, the Plaintiff in the Quebec Nissan case failed to make sufficient allegations to justify her claim for punitive damages, and Justice Gagnon refused to authorize same.

Conclusion

Failure to allege and demonstrate a colour of right with respect to damages suffered by the Plaintiff in the event of a data breach will be fatal to the authorization of a class action in Quebec. Demonstrating on a prima facie basis that a fault occurred is not sufficient, and the allegation of an uncertain or hypothetical harm will not pass muster. In comparison, data breach class actions in Ontario can be certified by demonstrating the existence of the privacy tort of "intrusion upon seclusion", despite the absence of actual financial loss, because the tort necessarily opens the door to possible symbolic or moral damages.

This article provides only general information about legal issues and developments, and is not intended to provide specific legal advice. Please see our disclaimer for more details.