Cyber Class Action Exposure In Canada

The Canadian insurance market is awakening to the need for cyberinsurance against data loss and privacy breach events. Although there is clearly room for this market to grow, Canadian insurers are routinely issuing cyber coverage to protect against these risks. While insurers have developed loss-experience with first party data breach expense, ransomware and business interruption claims in recent years, knowledge and understanding of third-party risks caused by covered breaches remains limited. This article reviews the status of emerging third-party claim experience.

Class actions seeking damages arising out of data loss and privacy breaches are becoming increasingly common. However, all of the actions to date either remain at the certification stage or have been resolved through settlements. As a result, we have yet to see judicial analysis at a common issues trial of the causes of action being advanced and a final determination of damages. Nevertheless, three recent cases are instructive about the potential indemnity obligations of Canadian insurers under the cyber policies they have issued: Condon v. Canada (Condon); 1 Tucci v. Peoples Trust Company (Tucci); 2 and Broutzas v. Rouge Valley Health System (Broutzas).3

1. Litigation and Causes of Action

   The decisions in Condon, Tucci, and Broutzas provide insight into various potential causes of action, because each arises out of a distinct set of circumstances. Condon pertains to the loss of a hard drive on which personal and financial information of hundreds of thousands of Canadian student loan recipients was stored. Tucci arose out of the hacking of a bank by a malicious third party. Broutzas concerns alleged misappropriation of personal health information by hospital employees and the subsequent sale of that information to vendors of certain financial services (particularly Registered Educational Savings Plans, or "RESPs").

   Each of these claims was made the subject of a putative class action (Broutzas was the subject of two distinct class actions). As a result, Canadian courts have been asked to certify causes of action in each set of circumstances. Condon is the subject of a negotiated settlement, which the Federal Court of Canada has approved. The consideration given to the various causes of action in the course of certification - and in the case of Condon, appeal and settlement as well - provides insight into the difficulties that class counsel and defence counsel (together with their instructing insurers) face in prosecuting and defending privacy and data breach class actions.

   The putative class actions advanced many theories of liability: negligence; breach of contract; Intrusion upon Seclusion; Breach of Confidence; waiver of tort/unjust enrichment; and statutory theories of liability. Only three of these, however, have met with a measure of success at the certification stage: negligence; breach of contract; and intrusion upon seclusion.

   In Canada, in order for certification to be granted, it must merely not be "plain and obvious that the cause of action will fail".4 Provided that there is "some basis in fact" for the existence of a common issue to be tried on behalf of all class members, the action can proceed as a class action.5 These are low threshold standards. Judicial consideration of each of these at the certification stage, however, has highlighted potential weaknesses in each theory and given rise to cautions from the bench with regard to their relative chances of success at trial. This article focuses on the strengths and weaknesses of each of these causes of action.

   Review of these decisions also highlights the increased importance of "nominal damages" in the context of data/privacy breach class actions. As is outlined below, it is apparent that class counsel will in many, but not all, cases have difficulty in proving class-wide compensatory damages. While success at trial is far from assured, certain causes of action, if proved, can result in awards of nominal damages even in the absence of...