Data Breach Class Actions: Two Fundamental Problems With Liability

Published date: 26 June 2020
Subject Matter: Litigation, Mediation & Arbitration, Privacy, Data Protection, Privacy Protection, Class Actions
Law Firm: Torys LLP
Author: Ms Molly Reynolds and Shalom Cumbo-Steinmetz

'Data breaches involving the theft of personal information coupled with a ransom demand are becoming commonplace. In some cases, the loss of privacy and actual harm sustained is significant; in other cases, it is slight. But in almost every case a class action is sure to follow'.

Justice Belobaba, Grossman v Nissan Canada1

The world has gone digital. While Canada's privacy regulators are well established, the law of civil liability is still playing catch-up. This is particularly true in the class actions context.

Since 2012, when the Ontario Court of Appeal in Jones v Tsige recognized the first common law privacy tort (intrusion upon seclusion), a body of cases dealing with disputes between individuals has developed. Like Jones, these cases typically involve invasions of privacy that are intentional, and occur in the context of intimate personal relationships, where social and emotional harm can be real and significant.

To date, however, there has been no merits decision in a mass data breach class action. This has left the courts to grapple with fundamental issues about the scope of liability for mass data breaches in a context (certification motions) that is not well suited to resolving them. A recent series of decisions highlights two important issues:

  1. When third-party cybercriminals successfully breach a computer system and steal data, is the company that owns the computer system liable?
  2. When a data breach occurs, but there are no provable damages (i.e., no identity theft or fraud, no out-of-pocket expenses, and no objective psychological harm), is there a basis for civil liability?

The certification case law is conflicting. However, if these issues were tried on their merits, there are reasons to believe that the answer to both issues would be 'no'.

Liability for the criminal acts of third parties

As Justice Perell observed in Lozanski v The Home Depot: in a cyberattack, '[t]he real villains' are 'the computer hackers, who stole the data'2. But, because cybercriminals often can't be found, class actions usually focus on data custodians.

In Jones, the Ontario Court of Appeal held that intrusion upon seclusion requires intentional conduct, which was present in that case. However, Justice Sharpe went on to state: 'I would include recklessness'3.

Relying on this statement, courts have certified several class actions against organizations after cybercriminals successfully breached their systems. Despite this, certification judges have repeatedly observed that the basis for finding recklessness in a data breach caused by...
