Data Breach Class Actions: No Harm, No Foul?

• Published date: 26 August 2021
• Subject Matter: Litigation, Mediation & Arbitration, Privacy, Data Protection, Privacy Protection, Class Actions
• Law Firm: Torys LLP
• Author: Ms Emma Loignon-Giroux, Stacey Reisman (Danis), Shalom Cumbo-Steinmetz, Molly Reynolds and Colette Koopman (Summer Student)

Data breaches and cyberattacks continue to make headlines as individuals and companies alike have become increasingly reliant on digital services, particularly during the COVID-19 pandemic. In June 2020, we wrote about two fundamental problems with liability in data breach class actions, namely (i) whether there is a basis for civil liability for a data breach without proven damages, and (ii) whether companies are liable for criminal acts of third parties who steal their data¹.

Over the last year, courts have begun to provide clarity on some of these questions. The Ontario Divisional Court recently considered whether the tort of intrusion upon seclusion applies when data is stolen by a third party rather than by the defendant, and we now have a first decision on the merits in a data breach class action.

Some evidence of harm is required

Canadian courts are developing a theory of liability in data breach class actions that depends on evidence of harm. In defining the threshold of harm that must be proven, courts are looking to the type of information concerned and the actual rather than feared consequences of a breach. Plaintiffs in data breach class actions therefore face hurdles in showing not only that defendants were negligent in their safeguarding of information, but also that legally recognizable harm was suffered.

These hurdles create limitations on those who will be held liable for damages when a data breach occurs. In the first decision on the merits in a data breach class action in Canada, Lamoureux c. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), the Superior Court of Québec dismissed the class action on the basis that there was no evidence of compensable harm. This ruling is consistent with other actions across Canada where certification has been denied because of a lack of proof of harm.

In Lamoureux, the defendant, IIROC, admitted that it was at fault for losing a laptop containing class members' personal information, and for not ensuring maximum protection of class members' information, since the laptop did not feature the two-step encryption IIROC's policies required. The question at issue was whether the alleged prejudice to class members was compensable.

While the Court acknowledged that the negligent loss of information can ground a finding of prejudice, it found that the anxieties flowing from the loss of information did not constitute compensable prejudice in this case. The plaintiffs' claims for damages as a result of anger and stress were not supported by sufficient evidence, and had not proved lasting psychological harm. Crucially, the Court dismissed allegations that class members' increased monitoring of their financial accounts amounted to compensable prejudice. Instead, the Court held that this type of activity formed part of the normal expected behaviour of someone who is mindful of protecting their assets. This finding follows prior jurisprudence in Québec, which has consistently held that minor inconveniences cannot form the basis for a damages claim.

While the decision in Lamoureux...