August 11, 2020
Dolden Wallace Folick’s Class Action Newsletter – August 2020
We are pleased to announce the launch of the Dolden Wallace Folick LLP Class Action Newsletter. This is the first of our quarterly publication dedicated to class action articles, news and other updates.
Casino Rama Case Highlights Pitfalls Facing Class Actions Stemming from Privacy Breaches
By Travis Walker, Dolden Wallace Folick Toronto, Email: firstname.lastname@example.org
2019 was a busy year for class actions. Cases pertaining to data and privacy breaches were particularly prevalent as a number of large-scale breaches dominated news headlines. While we have yet to see a data breach class action advance through the trial stage in Canada, many such claims have had little trouble succeeding at the certification stage; outside of Quebec at least. However, this did not hold true for one recent data breach case, Kaplan v. Casino Rama [“Casino Rama”], which was denied certification.
Casino Rama offers some insight into the potential pitfalls that proposed class actions in this subject matter may face. An unidentified third party surreptitiously gained access to Casino Rama’s computer systems and took personal information pertaining to customers, employees, and suppliers. When Casino Rama refused to pay a ransom in exchange for the information, the hacker posted stolen information regarding nearly 11,000 people publicly. Casino Rama notified the authorities and affected individuals of the breach, offering each one year of free credit monitoring services. Casino Rama also made efforts to have the websites where the stolen information was published taken down. More than two years later, there was no evidence that anyone had suffered from fraud or identity theft due to the breach. That did not stop those potentially affected from commencing a class action against Casino Rama for damages however.
One of the requirements for certification of a class action pursuant to section 5(1) of the Class Proceedings Act, 1992 (Ontario) is that there must be an identifiable class with one or more issues common to the class. In Casino Rama, the Court took issue with certain causes of action advanced as well as the proposed class definition, yet ultimately the action “collapse[d] in its entirety” due to a lack of commonality. Class counsel sought to certify a total of 30 common issues, which the Court grouped into five categories: negligence, breach of contract, breach of confidence, privacy torts, and damages. After going through each category, the Court was unable to find commonality in any of the proposed issues.
The Court’s most notable commentary was with respect to the proposed common issues of negligence and tort of intrusion upon seclusion. Regarding the negligence allegations, the Court held that the appropriate duty and standard of care came from the federal Personal Information Protection and Electronics Documents Act, which is to say that the duty and standard of care depended on the sensitivity of the information at issue. The nature of the information which was stolen by the hacker varied for each individual. Some people had personal banking details exposed (highly sensitive), while for others it was only basic contact details (minimally sensitive). On that basis, the allegations of negligence would have to be evaluated on an individual as opposed to a class-wide basis, defeating the purpose of a class proceeding.
With respect to the tort of intrusion upon seclusion, the Court did not find the cause of action doomed to fail as with the other privacy torts. Instead, the Court shot these allegations down at the commonality stage. An essential element of the tort is that the intrusion be highly offensive to a reasonable person. The Court found that such a determination could not be made on a class-wide basis and that individual inquiries were required to determine whether a reasonable person would be offended by the publication of the information at issue which, again, was not common to all class members.
As there was no commonality among the proposed issues of liability, the Court was not required to evaluate the commonality of damages or whether the class proceeding was the preferred method for trying the issues.
Finally, the Court noted that regulatory findings, while potentially helpful to class plaintiffs, are not determinative of legal liability. Prior to the certification motion, Ontario’s Information and Privacy Commissioner issued a report which found that Casino Rama failed to have reasonable security measures in place to prevent unauthorized access to its personal information. Such a finding does not replace the analysis the Court is required to undertake on a motion for certification.
Following Casino Rama, the Ontario Superior Court of Justice certified class actions in Grossman v. Nissan Canada and Stewart v. Demme, both of which arise from wide-scale privacy breaches. The Nissan case dealt with a situation where an unidentified employee used their credentials to access and copy personal information of thousands of Nissan customers. The Stewart case pertains to a nurse who accessed health records of over 11,000 patients in order to steal narcotic pain medication.
In both Nissan and Stewart, the Court certified the allegations of intrusion upon seclusion as common to the proposed class. This is noteworthy as in both cases, as well as in Casino Rama, there was little to no evidence of any tangible harm having been suffered by any of the affected individuals. Accordingly, the cases were largely dependent upon the symbolic or moral damages which the tort of intrusion upon seclusion affords. This is likely to be true for most privacy breach cases unless evidence of fraud or identity theft in relation to the breach materializes.
As noted previously, the Court in Casino Rama would not certify the intrusion upon seclusion cause of action as individual assessments were deemed necessary to determine whether class members were actually offended by the disclosure of their information. In Nissan, the same judge who decided Casino Rama, held that assessments of individual sensitives were not permitted when assessing allegations of intrusion upon seclusion; only the objective, reasonable person standard could be used. While these positions are seemingly contradictory, the difference appears to stem from the commonality of the information at issue. In the Nissan case, the nature of the personal information exposed was common to all of the affected individuals. Similarly, in Stewart, the rogue nurse had accessed personal medical information. This suggests that in order for the intrusion upon seclusion cause of action to be certified on a class basis, the nature of the personal information compromised must be common to the proposed class.
The Casino Rama case stands out as somewhat of an oddity given that certification of a class proceeding tends to be a relatively low bar in Canada, as evidenced by the cases which followed it. Yet it provides some important insight on the certification of issues which are likely to be common to most, if not all, privacy breach actions, particularly the intrusion upon seclusion tort. In addition, with Ontario having just recognized a new privacy tort, publicity placing a person in a false light, which will no doubt be finding its way into the next wave of privacy breach class actions, some consistency in the jurisprudence is much needed at this time. One thing seems to be certain, this genre of class action is not going away anytime soon and both plaintiff and defendant class counsel are eagerly awaiting a trial decision to see how some of the issues raised on these certification motions will play out on the merits.
|Tel: 647 798 0614|
Please contact the editor if you would like others in your organization to receive this publication.