Across the country, most class actions brought against organizations further to major computer security incidents do not make it past the screening device of certification (or “authorization” in Quebec). The nature and circumstances of computer security incidents make it difficult for plaintiffs to meet class action certification requirements and leave several unanswered questions concerning the resulting liability of organizations.
Computer security incidents, and more particularly cyberattacks, are increasingly frequent, serious and costly. In its National Cyber Threat Assessment 2020, the Canadian Centre for Cyber Security noted, among other things, that the number of cyber threat actors is rising, that they are becoming more sophisticated and that malicious activity directed against Canada will almost certainly continue to target large enterprises and critical infrastructure providers. When an organization is targeted, it is not uncommon for its operations to become paralyzed to some extent.
The organization is not the only one affected, however. When an organization that experiences a computer security incident is one that collects, stores or uses the personal information of clients, associates or employees, these individuals may claim to have suffered a privacy breach. The breach may arise, for example, from the fact that personal information was accessed or stolen by the cyber threat actors or that the information ended up in the possession of an unauthorized third party. In such cases, the organization acting as the custodian of the personal information is often blamed.
Class actions immediately come to mind as the ideal procedure for these situations. Class actions permit the consolidation, within a single proceeding, of all claims that may arise from a cyberattack or other type of computer security incident. Although such consolidation provides greater access to justice, it remains an unusual procedure and must ensure the efficient use of judicial resources.
Accordingly, before the parties can argue the case on the merits, the plaintiff must present an application to the court for certification of the class action. If the conditions set out in the applicable statute are met, the class action will be certified. It is only after having gone through this step that the parties may go to trial and have a court determine whether a breach has in fact occurred and whether the organization sued is liable. Despite the differences in the applicable statutes across the country, it has consistently been held that judges must adopt a flexible approach in their analysis at the certification stage. That said, certification must remain a meaningful screening device, such that proceedings that are frivolous, clearly unfounded or otherwise bound to fail will be dismissed.
To date, despite the proliferation of computer security incidents in Canada affecting thousands, if not millions, of people, judgments on the merits in class actions brought in response to such incidents are particularly rare. In fact, the judgment rendered last month by the Quebec Superior Court in Lamoureux v. OCRCVM, dismissing a class action for the loss of personal information, is the only example in Quebec and Canada of a judgment rendered on the merits for this type of action. While some such actions were settled out of court, several were unable to get past the screening device of certification.
For example, last February, a judge of the Ontario Superior Court of Justice refused to certify the class action brought against Facebook on behalf of Canadian residents whose information was allegedly shared with Cambridge Analytica Group. The judge found that the plaintiff did not establish a sufficient basis in fact for the alleged sharing of information. In other words, the evidence presented did not establish that the sharing of the information in question actually took place. The plaintiff’s allegation regarding the sharing of information was essentially based on a notification that Facebook sent to its clients stating that their personal information “may have [been] misused”. According to the judge, it followed that there was no factual basis to support the proposed common issues, i.e., that Facebook had violated the privacy of the class members.
Earlier this year, the Court of Queen’s Bench of Alberta also refused to certify a class action, this time against Uber. The action was brought after hackers obtained the names, telephone numbers and addresses of Uber users and drivers in 2016. It was alleged that Uber failed in its obligations to protect the personal information and to inform the affected individuals.
However, the judge found that the evidence was insufficient to establish that any individual had suffered damage as a result of the incident. In coming to that conclusion, the judge conducted a brief overview of Canadian case law on the issue, including a few recent judgments from Quebec. Among other things, this overview indicated that although a claim for nominal damages will not automatically lead to the dismissal of an application for authorization or certification, some evidence (or “some basis in fact”) of actual harm or loss is nevertheless required. If no such evidence is established, the application is incomplete. Noting that the plaintiff also failed to establish that the class action was the preferable procedure for the resolution of the common issues raised, the judge refused to certify the action.
Among the certification requirements analyzed in these two cases, the “sufficient basis in fact” was lacking. It is interesting to note that this criterion is not included in the requirements listed in the Quebec Code of Civil Procedure. Moreover, the Supreme Court recently reiterated that the class action authorization threshold is low in Quebec in comparison with the applicable thresholds in the rest of Canada. The Quebec courts do not consider whether there is a “sufficient basis in fact” to support a plaintiff’s claim but simply whether the proposed legal syllogism is arguable.
Quebec judges nevertheless exercise a screening function at the authorization stage, in the same way as their counterparts in the other Canadian provinces. That is why it was found that in cases involving privacy breaches, mere allegations of potential damage are generally insufficient to support the authorization of a class action. In this regard, it has also been found that transient embarrassment and inconveniences are insufficient grounds for authorizing a class action, although allegations of moral damages may be sufficient.
The “tort of intrusion upon seclusion” could make it easier to certify class actions in certain common law provinces than to authorize those brought in Quebec, because the plaintiff does not need to establish proof of harm to a recognized economic interest. That said, the development of this tort remains controversial, and its application is uncertain in privacy matters, in particular because intentional or reckless conduct must be established to invoke it successfully.
Certification is an effective screening device and continues to adapt to class actions involving privacy matters. That being said, the basis of organizations’ liability for such privacy breaches remains an outstanding issue as a result of the effectiveness of this screening device (combined with frequent settlements).
To what extent can an organization be required to compensate individuals whose personal information was affected by a cyberattack when the organization took all possible measures to comply with its legal obligations regarding privacy protection? What is the applicable basis of civil liability if the damage suffered by individuals allegedly affected by a privacy breach is, in practice, impossible to prove?
The judgments rendered across the country at the authorization or certification stage, to which we can now add the Quebec Superior Court’s judgment on the merits in Lamoureux v. OCRCVM, identify with increasing precision the issues we should focus on in seeking an organization’s liability in the context of a privacy breach. As illustrated by several of the judgments discussed above, it is important to carefully examine the nature of the alleged harm and the evidence supporting it. Further argument on the merits of these issues is needed, however, before the state of the law in this area is settled.