The Canadian insurance market is awakening to the need for cyberinsurance against data loss and privacy breach events. Although there is clearly room for this market to grow, Canadian insurers are routinely issuing cyber coverage to protect against these risks. While insurers have developed loss experience with first-party data breach expense, ransomware and business interruption claims in recent years, knowledge and understanding of third-party risks caused by covered breaches remains limited. This article reviews the status of emerging third-party claim experience.

Class actions seeking damages arising out of data loss and privacy breaches are becoming increasingly common. However, all of the actions to date either remain at the certification stage or have been resolved through settlements. As a result, we have yet to see judicial analysis at a common issues trial of the causes of action being advanced and a final determination of damages. Nevertheless, three recent cases are instructive about the potential indemnity obligations of Canadian insurers under the cyber policies they have issued: Condon v. Canada (Condon);1 Tucci v. Peoples Trust Company (Tucci);2 and Broutzas v. Rouge Valley Health System (Broutzas).3

1. Litigation and Causes of Action

The decisions in Condon, Tucci, and Broutzas provide insight into various potential causes of action, because each arises out of a distinct set of circumstances. Condon pertains to the loss of a hard drive on which personal and financial information of hundreds of thousands of Canadian student loan recipients was stored. Tucci arose out of the hacking of a bank by a malicious third party. Broutzas concerns alleged misappropriation of personal health information by hospital employees and the subsequent sale of that information to vendors of certain financial services (particularly Registered Education Savings Plans, or "RESPs").

Each of these claims was made the subject of a putative class action (Broutzas was the subject of two distinct class actions). As a result, Canadian courts have been asked to certify causes of action in each set of circumstances. Condon is the subject of a negotiated settlement, which the Federal Court of Canada has approved. The consideration given to the various causes of action in the course of certification – and in the case of Condon, appeal and settlement as well – provides insight into the difficulties that class counsel and defence counsel (together with their instructing insurers) face in prosecuting and defending privacy and data breach class actions.

The putative class actions advanced many theories of liability: negligence; breach of contract; intrusion upon seclusion; breach of confidence; waiver of tort/unjust enrichment; and statutory theories of liability. Only three of these, however, have met with a measure of success at the certification stage: negligence; breach of contract; and intrusion upon seclusion.

In Canada, in order for certification to be granted, it must merely not be "plain and obvious that the cause of action will fail".4 Provided that there is "some basis in fact" for the existence of a common issue to be tried on behalf of all class members, the action can proceed as a class action.5 These are low threshold standards. Judicial consideration of each of these at the certification stage, however, has highlighted potential weaknesses in each theory and given rise to cautions from the bench with regard to their relative chances of success at trial. This article focuses on the strengths and weaknesses of each of these causes of action.

Review of these decisions also highlights the increased importance of "nominal damages" in the context of data/privacy breach class actions. As is outlined below, it is apparent that class counsel will in many, but not all, cases have difficulty in proving class-wide compensatory damages. While success at trial is far from assured, certain causes of action, if proved, can result in awards of nominal damages even in the absence of proven compensable injury. To better understand the exposure facing defendants and their insurers, we will also examine the meaning of "nominal damages" in the Canadian context.

2. Negligence

In each of the proceedings the putative class alleged that the defendants were negligent, arguing that they owed a duty of care to class members and failed to meet that duty by falling below the standard of care owed. More particularly, the defendants were alleged to have failed to have adequate safeguards in place to protect the information of class members. Each of the actions asserted that the class members had suffered actual damages as a result.

There are three primary pitfalls with respect to the allegations advanced. First, the theory of liability being advanced against many of the defendants is novel, in that it is not well established in Canada that a plaintiff can recover in negligence for what amounts to pure economic loss in the circumstances of a data/privacy breach. Second, proving actual damages on a class-wide basis, as is required in negligence, may be an insurmountable challenge, particularly where the risks involved are primarily prospective identity theft. Finally, even if a negligence cause of action is certified, class counsel must still prove the claim.

In Broutzas, the RESP dealer defendants were allegedly negligent for not properly supervising their employees who were allegedly buying confidential personal information of new mothers from hospital employees. That information was used to market RESP investments to those mothers. While the hospital acknowledged that it was in a relationship of proximity to its patients, the RESP dealers argued that the relationship between them and the class members was not sufficiently proximate to give rise to a duty of care. Perell J. characterised that element of the claim as novel and undertook the three-step analysis established in Anns v. Merton London Borough Council6 – foreseeability, proximity, and policy considerations. He determined that there was no duty of care on the part of the RESP defendants as the privacy breach was perpetrated by hospital employees. In the Court's view it was nonsensical to suggest that the RESP dealers could have supervised hospital employees.

While commenting primarily on the breach of contract claim, Perell J. also expressed concerns that the negligence cause of action as proposed merely mirrored existing statutory obligations and the emerging tort of intrusion upon seclusion. He was reluctant to certify any novel negligence action in circumstances where a statute already spoke to the issue. He also expressed concern that the negligence theory was being used as a "backstop" to the intrusion upon seclusion claim that was also being advanced. He refused to certify the negligence claim against the RESP dealers and their employees and, as seen below, the entirety of the claim.

Standing in contrast to that analysis is the decision in Tucci. There, the defendants provided financial services to members of the putative class and required those members to provide sensitive personal and financial information. The information at issue could clearly be used to harm the class members if lost (foreseeability) and those people were in a direct commercial relationship with the defendants (proximity). Masuhara J. did express concerns regarding the public policy stage of the Anns test, noting two considerations: (1) negligence ought not to step in where statutes already govern; and (2) a duty of care should not be imposed that creates indeterminate liability. He found that the theory of liability advanced did not arise out of statutory obligations but out of privacy and security policies the defendant itself had created. Similarly, liability was not indeterminate because it could only be owed to those who were customers of the defendant and whose information was stolen. This latter conclusion appears controversial, as liability could still be regarded as temporally indeterminate, in that damages for the future risk of identity theft clearly seek to compensate for an indeterminate period of time and amount. While this risk may be real, the law of negligence has rarely been used to impose damages for a potentially perpetual risk.

The novel nature of the negligence claims is not the only issue standing in the way of succeeding on a negligence claim. A plaintiff must prove actual loss resulting from the negligence of the defendant. The fact that the claim is being advanced through a class action only complicates matters, as actual damage must be demonstrated on a class-wide basis.

Tucci and Condon considered the loss of control over financial information, not personal health information as was the case in Broutzas. This is a critical distinction. In Tucci, it was not plain and obvious that damage to credit reputation cannot constitute a compensable harm. Similarly, out of pocket expenses including credit monitoring and wasted time and inconvenience related to preventing identity theft could constitute a class-wide harm.

These concerns were raised at the certification stage in Condon. There the court acknowledged that the allegations advanced against the government could support findings of a duty of care and of a breach of the standard of care, but questioned whether claims for compensable damages were advanced. It concluded they were not:7

... The Plaintiffs have not been victims of fraud or identity theft, they have spent at most some four hours over the phone seeking status updates from the Minister, they have not availed themselves of any credit monitoring services offered by the credit monitoring agencies nor have they availed themselves of the Credit Flag service offered by the Defendant.

The certification court held that damages cannot be awarded for merely speculative injuries and declined to certify the negligence issue for trial. Class counsel appealed that decision and it was overturned by the Federal Court of Appeal on the basis that "costs incurred in preventing identity theft" and "out of pocket expenses" could satisfy the damages requirement. While such damages may be capable of proof, actually marshalling this evidence on a class-wide basis appears to require judicial approval of some form of aggregate model. Whether this is possible or will be accepted by the courts is unclear.

Finally, in many circumstances, actually proving negligence may be difficult. Attacks by hackers, theft of large amounts of data by employees, and even lost laptops are relatively new phenomena. The fact that courts are still grappling with the law of negligence in this context is not surprising. When a person slips and falls, when one car hits another or when professional services fall below the expected standard, the act, error or omission is relatively straightforward and the resulting damages are reasonably identifiable. In data breach cases, numerous questions arise that are not so easily answered. If an organisation has handling and security protocols and an employee breaches those protocols, has the organisation fallen below the required standard? If that same organisation suffers a criminal attack that defeats the cyber-security in place, has it failed to fulfil its obligations? If a stolen laptop is password protected and the data encrypted, has the organisation been negligent? These are all considerable hurdles.

3. Breach of Contract

Breach of Contract allegations have met with some success, being certified in both Condon and Tucci. Condon involved contracts in the form of Student Loan Agreements. Multiple sections expressly pertained to the Minister's collection, protection and use of the information provided. The certification court acknowledged that these terms could potentially be relied upon to establish a breach of contract such that it was not plain and obvious that the claim would fail.

Similarly, in Tucci there were express contractual terms between the bank and its customers. The exact terms of the contract, however, needed to be determined, as the pleadings asserted that the contract included the defendant's "Website Terms & Conditions" and other terms. Those included statements that the defendant would comply with Federal and provincial privacy legislation, as well as express or implied terms that the defendant would keep information confidential and secure from loss and theft and would not use it except for purposes expressly authorised.

The defendant disputed that the contract included all such terms. It further argued that there was no allegation that those terms had been breached; it had promised to take reasonable steps to protect the information and had done so. The fact that a security breach had occurred did not mean that reasonable steps to protect the information had not been taken. Masuhara J. acknowledged these arguments but held that they should be determined at trial. The Court did not accept the defendant's argument that all forms of damages claimed were too remote, on the basis that, even if no actual damages were proved, nominal damages could be awarded if a breach of contract had occurred.

An interesting discussion pertained to a limitation of liability clause which the defendant said precluded the claim. The Court found that the limitation of liability clause did not preclude the claims per se; and that its effect was an issue for trial.

In Broutzas, the court refused to certify the breach of contract claims advanced. They were premised on the existence of a contract between the patients and the hospitals, which allegedly included terms governing the protection and use of personal information and promising peace of mind. Perell J. ruled that it was "plain and obvious that the putative Class Members [did] not have a claim for breach of contract and warranty". The judge agreed with Rouge Valley's submission that this claim was an artifice by which to sue for breach of statutory obligations. The pleadings simply alleged the duties that the hospitals owed under the Personal Health Information Protection Act, 2004.8 Moreover, the admission forms and information forms provided to the incoming patients were not contractual in nature, and there was no bargaining between patients and the hospital about preserving the confidentiality and privacy of patient information, which the hospitals were statutorily obliged to do. In short, there was no contract into which terms could be implied and if there had been, those terms were already the subject of non-contractual legal duties.

Where a commercial relationship is present, any contract is likely to either be silent on privacy issues or to favour the corporate entity. Commercial contracts, particularly consumer contracts, increasingly feature arbitration, venue and jurisdiction clauses that may restrict the ability of individuals to bring claims before Canadian courts – especially those claims seeking to enforce express or implied terms of the contract itself. While the Supreme Court of Canada, together with lower courts, has questioned the validity of onerous terms (see Douez v. Facebook9 and Heller v. Uber Technologies Inc.10), reasonable terms may still be enforced. Where that existing contract considers the gathering of information by the organisation, a contract claim will likely be easier to have certified than a negligence claim because there is no requirement to show actual damages. A breach alone should be sufficient to result in nominal damages at minimum. However, a breach of contractual terms must still be shown, and those terms will not necessarily create an obligation to prevent security breaches or misuse of information altogether. As the defendant in Tucci pointed out, the fact that a security breach has occurred does not mean that reasonable steps to protect the information have not been taken.

Like potential class members, organisations that have been hacked are victims of a crime. The standard likely to be imposed by contract is not strict liability. If express contractual terms drafted by the organisation set the standard, that standard is not likely to be high. Again, certification is a low bar, but proving contractual terms existed and were breached may be a significant challenge. On the other hand, there is arguably an important benefit to breach of contract claims: they can result in an award of nominal damages even if no actual loss is proved. However, a passage in Condon suggests the availability of an award of nominal damages may not be a certainty in the class action context:11

[The Defendant] further argues that nominal damages should never be awarded in a class action as it would not favour the plaintiffs but rather their counsel, since the latter would be the only ones effectively standing to benefit financially from the outcome.

The Defendant advances an interesting and strong argument on this point but the Plaintiffs' position, although novel in the context of a class proceeding is supported by sufficient authorities that this cause of action should be considered on the merit of the action. In other words, it is not plain and obvious that the cause of action in contract would fail. As to any disproportionate advantages in favour of the Plaintiffs' counsel, the Court will also be better positioned to rule on that issue when it hears it on the merit.

Although it must be acknowledged that the court in Tucci certified the question as to whether wasted time could be the basis for awarding aggregate damages, it is open to question whether such damages are "nominal" in nature, or simply a form of compensatory damages arising out of economic loss. In short, like negligence claims, it is not clear that breach of contract claims offer a direct path to recovery for class members in the data and privacy breach context.

Footnotes

1. Condon v. Canada, 2014 FC 250.

2. Tucci v. Peoples Trust Company, 2017 BCSC 1525.

3. Broutzas v. Rouge Valley Health System, 2018 ONSC 6315.

4. R v. Imperial Tobacco Canada, 2011 SCC 42 at para 17.

5. Fehr v. Sun Life Assurance Co of Canada, 2018 ONCA 718 at para 85.

6. Anns v. Merton London Borough Council, [1978] AC 728 (HL).

7. Condon at para 68.

8. Broutzas at paras 216–217.

9. Douez v. Facebook, Inc, 2017 SCC 33.

10. Heller v. Uber Technologies Inc, 2019 ONCA 1.

11. Condon at paras 50–51.
