Annoying Ain’t Enough: Moral Damages in the Context of Security or Data Breaches
In early 2013, an employee of the Investment Industry Regulatory Organization of Canada, the national self-regulatory organization which oversees all investment dealers and trading activity on debt and equity in the Canadian marketplace (“IIROC”), lost an unencrypted USB drive containing confidential and personal data of approximately 50,000 customers of its dealer members (the “Security Breach”).
Superior Court: "Inconveniences" of Security Breach Not Compensable
Further to the Security Breach, petitioner Paul Sofio (“Sofio”) instituted a motion for the authorisation to bring a class action before the Superior Court of Québec (the “Motion for authorization”) alleging that the Security Beach constituted a civil fault that resulted in damages for the purported members of the class, including himself. On August 20, 2014, Justice André Prévost dismissed the Motion for authorization finding that Sofio did not meet the “arguable case” criterion set out at article 1003 b) of the Quebec Code of Civil Procedure (“CCP”), since, in light of the facts alleged, he had not suffered compensatory moral damages (Sofio c. OCRCVM, 2014 QCCS 4061). Sofio did claim moral damages. These were essentially emotional “trauma” resulting from the fact that his confidential and personal data had been potentially exposed, and the trouble, hassle and inconvenience resulting from the time spent monitoring his banks accounts and credits card. The Superior Court found that these “inconveniences” were part and parcel of life in the twenty-first century and should not be compensated as moral damages.
Sofio appealed the decision before the Quebec Court of Appeal. On November 6, 2015, the Court of Appeal confirmed the Superior Court’s decision dismissing the Motion for authorization (Sofio c. OCRCVM, 2015 QCCA 1820).
Court of Appeal: Moral Damages Compensable, but Likely Only if Beyond Ordinary
Before the Court of Appeal, Sofio asked leave to file an affidavit from a member of the purported class who had allegedly been the victim of identity theft as a result of the Security Breach. The Court of Appeal confirmed that this new evidence, even if prima facie admissible, was irrelevant to the appeal sought. Indeed, under 1003 b) CCP, only the personal and individual case of Sofio had to be assessed. The fact that a member of the purported class had effectively suffered damages, moral or otherwise, was irrelevant under 1003 b) CCP. The Court of Appeal thus refused to grant leave to file the affidavit.
With respect to the appeal per se, Sofio argued that the Superior Court, by dismissing the Motion for authorization, had definitely closed the door to any future class action commenced further to data or security breaches where petitioner solely claims moral damages. In other words, according to Sofio, the Superior Court had now established that it was necessary to establish identify theft or fraud to meet the threshold of an “arguable case” under 1003 b) CCP in the context of data or security breaches. The Court of Appeal did not follow Sofio’s argument and confirmed that moral damages could be considered sufficient under 1003 b) CCP. In the case at hand, the Court concluded that the allegations of fact in the Motion for authorization were simply insufficient to establish any form of compensatory moral damages, even if the facts were deemed to be true.
Although the Court of Appeal confirmed that moral damages could be sufficient to meet the criterion of an “arguable case” under 1003 b) CCP, it did not give any example of facts or scenarios that might be deemed sufficient in this regard. We can infer, however, that, in the absence of actual identity theft or fraud, claims for moral damages will have to be based on allegations of fact that go beyond the “normal” or “usual” stress, hassle and inconvenience of living, working and doing business in a technologically advanced, digitally connected world.
Lessons for Businesses
In light of this, prompt and thorough action to inform and educate clients, customers and relevant third parties further to data or security breaches by providing assistance, identify theft protection and credit monitoring at no cost, for example, might reduce, and even eliminate, the stress, hassle and inconvenience that often constitute the triggers for a class action.
cyber security data breach privacy privacy breach