2021/2022 Cyber/Data Outlook: Data Breach Class Actions and Litigation in Canada
NEW CLASS PROCEEDINGS REGIME MAKES ONTARIO LESS POPULAR FOR PLAINTIFFS
In October 2020, amendments to the Ontario Class Proceedings Act, 1992 came into force, implementing a number of substantive and procedural changes that make it more difficult for plaintiffs to bring data breach class actions in Ontario.
The most significant substantive change to the legislation is a more rigorous test to be applied at certification. Influenced by the U.S. model, the preferable-procedure analysis now requires the plaintiff to prove that common issues predominate over individual ones, and that a class proceeding is superior to all reasonably available means of determining the entitlement of the class members to relief or addressing the defendant’s impugned conduct. This is in contrast to the old test (and the test that remains in many other provinces) that only required that there exist some common issues whose resolution would advance the litigation. The amendments also impose procedural changes that could make it more difficult for plaintiffs to advance claims in Ontario, such as a new presumption that defendants’ dispositive motions can proceed before a plaintiff’s motion for certification.
Overall, these amendments make Ontario a less attractive forum for plaintiffs seeking to bring class actions arising from a data breach. As many predicted, the year after the Ontario amendments came into force has brought with it a noticeable shift, with more plaintiffs seeking to bring their class actions in common law jurisdictions other than Ontario, such as B.C. and Alberta.
COURTS BEGIN TO GROW SKEPTICAL OF DATA BREACH CLASS ACTIONS; REINFORCE THE IMPORTANCE OF POST-BREACH MITIGATION
While plaintiffs continue to file litigation — often class action litigation — in the wake of data breaches, there is a real question as to whether the actual or potential release of personal information has actually caused any harm to affected individuals. Over the past year, courts have begun to look critically at plaintiffs’ claims of minimal or speculative harm.
Plaintiffs often claim damages for anxiety, inconvenience, and the risk of potential future misuse of their information arising from a data breach, such as identity theft. However, increasingly, such claims can seem opportunistic and unfounded. Cyber attacks and the resulting potential loss of data are now widely viewed as commonplace, not an exception. And many companies respond to breaches by offering services such as credit monitoring to reduce the risk of future harm. By the time a proposed class proceeding winds its way through the courts, there is often little or no evidence that any of the proposed class members has actually suffered a loss.
In 2021, Canadian courts scrutinized data breach claims, and in many cases either dismissed or refused to certify them if there was no evidence that class members actually suffered any compensable harm. For example:
- In Lamoureux v. Investment Industry Regulatory Organization of Canada (IIROC), the Québec Superior Court dismissed an authorized class proceeding on the merits because the plaintiff had failed to establish any harm above ordinary annoyances, finding that such everyday anxieties and annoyances are not compensable.
- In Setoguchi v. Uber B.V., the Alberta Court of Queen’s Bench took heed of its gatekeeper role and the culture shift away from certifying de minimis claims, and declined to certify a class action arising out of a data breach. There was no evidence class members had suffered harm or loss — indeed, there was positive evidence that no class member had. And even if some class members had suffered a loss, a multitude of individual hearings would be required to establish causation and damages, making a class proceeding inappropriate.
- In Simpson v. Facebook and Kish v. Facebook, the Ontario and Saskatchewan courts refused to certify a class action about the Cambridge Analytica data breach because there was no evidence that Canadian Facebook users’ personal data was inappropriately shared, and therefore there were no common issues related to breach of privacy that could be certified.
- In Kaplan v. Casino Rama Services Inc., the Ontario Superior Court of Justice refused to certify a class action because there was no evidence anyone had suffered any harm, including because of the defendant’s exemplary incident response. It had “contacted all appropriate authorities, took steps to close down the two websites that contained the stolen information, notified the thousands of customers, employees and suppliers potentially affected by the security breach and offered free credit monitoring services for one year to many of them.”
Looking forward, defendants who are victims of a cyber attack can expect to place more emphasis on the absence of harm to class members, as well as on the robustness of their incident response and measures to reduce risk of harm to would-be plaintiffs, as a means to defend against class actions.
PRIVILEGED? THE DEBATE OVER FORENSIC INVESTIGATION REPORTS
Lawyers advising companies in the wake of a data breach usually engage cyber forensic experts to investigate the incident and produce a report for use by legal counsel. Such reports are essential for lawyers to provide candid legal advice to their clients about the breach and related litigation and are intended to be privileged and confidential. However, plaintiffs and organizations may still try to compel production of the report in litigation or regulatory investigations.
A number of recent U.S. decisions have confronted this issue, and these decisions show that, in some circumstances, forensic reports may be vulnerable to attacks on their privilege if appropriate protective measures are not taken. For example, in In re Capital One Customer Data Security Breach Litigation, a Virginia court ruled that a forensic investigation report was not privileged because it was not created for the purpose of litigation: the forensic investigator who prepared it was previously engaged by the company under a non-privileged engagement and, even though the company’s lawyers executed a new engagement letter with the investigators after the breach, it was for the same scope of work. The court further found that, even if the report had been privileged, the privilege was waived when the company disclosed its contents to the company’s auditor, regulators, and other business personnel. Similarly, in In re Rutter’s Data Security Breach Litigation, a Pennsylvania court found that an investigation report was not privileged because it was prepared for the purpose of determining whether a breach had occurred — not for defending the company in litigation.
The U.S. decisions, while based on U.S. privilege laws, foreshadow an issue that may increasingly find its way into Canadian courts. For example, in Kaplan v. Casino Rama Services Inc., the Ontario Superior Court of Justice found that the company waived privilege over portions of forensic investigation reports prepared in the wake of a data breach when it disclosed the number of people affected by the breach.
Going forward, organizations should anticipate that regulators or plaintiff’s counsel may seek disclosure of investigation reports and challenge any privilege claimed over them. Companies should act accordingly to protect privilege. This includes working with legal counsel to establish an incident response plan and a strategy for preserving privilege, both over forensic investigation reports and generally. Ensuring that counsel are involved, and that expert mandates are properly structured to prevent loss of the privilege that attaches to them, is likely to become increasingly important.
To keep you informed, empowered, and ahead of the curve, McCarthy Tétrault’s multidisciplinary Cyber/Data experts have launched the 2021/2022 Outlook Report, which provides an overview of the important Cyber/Data developments of 2021 and looks ahead to potential changes in 2022.