Landmark ruling: The Superior Court dismisses a class action over the loss of personal information in Lamoureux v. OCRCVM, 2021 QCCS 1093

This article is part of our Cybersecurity Blog Series, which is intended to provide readers with a 360° view on cybersecurity. To view other blog posts in the series, please visit Cybersecurity Blog Series from McCarthy Tétrault’s Cyber/Data Group.

Introduction

In a judgment rendered on March 26, 2021, the Quebec Superior Court dismissed the class action brought by Danny Lamoureux against the Investment Industry Regulatory Organization of Canada (“IIROC” or the “Organization”) in which he claimed damages for the Organization’s loss of personal information.

The Quebec Superior Court thus rendered a noteworthy decision on the merits of a privacy class action, concluding that Mr. Lamoureux did not demonstrate sufficiently serious non-pecuniary damages to entitle him to compensation.

The Superior Court, presided over by the Honourable Florence Lucas, also dismissed the claim for punitive damages, as she found that, following the incident, IIROC had implemented the appropriate response measures and had notified the concerned individuals without delay.

Background

Mr. Lamoureux’s class action was based on an incident in February 2013, during which an IIROC inspector misplaced his unencrypted laptop on a train. The device, which was merely password-protected, contained personal information belonging to thousands of Canadian investors. It was never recovered.

Following this incident, a disgruntled investor, Paul Sofio, filed an initial application for authorization to institute a class action against IIROC.[1] Mr. Sofio accused the Organization of being negligent in its loss of personal information, additionally pointing to the delay between the incident and a notice being sent to the affected individuals. According to Mr. Sofio, the incident caused him stress, for which non-pecuniary damages of $1,000 per member were being claimed.

The Superior Court, presided over by the Honourable André Prévost, rejected the application for authorization, concluding that Mr. Sofio had not established a prima facie case and that consequently the criteria to authorize a Quebec class action had not been met.[2] Indeed, according to the Superior Court, there was a prima facie absence of an actual compensable harm.

Despite the Court of Appeal’s refusal to review this judgment[3], another investor, Mr. Danny Lamoureux, nevertheless took a chance a few days later by filing a new application for authorization to institute a class action against the Organization, based on the same facts. Plaintiff Lamoureux claimed for the stress and anxiety he experienced, the inconveniences endured and the consequences resulting from unlawful use of his identity. The class action was authorized by the Superior Court in 2017.

Highlights of the Superior Court judgment on the merits

Interestingly, IIROC admits that it was at fault regarding the loss of the laptop and for not ensuring the utmost protection of members’ personal information, despite its internal policies that required the encryption of laptops.

Despite this admission of fault, the Superior Court ruled that the class action brought by Mr. Lamoureux must be dismissed, given that:

- Regarding damages claimed, the worry and inconvenience suffered by the members as a result of the loss of their personal information is not a compensable harm. Indeed, said worry and inconvenience are akin to the normal inconvenience that any person living in society is required to accept. The judgment additionally mentions that:

  • The Court followed the Supreme Court’s position regarding non-pecuniary damages[4], namely that they must be serious and long-lasting, and must not amount to ordinary, minor and transient inconveniences, anxieties or fears that any person living in society must accept on a regular basis.
  • The Court concludes that the evidence provided very little detail, concrete facts or significant demonstrations of the members’ psychological state, despite the testimonies of certain class members. According to the Court, the general negative feelings experienced by members did not surpass the threshold of normal inconvenience.
  • The Court also finds that the steps members had to take, including increased monitoring of their financial accounts, were nothing more than the normal protection of their assets which every reasonable person must do in the 21st century. The inconvenience and time spent on these protective steps, such as calls and delays regarding the fraud alert and identity verification, cannot be compensated. In its analysis, the Court takes into account that IIROC offered for free all the necessary surveillance measures provided by Equifax and TransUnion.

- Regarding causation, there was no evidence of unlawful use of the lost information. The Court concludes that although the laptop was not ultimately located, the evidence does not establish that the individual who found it used the personal information it contained for unlawful purposes. Additionally, IIROC’s expert explained that there was no indication that the unlawful use of personal information experienced by certain members was related to the incident at hand. According to the expert, if the laptop had fallen into the wrong hands, there would have been more instances of fraud amongst the affected investors and the frauds would have been more similar from one instance to the other. The Court found that the evidence failed to demonstrate causation between the loss of the laptop and the alleged unlawful use.

- IIROC was quick to react by implementing appropriate measures to address the incident and to notify the investors. As such, the request for punitive damages is dismissed. The Court found that the approximately two-month delay between the incident and notification of the concerned individuals was reasonable. The Court also accepted the uncontradicted testimony of IIROC’s expert witness, who found that IIROC’s response had been consistent with best practices. In this regard, the evidence demonstrated that IIROC:

  • had launched an internal investigation and hired a consulting firm as independent computer security experts to identify the information stored on the computer and assist the Organization in managing the risks and its responsibility regarding the loss of personal information;
  • disclosed the incident to the police, the Quebec Commission d’accès à l’information and the Office of the Privacy Commissioner of Canada;
  • met with representatives of the affected brokerage firms to explain the situation and the measures it had implemented;
  • offered free protective measures to the investors and brokerage firms and set up call centers;
  • issued a press release, announcing the accidental loss of the laptop and the investigations underway; and
  • sent a letter to investors informing them of the incident affecting their personal information and advising them of the measures it had implemented and the services available to them.

It is noteworthy that a month after this decision, in Levy v. Nissan Canada inc.[5], the Court of Appeal authorized a claim for punitive damages in a data breach class action. According to the Court of Appeal, the allegations of inadequate security measures and the one-month delay between the cybersecurity incident and notification to the affected individuals justified that the claim for punitive damages be authorized. The Court also considered the fact that the defendant was aware of the identity theft risk during the period when members had not yet been notified of the incident.

Conclusion

The Lamoureux decision is noteworthy for many reasons. The decision emphasizes that in class action and privacy cases, as with any civil liability action, the harm must be serious enough to give rise to compensation. It confirms that the prejudice resulting from the mere occurrence of a cybersecurity incident is not sufficient for compensation, a finding that has also been rendered at the authorization stage in Li v. Equifax inc.[6], and Bourbonnière v. Yahoo! Inc.[7]. The judgment also illustrates the measures that can be implemented by businesses dealing with the loss or theft of personal information. The Superior Court acknowledges that a diligent corporate response that complies with industry standards can prevent potential claims for punitive damages.

The story, however, does not seem to end here since the judgment has recently been appealed[8]. The outcome of the case thus remains to be seen.

 


 

_________________________

[1] Sofio v. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2014 QCCS 4061.

[2] Section 517 of the Code of Civil Procedure, RLRQ c C-25.01.

[3] Sofio v. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2015 QCCA 1820.

[4] Mustapha v. Culligan du Canada Ltée, 2008 CSC 27.

[5] Levy v. Nissan Canada inc., 2021 QCCA 682.

[6] Li v. Equifax inc., 2019 QCCS 4340.

[7] Bourbonnière v. Yahoo! Inc., 2019 QCCS 2624.

[8] Declaration of appeal filed on April 24, 2021, Court file no. 500-09-029478-211.

 
