Security Breach Implicating Personal Information: Which Injuries are Compensable? 

publication 

September 2014

Privacy Bulletin

Class actions triggered by security breaches involving personal information are growing in popularity. The judgment rendered by the Honourable Justice André Prévost on August 20, 2014 in the matter Sofio v. Investment Industry Regulatory Organization of Canada (IIROC)1 clarifies the burden of proof in respect of the damage suffered by applicants at the authorization stage of a class action in the absence of proof that the personal information was misused.

Let us review the facts

A motion for authorization to institute a class action was filed on behalf of persons forming part of the following class, namely all the individuals and legal persons that have fewer than 50 employees since February 1, 2013, whose personal information was lost in Quebec by IIROC or one of its employees in 2013 (the "Members").

In February 2013, an IIROC employee lost a laptop computer containing the personal information of approximately 50,000 customers of brokerage firms, including the applicant.2

The computer, which was never found, contained only one level of protection (password), not two levels (password + data encryption) as provided for by the IIROC policies.3

An important fact to outline is that the applicant was unaware of any cases where the personal information of those customers was used maliciously (example, identity theft or fraud).

According to the applicant, IIROC, by its negligence, lost the personal information of the Members who, belatedly informed, needed to take steps to mitigate the consequences, such as measures to prevent identity theft and to protect access to their bank accounts and investments.4

The applicant failed to demonstrate a compensable injury

The authorization of a Class Action was dismissed: the criterion of authorization stipulated by article 1003(b) of the Code of Civil Procedure of Quebec was not met, namely that the applicant failed to prove that the facts alleged seem to justify the conclusions sought.

At the authorization stage, the applicant has to establish that he appears to be entitled to the right that he is exercising.5 Although the claim may in fact ultimately fail, the action should be allowed to proceed if the applicant has an arguable case in light of the facts and the applicable law".6

The applicant's legal rationale was:

  1. IIROC allegedly committed wrongdoings (i) by losing the laptop computer, (ii) by failing to ensure maximum protection of the Members' information contained therein, and (iii) by delaying notification of the Members;

  2. The Members suffered the above-mentioned damages;

  3. The damages suffered by the Members are directly related to the wrongdoings committed by IIROC.7

The judge concludes that the applicant failed to prove compensable injury.

The judge points out that the applicant is right when he submits that a party may claim moral damages to be indemnified for non-pecuniary damages.8 The doctrine and case law definitely recognize that the moral damage is compensable and that it may, in particular, include stress, emotional trauma, burden, trouble and inconvenience, and that a great deal of discretion is awarded to the judge for assessment.9

In class actions, as the applicant suggests, the courts recognized the possible existence of this type of damages, such as unlawful work stoppages and unjustifiable delays in the public transport services,10 or failure by a tour operator to meet certain of its obligations.11

In these cases, the non-pecuniary damages generally covered the accumulated inconveniences, such as stress or anger associated with delay or uncertainty, late appointment or work arrivals, fatigue and discomfort caused by the fact of having to walk (despite weather conditions) for a longer period than expected, feeling of dependence and humiliation of being held hostage, as well as discomfort and stress associated with waiting in an airport for several hours or days.

Justice Prévost points out that the Appellant's alleged inconveniences are by and large associated with a twenty-first century society existence and monthly verifications of bank accounts and credit cards is not uncommon. Since such data are easily accessible by the Internet, it is not unusual that verifications are effected at several intervals during a month.12 Checking for mail delivery irregularities no longer appears exceptional. It is a life element in our society.

The Court concluded that the damages alleged by the applicant did not constitute compensable injury and dismissed the authorization of the class action against IIROC.

What constitutes compensable injury?

By quoting the Honourable Chief Justice McLachlin in the judgment Mustapha v. Culligan of Canada Ltd.,13 the judge held that the compensable injury is an injury which must be serious and prolonged.

The following does not constitute compensable injury:

  • Temporary ordinary annoyances, anxieties and fears that people living in society routinely, if sometimes reluctantly, accept;

  • Minor and transient upsets or disgust, anxiety and/or agitation or other mental states;

  • The mere apprehension of possible consequences of the fault.

In the judgment rendered by Justice Beaugé in Larose v. Banque Nationale du Canada14 authorizing the exercise of a Class Action in the context of a theft of three computers, although such motion presented a claim for similar damages, Justice Beaugé outlined an important fact, which clearly distinguishes it from this matter: following the computer theft, the identity of the applicant Larose was misused to fraudulently obtain a loan and four credit cards.15

Lessons to be learned

Although businesses may find this judgment reassuring regarding their possible exposure in case of security breach involving personal information, it should be noted that the implementation plan in effect subsequent to the breach, including IIROC's reaction to it was taken into account when dismissing a motion for authorization to institute a class action. The class action might have been authorized if the organization had failed to take appropriate measures and/or if there had been proof of misuse of the Members' identity.

Incidentally, it should be noted that punitive damages might be granted in certain circumstances, regardless of the absence of compensatory damages. The aggregate sum granted to each class Member as punitive damages may be extremely costly for companies defending a privacy class action.

by Eloïse Gratton and Emmanuelle Saucier

1 2014 QCSC 4061.

2 See paragraph 1 of said judgment.

3 See paragraph 2 of said judgment.

4 See paragraph 9 of the judgment.

5 Comité Régional des Usagers v. Q.U.C.T.C., [1981] 1 S.C.R. 424, p. 429.

6 Collectif de défense des droits de la Montérégie (CDDM) v. Centre hospitalier régional du Suroît du Centre de santé et de services sociaux du Suroît, 2011 QCCA 826, para. 22, referred to in Infineon Technologies AG v. Option consommateurs, 2013 S.C.C. 59 para. 72 (Infineon judgment) and Vivendi Canada Inc. v. Dell'Aniello, 2014 S.C.C. 1, para. 58 (Vivendi judgment), para. 65.

7 See paragraph 33 of the judgment.

8 See paragraph 36 of the judgment.

9 Jean-Louis BAUDOUIN and Pierre-Gabriel JOBIN, Les obligations [Liabilities], 5th edition, Les éditions Yvon Blais, para. 839.

10 Binette v. Syndicat des chauffeures et chauffeurs de la corporation métropolitaine de Sherbrooke, 2004 CanLII 20437 QCSC, Ladouceur v. Société de transport de Montréal, 2010 QCSC 1859, Boyer v. Agence métropolitaine de transport (AMT), 2010 QCSC 4079.

11 Deronvil v. Univers Gestion multi-voyages inc., 2006 QCSC 3354.

12 See paragraphs 41 and 42 of the judgment.

13 [2008] 2 S.C.R. 114, p. 119.

14 2010 QCSC 5385.

15 Id., para. 24.

a cautionary note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2014