Kaplan decision offers new insight into privacy class actions

The Ontario Superior Court’s decision in Kaplan v. Casino Rama, 2019 ONSC 2025 (Kaplan) calls into question the use of class proceedings as the procedure to address privacy breach losses. In Kaplan, Justice Belobaba declined to certify the proposed class action, which arose out of a cyber attack of Casino Rama’s computer systems, on the basis that the action “collapses in its entirety at the requirement of commonality” under section 5(1)(c) of the Class Proceeding Act¹.

What you need to know

• Despite the low bar to certify class proceedings in Canada, class actions based on third party hacking may be rejected when the “type and amount” of personal information affected by a breach varies between different categories of class members.
• While companies are also victims of criminal hacking efforts, organizations could be liable for the harm to affected individuals if their inaction or insufficient security measures facilitate an intrusion into their systems.
• Although many privacy class actions are built on negative findings from regulatory investigations, such findings are not determinative of civil liability.
• Courts continue to favourably consider an organization’s prompt and effective management of a cyber-incident, including cooperation with regulators and timely notice to affected individuals.

Background

In Kaplan, the Court was asked to certify a class proceeding against Casino Rama after an anonymous hacker broke into the casino’s computer systems and stole a variety of personal information related to customers, employees and suppliers online. After Casino Rama refused to pay the ransom demanded by the hacker, the hacker posted the personal information of 11,000 individuals online. Casino Rama notified those affected by the breach and offered many individuals free credit monitoring services for one year. It also contacted the appropriate authorities and closed the websites that contained stolen information. Two and a half years after the breach, there was no evidence that anyone affected by the breach had been subject to fraud or identify theft, nor had they suffered compensable financial or psychological loss.

Decision

Justice Belobaba warned at the outset of his analysis that the proposed class action “collapse[d] in its entirety” at the commonality stage.² Despite this, he went on to consider each of the proposed causes of action. Justice Belobaba also discussed the impact of the Ontario regulator’s recent finding from its investigation of the cyber-attack. His analysis offers potential insight into how the courts may examine the liability of companies for data breaches in the future, particularly in the class action context.

Treatment of regulatory findings

The Court in Kaplan considered, at the outset, the Information and Privacy Commissioner of Ontario’s (IPC) January 2019 findings from its investigation of Casino Rama’s practices. The Office of the Privacy Commissioner of Canada also investigated Casino Rama’s practices, though their report has not yet been released. The IPC concluded that Casino Rama “did not have reasonable security measures in place to prevent unauthorized access to records of personal information of CRR patrons and individuals registered for OLG’s self-exclusion program.”³ Justice Belobaba noted that the IPC’s finding in this regard was “helpful to the plaintiffs but not determinative of legal liability.”⁴

Viability of alleged causes of action

The plaintiffs advanced five causes of action: negligence, breach of contract, intrusion upon seclusion, breach of confidence and publicity given to private life. Justice Belobaba ruled that negligence, breach of contract and intrusion upon seclusion were viable causes of action, while breach of confidence and publicity given to private life were doomed to fail. His analysis on the viability of intrusion upon seclusion, publicity given to private life and breach of confidence offer the most novel and relevant conclusions.

With respect to intrusion upon seclusion, he confirmed that it is not just the hacker who could be liable for the intrusion, but the organization as well. Grounding his reasoning in the fact that this tort is relatively new and evolving, Justice Belobaba ruled that it was possible that a defendant could be liable if their recklessness in the “design and operation of a computer system” facilitated a hacker’s intrusion.⁵

While the tort of publicity given to private life is also novel, Justice Belobaba did not agree that a claim against the defendants was viable. On the basis of the American Restatement on Privacy, Justice Belobaba explained that a defendant is only liable for this tort if he or she actually makes the private matter public. In this case, the only person responsible for making the information public was the hacker, not the casino.

Similarly, with respect to the alleged violation of breach of confidence, which requires the defendant to have “misused” the plaintiff’s confidential information, Justice Belobaba ruled that the casino’s failure to prevent a cyber-attack could not be considered a “misuse” of confidential information.⁶ Accordingly, in light of Kaplan, an organization’s mere alleged failure to prevent a third party from publishing personal information is not sufficient enough to establish the tort of breach of confidence or the tort of publicity given to private life.

Justice Belobaba also addressed the suggestion that “additional information” may have been stolen and could be posted online at a later date as “plausible but not persuasive” and found that there was no need to be concerned about potential future claims, especially since there was “minimal to non-existent” evidence to support such claims.⁷

Commonality

Justice Belobaba moved on to consider whether the three remaining claims (negligence, breach of contract and inclusion upon seclusion) raised common issues.

With respect to negligence, Justice Belobaba ruled that the standard of care a company must maintain in its handling of personal information will depend on the sensitivity of that information. On the basis of Broutzas,⁸ Justice Belobaba also noted that it is important to remember that “not all personal information is necessarily private or confidential.”⁹ Justice Belobaba found that because the “type and amount” of personal information posted online by the hacker varied between class members, any assessment of the standard of care and assessment of individual plaintiffs’ claims would quickly devolve into individual inquiries.¹⁰ A class action was therefore not the preferable procedure for these types claims because common issues would be completely overwhelmed by individual investigations.

Similarly, with respect to intrusion upon seclusion, Justice Belobaba ruled that individual inquiries would be required to determine if class members were embarrassed or humiliated by the disclosure. Since the plaintiff had failed to show how the individual assessments “could translate into class-wide determinations” the intrusion upon seclusion issues could not be certified.¹¹

Finally, on the breach of contract, Justice Belobaba ruled that the plaintiffs had failed to adduce evidence regarding the terms or conditions of any actual contracts or evidence as to whether the contractual issues could be answered on a class-wide basis.

With none of the common issues having been certified, a class proceeding was not the preferred procedure and there was no need to assess the suitability of a representative plaintiff. Justice Belobaba noted that even though a class action is not the preferable procedure, putative class members were not without recourse. Individuals could bring individual actions (for instance before the Smalls Claims Court) or claims for damages for breach of privacy can also be made under the federal privacy statue.

Considerations

Kaplan sets out the challenges plaintiffs may face when seeking a remedy for privacy breaches through class proceedings. The decision appears to narrow the possible causes of action an organization may be liable for in a class action regarding privacy breaches and highlights the uphill battle plaintiffs face at the commonality stage if the type of information released is not uniform amongst class members. Justice Belobaba comments on this point are instructive:

“[t]he fact that there are no provable losses and that the primary culprit, the hacker, is not sued as a defendant makes for a very convoluted class action. Class counsel find themselves trying to force square (breach of privacy) pegs into round (tort and contract) holes.”¹²

Justice Belobaba’s recognition of Casino Rama’s effective handling of the cyberbreach, including contacting the appropriate regulators, notifying the affected individuals, taking down websites that posted the personal information and providing credit monitoring services to many individuals, underscores the importance of effective cyberbreach management as an important tool to mitigate litigation risk.

Although it is unlikely that this decision will stall the general trend of privacy class actions in Canada, it does suggest that plaintiffs in actions arising from third party hacks will have to more rigorously consider whether the group of affected individuals, the harm arising from the breach, and the elements of the claims they allege are sufficiently similar that a court will be satisfied that a class proceeding is the most efficient way to proceed against organizations that were victims of criminal activity.

_________________________

¹ Class Proceeding Act, S.O. 1992, c. 6.

² Kaplan, para. 16.

³ Kaplan, para. 9.

⁴ Kaplan, para. 12.

⁵ Kaplan, para. 29.

⁶ Kaplan, para. 31.

⁷ Kaplan, para. 13.

⁸ Broutzas v. Rouge Valley Health System, 2018 ONSC 6315.

⁹ Kaplan, para. 62.

¹⁰ Kaplan, para. 64.

¹¹ Kaplan, para. 80.

¹² Kaplan, para. 14.