Q2 | Torys Quarterly, Spring 2022

Setting the standard in data breach class actions

In the decade since the Court of Appeal first recognized the tort of intrusion upon seclusion, courts have grappled with how to treat claims involving information that is generally considered more sensitive. Even where a data breach had little to no impact on the individuals in question, courts have often struggled to screen these claims out at the certification stage.

The Divisional Court has now waded into the fray and affirmed that it is appropriate to screen out meritless data breach class actions at the certification stage. In Stewart v Demme, 2022 ONSC 1790, the Court overturned a certification decision and held that such claims can properly be screened out early where the evidence shows the breach had little to no impact on the affected individuals. The decision imposes a high bar on class action plaintiffs who advance intrusion upon seclusion claims for data breaches that do not result in provable harm.

In this article, we explore how the mere occurrence of a data breach (even one involving information which is generally considered sensitive) is not, on its own, sufficient to justify a class action, and how only claims which involve “very serious” data breaches can survive certification.

No harm, no remedy

Stewart v Demme involved a proposed class action against a hospital after a nurse used patient records to steal painkillers to feed an addiction. Patient records mattered because the painkillers were dispensed automatically by a machine in response to patient information—the records were the “key” to unlocking the medication. The scale of the theft was significant: during the 10 years that the nurse’s actions went undetected, she used more than 11,000 patient records to improperly dispense and steal painkillers. Although this was a large-scale narcotics theft, the evidence showed that the nurse spent only seconds with each patient’s record, that she had no interest in the records themselves (only in the painkillers), that patient information never left the hospital, and that patient treatment was not affected.

Since there were no practical consequences for the patients, the lower court refused to certify the negligence claim against the hospital because there was no provable harm. And while the lower court noted that “the facts do not exactly ‘cry out for a remedy’”, it certified the intrusion on seclusion claim because medical information was involved.

The Divisional Court reversed the certification decision and affirmed that courts should focus on the intrusion itself, not merely on the type of information affected by a data breach. Intrusion upon seclusion, the Court held, is “designed to offer a remedy in situations where the privacy intrusion is very serious, not any privacy intrusion”.

Consistent with our earlier analysis of the lower court’s decision, the Divisional Court held that the real problems behind the incident had already been properly addressed: the nurse was terminated, had her licence revoked, and was criminally convicted. After the regulatory and criminal proceedings, there was nothing left to remedy through a class action.

Doors open to challenges to intrusion on seclusion

This case is one of several recent decisions that can be expected to reduce plaintiffs’ chances of certifying class actions based on data breaches that have had little or no material impact on the proposed class members.

Not every intrusion into private health information amounts to a basis to sue for the tort of intrusion upon seclusion.
— Divisional Court, Stewart v Demme, 2022 ONSC 1790

While class actions frequently follow in the wake of any large data breach, and especially data breaches that attract regulatory scrutiny, the Divisional Court’s decision illustrates the difference between an organization’s regulatory obligations and its liability for civil damages.

Privacy regulators draw their jurisdiction from, and are focused on, the type of information an organization handles. Organizations that are “health information custodians” under the Personal Health Information Protection Act, for example, must comply with the special requirements of that legislation. Courts, however, must look beyond the type of information involved in a data breach and assess whether—after the existing regulatory safeguards have done their job—the impact on affected individuals was sufficiently severe to warrant imposing civil liability for damages as well.

The Divisional Court’s decision affirms that the bar to certify a class action based on intrusion upon seclusion is a high one. Going forward, certification courts can be expected to be more receptive to challenges to intrusion upon seclusion claims, even where the information in question could be considered more sensitive.

© 2024 by Torys LLP.