Recent Ontario decision illustrates difficulty in certifying privacy class actions

The Ontario Superior Court of Justice’s May 2019 decision in Kaplan v. Casino Rama denied class action certification for a lawsuit stemming from the November 2016 cyber-attack, and subsequent privacy breach, suffered by Casino Rama. The personal identifiable information (PII) of approximately 11,000 Casino Rama customers, employees and suppliers was stolen and subsequently posted online in the public domain. However, the nature of the stolen PII was diverse – some was simply contact information, while other PII was of a private and confidential nature. One of the criteria that must be met in order for a class action lawsuit to be certified is that the claims of the plaintiffs must raise common issues that are capable of being determined for all class members. The wide variance in compromised PII in this instance ultimately led to certain pleaded causes of action being denied class certification on this basis.

Regarding the plaintiff’s claim of negligence, the court found that the scope and content of the applicable duty and standard of care depends on the sensitivity of the PII being held. As such, an analysis of whether the defendant’s cyber security safeguards were appropriate, and as such whether the standard of care was met, would depend on the type and amount of PII that was compromised. Due to the wide variety of PII at issue in this case, the court held that it was only possible to evaluate negligence on an individual basis, and that the common issue threshold was not met. The tort of intrusion upon seclusion, another of the plaintiffs’ allegations, similarly fell on an analogous analysis. This cause of action does not require plaintiffs to show actual economic loss; rather, it is based on the willful or reckless invasion of privacy that a reasonable person would find highly offensive. The evaluation of this claim would, once again, be contingent upon the sensitivity of PII disclosed. As the type of PII varied between individual class members, there was no mechanism to determine whether (1) all class members’ privacy had been invaded, and (2) whether such invasion would be highly offensive to each plaintiff. The claim for breach of confidence was dismissed on different grounds – this cause of action requires that the PII was misused by the defendants. As the hacker, and not the defendants, misused the class members’ PII, this allegation was also denied certification.

Oftentimes the main battleground in class action lawsuits occurs at the certification stage, with the defendants utilizing substantial resources in an effort to thwart the claim. Even though class certification was ultimately denied in this case, substantial legal defence costs were likely incurred by the defendants. A cyber liability insurance policy can help transfer some of the financial risks associated with privacy breaches, including costs associated with potential class action lawsuits that may result. A cyber policy can respond to cover legal defence costs, settlement and judgment amounts should a third-party claim result from a privacy breach that compromises third party PII in the care, custody or control of the insured organization. If the insured should also face a regulatory investigation as a result, legal defence costs and insurable fines could also benefit from coverage. In addition, a cyber policy could also respond to provide coverage for various first-party costs incurred ‘out-of-pocket’ by the insured to deal with the impact of a breach, including IT forensics, notification costs, call centre and credit/identify theft monitoring as well as expenses to hire a PR firm to mitigate the negative reputational impact of a breach.