On May 7, 2019, Justice Belobaba denied the motion for certification in the class action brought against Casino Rama relating to a 2016 data breach (Kaplan v. Casino Rama, 2019 ONSC 2025). Despite having five representatives, the plaintiffs were unable to show provable losses, which significantly hampered their case. What was ultimately fatal to the motion, however, was the lack of commonality, leading Justice Belobaba to remark:
The problem here, with almost all of the [proposed common issues (“PCI”)], is that there is no basis in fact for either the existence of the PCI or its overall commonality or both. Further, many of the PCI’s, particularly those that ask about duty of care or breach of a standard of care, require so much in the way of individual inquiry that any commonality is overwhelmed by the need for individualized assessments.
Two and a half years ago, in November 2016, Casino Rama was targeted in a cyber-attack. An anonymous hacker accessed the Casino’s computer system and stole personal information relating to customers, employees and suppliers. When ransom demands proved futile, the hacker posted the stolen data on the internet. Just under 11,000 people had some personal information posted online.
On August 19, 2018, the Casino received a new ransom demand from the hacker threatening to release additional stolen information if the ransom was not paid. However, the “sample data” provided revealed no new information. The ransom was not paid and, as it turned out, no further information, not even the “sample data”, was posted online. In short, concluded Justice Belobaba, there was no evidence that the hacker was sitting on new or additional information that was not already posted in November 2016.
No compensable harms to representative plaintiffs
Only two of the five proposed representatives had personal information posted online (in one case, only name and postal code; in the other, demographic information plus bank account details, social insurance number, and photo). No representative suffered financial loss, including the two that had information posted online. One representative whose information was not posted online nonetheless “didn’t trust the Casino” and purchased additional credit monitoring on his own.
While each of the proposed representative plaintiffs stated in their affidavits that they have been monitoring their financial accounts for suspicious activity, none of them said that they have experienced any fraud or identity theft as a result of the cyber-attack. Each of them reported being “shocked and concerned” and generally upset when they first learned about the cyber-attack but there was no evidence that any of them sustained any compensable financial loss or psychological harm as a result of the November 2016 hacking episode.
No ongoing risk once information is breached
As is the case with most cyber-attacks, while the Casino was reasonably confident that it had an understanding of the scope of the intrusion, it was not in a position to definitively rule out the possibility that additional information had been accessed or remained in the hands of nefarious actors. Plaintiffs’ counsel maintained that this possibility created an ongoing risk that should be compensated.
Justice Belobaba disagreed (at para. 13):
The suggestion that “additional information” may have been stolen and could still be posted online by the hacker or his associates in the months or years ahead is plausible but not persuasive. Given the passage of two and a half years, and the fact that the second ransom demand revealed no such additional information, it is more likely than not that the risks of any informational misuse from the November 2016 hacking episode are minimal to non-existent. And, if any additional information is posted and misused in the months ahead, causing compensable monetary loss or psychological harm, a further class action can be commenced. In other words, there is no need to be concerned at this time about possible future claims.
Justice Belobaba framed the certification as follows (at para. 14, footnotes omitted):
I now turn to the certification analysis. The fact that there are no provable losses and that the primary culprit, the hacker, is not sued as a defendant makes for a very convoluted class action. Class counsel find themselves trying to force square (breach of privacy) pegs into round (tort and contract) holes. And defence counsel, not surprisingly, takes issue with all five of the certification requirements as set out in s. 5(1) of the Class Proceedings Act (“CPA”).
However, Justice Belobaba found the absence of commonality to be fatal to the motion, saying (at para. 16):
…the single most compelling submission advanced by the defendants relates to s. 5(1)(c) of the CPA and the absence of commonality. I agree with this submission. In my view, this proposed class action collapses in its entirety at commonality.
No commonality in terms of information taken
Justice Belobaba stated that “the scope and content of the applicable duty and standard of care depends on the sensitivity of the personal information that has been collected.” Not all personal information is necessarily private or confidential – the less sensitive the information – such as simply one’s name and mailing or email address, the lower the duty or standard of care; the more sensitive the information – credit card details, banking information or, say, medical records – the higher the duty and standard of care.
The problem on the certification motion was that the personal information stolen and posted online consisted of a disparate collection of unorganized documents and document fragments apparently taken from different types of folders. The type and amount of personal information posted online by the hacker varied widely from individual to individual. Some of the personal information was private and confidential (banking details); much of it was relatively mundane (contact details only).
Justice Belobaba found there was no basis in fact to suggest that the question of whether the defendants breached any duty of care applicable to each class member can be answered in common across the entire class. As a result, whether the defendants took reasonable steps to establish, maintain and enforce appropriate security safeguards (for the purposes of determining the nature and scope of the defendants’ standard of care), necessarily depended on the type and amount of personal information at issue.
Justice Belobaba agreed with the defendants that because the content of the personal information that was stolen by the hacker varied so widely for each person that any assessment of the plaintiffs’ claims quickly devolves into individual inquiries. He found that (at para. 66):
Any common issues are completely overwhelmed by these individual investigations, such that commonality is not established and a class action cannot be justified as the preferable procedure.
The test for intrusion upon seclusion
The plaintiffs, relying on the tort of “intrusion upon seclusion” as formulated in Jones v. Tsige, 2012 ONCA 32, framed one of the proposed common issues as being whether the defendants “willfully or recklessly invaded the privacy or intruded upon the seclusion of the class members in its collection, use, retention and/or disclosure of the personal information in a manner that would be highly offensive to a reasonable person.”
Here, again, Justice Belobaba found difficulties with the claim. First, there was no evidence that the defendants invaded the class members’ privacy, as opposed to the hacker. Further (at para. 79):
…[n]o evidence has been presented that any such invasion or intrusion was in relation to private as opposed to simply personal information or that any such invasion or intrusion would be highly offensive to a reasonable person. And more importantly, no evidence that the determination of whether such invasion or intrusion was or would be highly offensive to a reasonable person could be decided class-wide on a common basis.
The plaintiffs are able to recover individually
Failing to certify the class action would not leave the putative class members without recourse. Justice Belobaba noted that each individual had “the right to bring individual actions (for example, Mr. Champagne, if so inclined, could use the Small Claims Court to try to recover any additional credit monitoring costs that may have been incurred) [and] claims for damages for breach of privacy can also be made under the federal privacy statute.”
Courts appear to be becoming increasingly skeptical of claims of nebulous, uncrystallized damages founded on the allegation that something bad might happen (or the anxiety that may be associated with the possibility that something bad might happen). While compensable claims for mental distress do exist, they are (and should be) rare – courts now appear more willing to accept that the inconveniences of regularly reviewing credit card statements and monitoring account activities are the ordinary (if irritating) obligations of a reasonable, responsible consumer. While inconvenient, they do not rise to the level of compensable harm.
This debate about the damage exists in the U.S. as well, although there it is framed as a standing issue. There has been a split in decisions among the US courts. Many courts have dismissed claims arising out of cyber-attacks for lack of ‘standing’, holding that plaintiffs’ allegations regarding the threat of future harm they face from the potential misuse of their data is not sufficient. According to the line of case law from these courts, what may or may not be done with data collected from the victim of a cyber-attack is too speculative and not a concrete and immediate injury sufficient to confer ‘standing’. 
Other courts have found – depending on the type of data involved – that the mere improper access to that personal data creates an increased ‘risk of harm’ sufficient for a claim. 
Further, on the strength of this certification decision, as well as Justice Perell’s decision in Lozanski v. Home Depot, 2016 ONSC 5447, it appears that plaintiffs’ counsel are increasingly obligated to examine the merits of their claims and consider discontinuing such claims where there is an absence of provable harm.
 See, e.g., Reilly v. Ceridian Corp., 664 F.3d 28 (3d Cir. 2011); Whalen v. Michael Stores Inc., 689 Fed.Appx. 89 (2d Cir. 2017); In re SuperValu, Inc. Customer Data Breach Litig., 870 F.3d 763 (8th Cir. 2017).
 See, e.g., In re Zappos.com Inc. Customer Data Security Breach Litig., – F.3d -, No. 16-16860, 2018 WL 1883212 (9th Cir. Apr. 20, 2018); Remijas v. Neiman Marcus Grp., Inc., 794 F.3d 688 (7th Cir. 2015).
For more information about Denton’s data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business.