In the costs motion (Kaplan v. Casino Rama, 2019 ONSC 3310) arising from the litigation regarding the Casino Rama breach, Justice Belobaba awarded costs to the defendant, saying there was neither public interest nor a novel issue sufficient to warrant costs being awarded to the plaintiffs. Justice Belobaba was of the view that the very basis for bringing the class action was questionable, a fact which played a role in the plaintiffs having to pay. This decision may have class counsel more closely scrutinizing the merits of bringing data breach class actions.
In an earlier decision released on May 7, 2019, Justice Belobaba dismissed the plaintiffs’ motion for certification, finding that the proposed class action “collapsed in its entirety” at the common issues stage. He found no basis in fact that any of the proposed common issues actually existed and/or could be resolved on a class-wide basis.
Justice Belobaba asked counsel to forward their costs submissions. The defendants, successful in defeating certification, sought $255,707 in costs (for fees, disbursements and taxes) on a partial indemnity scale. The plaintiffs submitted that no costs be awarded because the proposed class action raised novel legal issues and was in the public interest. Alternatively, if costs were awarded, the plaintiffs argued that $75,000 all-inclusive was a fair and reasonable amount.
Justice Belobaba found that neither the public interest nor the novelty submission should succeed and that the normal costs rules should apply. As a result, he found that (emphasis in original) “an all-inclusive costs award of $160,000 is fair and reasonable. Costs are therefore fixed in this amount, to be paid forthwith by the plaintiffs to the defendant.”
Rejecting the defendant’s position that the costs Grid (which imposes a $350 maximum hourly rate) is out of date and the proper measure is 60 per cent of one’s actual hourly rate, Justice Belobaba calculated the defendant’s Grid-compliant costs at $175,000. Class counsel said their costs outline would have been about $184,000 on a partial indemnity basis, excluding taxes.
Justice Belobaba found the defendant’s revised amount of $175,000 to be neither unreasonable nor excessive. He noted that in considering the costs that have been awarded to defendants on similar motions in the past, roughly $150,000 is the historical average.
No Public Interest
Justice Belobaba began by saying “[t]he very basis for this class action was questionable.” He went on to say at para. 5:
When the cyber-hack was discovered, the defendant Casino reacted quickly in a reasonable and responsible fashion. No losses were sustained by any of the 10,000 or so proposed class members that had their private information posted online. The most that they could recovered under a somewhat tenuous breach of contract claim were nominal damages. A nominal damages award (of say $1 per claimant, resulting in a total award of about $10,000) would not have justified this proposed class action on any of the traditional rationales – access to justice, judicial economy or behaviour modification.
Justice Belobaba referred back to his decision on certification, saying that he had noted that the Casino appeared to have taken reasonable steps to contain the breach, assist and protect customers, and that there was no evidence that anyone has experienced fraud or identity theft as a result of the cyber-attack and no evidence that anyone has sustained any compensable financial or psychological loss.
No Novel Issues
Justice Belobaba began this portion of the analysis by observing that “[s]imply because the action involves a criminal hacker accessing a company’s computer system and publishing the stolen information online does not make it novel.” He went on to say (at para. 9) (footnotes omitted):
Neither were the legal issues particularly unique or original. Here the plaintiffs pleaded every cause of action remotely available, from contract and tort, to intrusion upon seclusion, breach of confidence and ‘publicity given to private life’ – resulting in what I described as a “a very convoluted class action”. As I noted in my decision dismissing the motion for certification:
The fact that there are no provable losses and that the primary culprit, the hacker, is not sued as a defendant makes for a very convoluted class action. Class counsel find themselves trying to force square (breach of privacy) pegs into round (tort and contract) holes.
In short, said Justice Belobaba, he was not persuaded by the “novel legal issues” submission.
Takeaways for Business
While it remains challenging to defeat a motion for certification in a data breach class action, where such motions are defeated, it is possible for the defendant to recover at least some of its costs. Courts appear, at least in Ontario, to be growing impatient with the scattershot approach of some class counsel, and are requiring more rigour be brought by class counsel in determining whether there is a reasonable basis for bringing the class action, as well as continuing one once it has begun.
 See the comments of Justice Perell in Lozanski v The Home Depot, Inc., 2016 ONSC 5447 (at para. 103): “In some cases, and in my opinion, the immediate case is an example, it may have been reasonable to commence the class action but there comes a point when the litigation should be abandoned, discontinued, or settled … and when the action is discontinued, abandoned, or settled, class counsel should not anticipate that every reasonably commenced class action will be remunerative and a profitable endeavor.”
For more information about Denton’s data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business