On May 7, 2019, in Kaplan v. Casino Rama Services Inc. (Kaplan), the Ontario Superior Court of Justice refused to certify a privacy class action arising out of a criminal cyberattack that included allegations of breach of privacy, breach of contract and negligence. The decision comes on the heels of another recent decision denying certification of a privacy class action, Broutzas v. Rouge Valley Health System (Broutzas), which signals that Canadian courts are scrutinizing the appropriateness of class proceedings in these types of highly individualized cases.
In November 2016, Casino Rama publicly announced that it was the victim of a criminal cyberattack in which patron, employee, and vendor information was stolen. The hacker stole a disparate collection of documents, with no consistency in the nature or sensitivity of the personal information included. After the defendants refused to respond to the hacker’s ransom demands, the hacker posted the stolen data on the internet.
Casino Rama promptly notified law enforcement and regulators about the cyberattack, cooperated with all investigations, and took steps to have the stolen data taken down from the internet. It also issued a press release about the cyberattack and took steps to directly notify past and present employees and patrons, many of whom were offered free credit monitoring services.
The plaintiffs commenced a class action alleging negligence, breach of contract, intrusion upon seclusion, breach of confidence, and publicity given to private life. By the time of the certification hearing, there was no evidence that anyone had experienced fraud, identity theft or any kind of compensable financial loss or serious and prolonged psychological harm because of the cyberattack.
Justice Belobaba dismissed the motion for certification of the class action, holding: “The fact that there are no provable losses and that the primary culprit, the hacker, is not sued as a defendant makes for a very convoluted class action. Class counsel find themselves trying to force square (breach of privacy) pegs into round (tort and contract) holes.”
On the issue of whether the pleadings disclosed a reasonable cause of action, Justice Belobaba struck the claims for breach of confidence and publicity given to private life because it was the hacker, not the defendants, who had intentionally published class members’ personal information online. The mere alleged failure to have prevented a third party from publishing personal information was not enough to establish these torts. He found that the negligence, breach of contract and intrusion upon seclusion claims were not “doomed to fail” under the pleadings test, although he noted that it was the hacker, and not the defendants, who invaded the plaintiffs’ privacy.
Justice Belobaba then concluded that the remainder of the case “collapse[d] in its entirety” under the common issues criterion, principally because of the wide variability in the type and amount of personal information stolen with respect to each putative class member. Some of the personal information in question was private and confidential, but much of it was relatively mundane and not sensitive (e.g., email addresses).
The Court found that the scope and content of the standard of care in negligence owed to each class member would depend on the sensitivity of the personal information that had been collected about them: the less sensitive the information, the lower the standard of care. As a result, Justice Belobaba held that there was no basis in fact to establish that a question about whether the defendants breached any applicable duty of care could be answered in common across the class.
Similarly, for the plaintiffs’ intrusion upon seclusion claim, the Court concluded that individual inquiries would be required to determine if class members were in fact embarrassed or humiliated by the disclosure of personal information about them (such as, for example, the fact that they were patrons of a casino).
The breach of contract issues failed because the Court found that there was no evidence from any of the class members regarding the terms of any contracts relating to protection of personal information, or that such terms were sufficiently similar to allow for a class-wide determination of whether they were breached.
Given the Court’s conclusion on the common issues, it did not determine the class definition. However, Justice Belobaba noted that even if the case had been certified, he would have defined the class more narrowly than the plaintiffs had proposed.
While several Canadian privacy class actions have been certified (see our 2019 Legal Trends: Cybersecurity for more information), this decision signals that courts recognize that class proceedings are not the appropriate procedure by which to seek remedies for every loss of privacy. Citing Broutzas, Justice Belobaba observed in Kaplan that not all personal information that may be disclosed without consent is necessarily private or confidential. Furthermore, where the kinds of personal information stolen in a cyberattack vary widely from individual to individual, questions relating to the standard of care in negligence and breach of privacy will quickly devolve into individual inquiries that are unsuitable for class treatment.
Justice Belobaba also spoke in positive terms about Casino Rama and the Ontario Lottery and Gaming Corporation’s response to the cyberattack, which included:
- Timely notice to, and full cooperation with, the appropriate authorities
- Takedown notices to websites that would remove stolen data
- A broad notice program for patrons and employees
- Offers of free credit monitoring services for one year in appropriate circumstances.
This is an important reminder to organizations that a prompt and effective response to a privacy breach is not only the right thing to do for affected customers and employees ― it also has the added benefit of reducing litigation risks.