Class actions are emerging as a potential venue for litigants to seek compensation for privacy breaches. The recent approval of a class action settlement in Lozanski v The Home Depot, Inc. ("Home Depot") by the Ontario Superior Court of Justice is notable as one of the few privacy breach class action settlements in Canada. The decision also provides some much-needed guidance in this area. It suggests that actual harm is needed for class members to receive compensation and that companies should adopt a proactive approach to mitigate liability when faced with a privacy breach.
Under section 29 of the Class Actions Proceeding Act, 1992, court approval is required for the discontinuance and settlement of class actions. The general principle is that the court must find the settlement to be “fair, reasonable and in the best interest of the class members” as a whole.
The Facts in Home Depot
Between April 11, 2014 and September 13, 2014, Home Depot’s card payment system was hacked by criminals who used custom-built malware to access customer information at self-checkout terminals. In response to the data breach, Home Depot notified the privacy commissioners in Alberta, British Columbia, Quebec, and Canada. None of them found that Home Depot had violated Canadian privacy laws. Home Depot also issued press releases and directly notified 500,000 potentially affected customers. In these communications, Home Depot apologized for the breach, confirmed that it had removed the malware, and assured customers that they would not have to pay for any fraudulent charges to their payment account. Customers were also offered free credit monitoring and identity theft insurance.
Class actions against Home Depot were commenced in Ontario, Saskatchewan, British Columbia, Newfoundland, and Quebec. A national settlement agreement was reached on April 25, 2016. Under the terms of settlement, Home Depot agreed to create a $250,000 settlement fund to compensate any documented losses arising from the breach, up to a maximum of $5,000 per claimant, in exchange for class members releasing their claims. Home Depot also agreed to pay for credit monitoring up to a maximum of $250,000 and to cover the costs of notifying class members and administering the fund. The settlement terms also provided for honoraria for the representative plaintiffs totalling $11,000 and counsel fees of $406,800, inclusive of legal fees, disbursements, and HST. However, as discussed below, the court did not approve the honoraria or the counsel fees proposed in the settlement.
The Decision in Home Depot
Justice Perell approved the settlement agreement and assessed the maximum value of the settlement to the class at $400,000. He found that it was likely very little of the compensation under the settlement agreement would be paid out to the class because of the need to prove actual losses incurred. He reasoned that the damages would likely be low because class members would not be responsible for any fraudulent charges related to the breach. There was little risk of identity theft because the data stolen did not include key government-issued identification, such as a driver’s licence or social insurance number. He was also unconvinced that all of the funds would be distributed because of the short time period during which class members were required to file a claim.
However, Justice Perell declined to approve the honoraria, stating that compensation for the representative plaintiff is rare and “may only be awarded if he or she has made an exceptional contribution that has resulted in success for the class.” The counsel fees were also reduced to $120,000. He found that awarding a counsel fee of $406,800 would be disproportionate to the actual recovery the class would receive in light of the potential for poor take-up of the settlement and the risks undertaken by class counsel. In assessing these risks, he noted that the case against Home Depot was very weak. The breach was due to criminal hackers and not because of any wrongdoing by Home Depot. Home Depot openly and promptly notified customers and sought to lessen any potential harm arising from the breach, which resulted in few documented losses upon reaching a settlement. Justice Perell noted that while his award would not cover all fees incurred by class counsel, fees must be fair and reasonable in the circumstances and “the court should not approve the fee simply because a class counsel was prepared to take on the risk.”
Privacy breach class actions are still a developing area of law in Canada with little definitive judicial guidance. Home Depot is one of the rare court-approved privacy breach class action settlements. The case suggests that class members must be prepared to demonstrate actual harm suffered arising from a privacy breach in order to receive compensation. This may limit class members’ damages in cases where the harm alleged from a privacy breach is difficult to quantify. The court’s reduction of the counsel fee may also have a significant effect on class counsel’s willingness to take on a privacy breach class action, especially in circumstances where the evidence of harm is speculative or the defendant has not committed any wrongdoing.
Home Depot also offers guidance on steps companies can take upon discovering a privacy breach. Companies that are not at fault for a breach may mitigate their potential liability by adopting proactive measures to notify potentially affected individuals and to assist them in alleviating any harms arising from the loss of their data.