On November 4, 2010, Justice Guylène Beaugé of the Québec Superior Court handed down a decision without Quebec precedent, when she authorized a class action for invasion of privacy against the Banque Nationale du Canada (BNC).

Let's start by reviewing the facts.

During the night of September 18-19, 2008, three laptop computers were stolen from BNC's head office.

One of these laptops contained a database with the following information regarding 225,000 identifiable mortgage clients: names and personal addresses, bank account numbers, identification of bank branches, addresses and construction dates of the properties relating to the mortgage loans, lot and cadastre numbers, amounts and terms of the loans, outstanding balances, interest rates and amounts of monthly mortgage payments, tax information, insurance policy numbers and premium amounts.

The database did not contain the clients' social insurance numbers, credit card numbers or birth dates.

While the thief was caught and tried, the stolen computers were never recovered.

BNC took various measures to remedy the situation, including reporting the incident to the Privacy Commissioner of Canada, sending its clients a letter by regular mail, filing an incident notification with the credit bureaux TransUnion and Equifax, and making a note in the clients' banking profile. Several days after the incident, BNC also published the following press release:

National Bank Financial Group implements special measures to protect its clients

Montreal, 23 September 2008 –

Theft of a computer containing a database on mortgage loans

National Bank Financial Group announces it is taking special measures to protect its clients following the theft of a portable computer containing a database on mortgage loans. The theft of this secure computer occurred recently at the Bank's head office.

The database contains certain information about mortgage loans granted to the Bank's clients. Given the nature of information, the risk of fraud related to the use of this information by third parties is minimal.

Nevertheless, National Bank Financial Group intends to take every effort to protect its clients.

The Bank is putting the following measures in place:

  • Quickly write to each client to ask them to be vigilant and to report to the Bank's customer service if they notice any unauthorized transactions in their account.
  • Investigate any anomalies in its client accounts that are brought to its attention.
  • Compensate clients for any related damages if necessary.
  • Communicate with the different credit companies to have a note about this incident added to the file for each affected client.

The confidentiality of information provided by its clients is of the utmost importance to National Bank Financial Group. Many policies are in place to ensure data safety and protection. Additional measures will be taken to tighten these policies according to the results of the investigation into the recent theft.

The motion for authorization claims that BNC conducted itself wrongfully, both with regards to protection of personal information, and in its response to the theft.

The claim on behalf of the mortgage clients affected by this breach of confidentiality is based on the following alleged harm: processing delays for future credit applications, obligation to closely monitor their bank accounts, obligation to exhibit increased vigilance in communication of their personal information, obligation to advise their other financial institutions of the loss of their personal information, anxiety, pain, suffering, fear of falling victim to fraud or identity theft, expenses, possible increases in banking fees, penalties, lost time.

The decision provides few details about the arguments discussed during the hearing on the motion.

Without delving into all the issues surrounding class actions, it is notable that, following the hearing, the judge found colour of right with regards to the protection of personal information. Indeed, she held that the allegations of lack of prudence and diligence could lead a judge to find fault.

As for the question of harm, the judge found that there was more than simple fear of harm and that the allegations of potential usurpation of Plaintiff's identity could lead to an awarding of damages. In addition, the judge seemed to imply the possibility of exemplary damages being awarded for the allegations of gross fault.

The following questions were therefore authorized for adjudication as part of a class action:

Was Defendant negligent in the storing and safekeeping of the personal information of the Group Members?

Is Defendant liable to pay damages to the Group Members as a result of the loss of said information, including actual monetary losses incurred as well as pain, suffering, inconvenience, anxiety and other moral and/or punitive damages caused by the loss of said information?

Here in Quebec, we have been expecting instigation of a class action regarding breach of confidentiality for several years now. The issue that always arises in this type of case is of proving a causal connection between a harm suffered and a wrongful breach of confidentiality. In several North American jurisdictions, this appears to have been a significant stumbling block for actions claiming a violation of the duty to protect personal information.

Unfortunately, this initial decision leaves us thirsting for more, as the findings regarding colour of right and the possibility of the courts awarding real damages in the context of a breach of confidentiality are not entirely convincing.

We will be following this case with great interest, as the final decision, if the trial leads to such an outcome, will certainly be more instructive on this topic.

The complete decision is available on line, in French.