In May of 2019, Justice Belobaba of the Ontario Supreme Court of Justice issued his decision in Kaplan v Casino Rama, 2019 ONSC 2025 (“Kaplan”), concerning an application to certify a class action lawsuit. The decision raises important legal questions about consumers’ ability to recover damages when their personal information is made publicly available, and businesses’ exposure to liability following data breaches.

The Lawsuit

In 2016, a data breach occurred involving Casino Rama, a large casino operated by CHC Casinos Canada Limited under an agreement with the Ontario Lottery and Gaming Corporation. The data breach affected approximately 11,000 consumers who had used Casino Rama’s various services. Hackers responsible for the data breach attempted to hold the personal information for ransom, demanding payment in exchange for the hackers’ promise that the data would not be published. Casino Rama made no payments and a large volume of personal information was consequently published online. The appropriate authorities were notified, as were the affected consumers.

An important feature of this particular data breach was that while the information all came from Casino Rama, there was significant variance in the nature of the information that was lost and published. For some consumers, basic contact information or their status as members of the casino’s loyalty program was made available. Other consumers had information concerning their participation in the casino’s self-exclusion program lost and published.

The individuals affected by the data breach opted to retain counsel and proceed with a class action lawsuit in hopes of recovering damages from Casino Rama. The Court declined to certify the class action, thus preventing it from proceeding. The analysis that the Court provided to come to this conclusion offers important lessons for consumers and businesses.

Lessons for Consumers

One key lesson that the Kaplan decision offers consumers is that a class action lawsuit may not always be a feasible route to recover damage in the event of a data breach. As was the case in Kaplan, a large number of people may be affected by a single data breach however this does not necessarily mean there will be enough overlap in how each person is affected by the breach to allow a class action to proceed. For instance, in Kaplan the Court considered it impossible to make a general assessment as to whether Casino Rama was negligent because the different kinds of personal information required different levels of protection (standards of care). Additionally, the Court held that it could not determine whether there had been a breach of contract because there were so many different kinds of contracts in place between Casino Rama and the various plaintiffs, and there was no evidence as to what those contracts said about data protection. Similar issues arose in respect of the plaintiffs’ tort claim.

This decision raises two practical implications for consumers. The first is that consumers should pay close attention to what personal information they provide to businesses that they choose to associate with, and to the extent possible, understand how those businesses protect their personal information. This type of information can often be found in a business’ privacy policy, which may be posted online or available on request. In the future, consumers can also expect businesses to post certification marks meant to communicate the business engages in privacy best practices to protect consumer personal information. In this regard, Innovation, Science and Economic Development Canada recently launched the CyberSecure Canada program designed for this exact purpose.

The second practical implication for consumers is that if the worst happens and it becomes necessary to consider legal action against a business, the legal strategy for proceeding must be well thought out and capable of success. Failing to develop a strong legal strategy can prevent the class action from proceeding, and may undermine recovery altogether because in many cases, the amount of damages recoverable for each individual following a data breach may be modest, and the legal expense of pursuing those damages may exceed the benefit to be gained.

Lessons for Businesses

While the class action did not proceed in this case, some of the Court’s comments in Kaplan have implications for businesses’ liability exposure following data breaches. In particular, the Court considered whether Casino Rama could be held liable for the tort of intrusion upon seclusion. The tort requires a plaintiff to show:

  1. an unauthorized intrusion;
  2. that the intrusion was highly offensive to the reasonable person;
  3. the matter intruded upon was private; and
  4. the intrusion caused anguish and suffering.

Leading up to Kaplan, an underlying assumption of the intrusion upon seclusion tort was that only the party doing the intruding could be held liable for the tort. Understood in this way, only the hacker in Kaplan could be held liable for intrusion upon seclusion – not the casino. However, rather than confirming this view, the Court in Kaplan acknowledged that the intrusion upon seclusion tort was “still evolving”, and in light of recent case law, “could conceivably support a claim against defendants whose alleged recklessness in the design and operation of their computer system facilitated the hacker’s intrusion”. In other words, the Court held that Casino Rama could potentially be held responsible in tort for failing to take appropriate data protection measures.

This statement from the Court is illustrative of two related points. First and foremost, the appropriate rights of action for a breach of privacy in Canada is an issue that is still largely unsettled. Kaplan is an example of a court leaving open a new way of holding businesses accountable for failing to protect personal data of consumers. The second point is that the Court appears to be of the view that uncertainty in the space does not prevent findings of liability. Even if Casino Rama had done a survey of the legal landscape as it was prior to Kaplan, it likely would not have considered liability for intrusion upon seclusion as a risk it should prepare for. Nevertheless, the Court suggested such liability was possible.

The practical take away for businesses is that it is critical to have in place strong privacy policies and controls. In a legal landscape where even the most diligent businesses cannot be certain of how liability may arise, preparedness becomes critical. Not only do such initiatives reduce the risk of data breaches and help businesses earn and maintain consumer trust, they can help businesses avoid liability when data breaches inevitably occur.