Privacy class actions present challenges for plaintiffs
By Kirsten McMahon, AdvocateDaily.com Managing Editor
A recently denied certification motion — stemming from a cyberattack of a casino’s computer systems — is a cautionary tale about bringing privacy class actions that don’t have common issues, says Toronto class-action and appellate counsel Brian Radnoff.
“Class-action claims, particularly in cases of massive privacy breaches, raise many individual issues, and so they can be difficult to certify,” says Radnoff, partner with Dickinson Wright LLP. “There are similar privacy actions going on right now, and they can present many challenges for plaintiffs’ counsel.
“Even in cases where the government has been critical about what the defendant did or failed to do doesn’t mean certification is a slam dunk,” he tells AdvocateDaily.com.
He points to a recent Ontario Superior Court of Justice motion for certification involving a defendant casino targeted in a 2016 cyberattack. According to court documents, an anonymous hacker accessed the casino’s computer system and stole personal information relating to customers, employees and suppliers.
“When ransom demands proved futile, the hacker posted the stolen data on the internet. Just under 11,000 people had some personal information posted online,” the decision states.
“The casino contacted all appropriate authorities, took steps to close down the two websites that contained the stolen information, notified the thousands of customers, employees and suppliers potentially affected by the security breach and offered free credit monitoring services for one year to many of them,” it continues.
Even though the five class representatives did not suffer financial loss as a result of the breach, they advanced 30 proposed common issues (PCIs) under five heads: negligence, breach of contract, breach of confidence, privacy torts, and damages and administration.
Justice Edward Belobaba found the negligence, breach of contract and privacy tort to be possibly viable but found the other claims “doomed to fail.”
Section 5(1)(c) of the Class Proceedings Act requires that the claims or defences of the class members raise common issues.
“There is no dispute about the applicable law. For an issue to be common, it must be capable of being answered once for all class members,” Belobaba wrote.
“Further, many of the PCIs, particularly those that ask about duty of care or breach of a standard of care, require so much in the way of individual inquiry that any commonality is overwhelmed by the need for individualized assessments,” he states.
Radnoff, who was not involved in the matter and comments generally, says the problem was that none of the main PCIs dealing with liability could be certified as common issues.
“The majority of the claims, because of their nature, raise many individual issues, and this is the difficulty with privacy class actions,” he says. “Although the Information and Privacy Commissioner (IPC) released a report criticizing the security measures in place to prevent unauthorized access to the personal information of casino patrons, the judge found it ‘helpful to the plaintiffs but not determinative of legal liability.’”
Radnoff says privacy class actions involving breaches of personal health information tend to fare better at the certification stage.
“Those matters are generally more straightforward,” he says. “There have been some certified, for example, where a hospital releases a whole bunch of personal medical information about patients — not just their names and addresses,” he says.
“This decision demonstrates that privacy class actions are more difficult than they seem, and you do have to have the right facts to bring them,” Radnoff adds.