Privacy Breach Class Actions in Ontario – What’s Coming in 2015 (Updated)

Several new class actions for breaches relating to personal information have been commenced or certified in Ontario in 2014.  This continuing trend confirms that the tort of intrusion upon seclusion, also known as invasion of privacy, recognized by the Ontario Court of Appeal in Jones v. Tsige, 2012 ONCA 32 is alive and well, and that exposure to damages for privacy breaches can be significant. The class actions discussed below demonstrate that businesses and government agencies have to take the protection of personal information seriously.

Evans v. The Bank of Nova Scotia, 2014 ONSC 2135 is the first class action arising out of a privacy breach to be certified in Ontario.  In Evans, the representative plaintiff alleged that an employee of the Bank provided clients’ private information to his girlfriend who disseminated it to third parties for improper and fraudulent purposes.  The certified class consists of 643 customers of the Bank.

Hopkins v. Kay, 2014 ONSC 321 is an action involving claims of improper access to health records of some 280 patients at the Peterborough Regional Health Centre. The hospital’s motion to strike the plaintiff’s claim was dismissed earlier in 2014 based on the decision in Jones v. Tsige. That decision is currently under appeal to the Court of Appeal.  A larger class action launched on behalf of 14,450 patients of Rouge Valley Health System whose information was collected and sold to private companies, is on hold pending the outcome of the appeal in Hopkins. UPDATE: On February 18, 2015, the appeal was dismissed by the unanimous Court of Appeal (2015 ONCA 112). The Court of Appeal affirmed that the plaintiff (respondent) was not precluded from relying on the common law tort of intrusion upon seclusion in the Superior Court claim for breach of privacy.

Condon v. Canada, 2014 FC 250 is a federal court class action filed in Toronto that was certified in March 2014. This action arose out of a loss of a hard drive containing personal information of approximately 583,000 individuals in connection with the student loan program administered by the Human Resources and Skills Development Canada. The certification decision confirms that the tort of invasion of privacy, recognized in Jones v. Tsige, can be pleaded in the Federal Court.  This decision is currently under appeal to the Federal Court of Appeal.

Lozanski v. The Home Depot Inc., CV-14-51262400CP (Ont. Sup. Ct.), is the most recent class action launched in Ontario and one to watch out for, given the magnitude of the data breach in issue and a $500,000 million claim for damages (the Hopkins claim is for several million dollars, and the Evans and Condon claims are unspecified). The Lozanski action arose out of a credit card related security breach that affected approximately 56 million customers in Canada and the United States.  The Ontario action follows in the footsteps of several class actions filed against Home Depot in the United States.

There has yet been no judicial decision in Ontario awarding damages for privacy breaches in the context of a class action. However, based on the $10,000 damages awarded to an individual plaintiff in Jones v. Tsige, and the $20,000 cap on such damages set by the Court of Appeal, simple logic would suggest that even a nominal award could amount to a substantial risk in the context of a large class action. As seen in Lozanski, class actions for negligent data breach can potentially involve millions of individuals.  Court-approved settlements in class actions also provide some valuable insights into potential exposure.  In Canada, the settlements reported to date do not appear to have exceeded $1 million. Although modest compared to the U.S. settlements for breach of privacy claims, these amounts nevertheless represent a costly risk for companies doing business here.

Privacy is a fast-evolving area of law, and these litigation trends should continue to be closely monitored. In the interim, businesses and government agencies handling personal data can take protective measures to mitigate risk. Investing in a robust security system, timely software upgrades and mandatory employee training and updates could avoid the cost of litigation and exposure to damages later.