B.C. Supreme Court Certifies National Class Action for Financial Institution Data Breach

In August 2017, the British Columbia Supreme Court issued its decision in Tucci v. Peoples Trust Company, certifying a national class action lawsuit against Peoples Trust Company relating to a 2013 breach of customers’ personal information. The decision demonstrates how Canadian courts approach the certification of data breach class actions.

The Data Breach

In September 2013, cybercriminals gained unauthorized access to computer systems of Peoples Trust Company (“PTC”), a federally regulated trust company that provides financial products and services to customers across Canada. The criminals stole sensitive personal information collected by PTC through its online application portal, and then allegedly used the information to send fraudulent phishing text messages soliciting money or information from affected customers. PTC first learned of the data breach in early October 2013, and by the end of that month gave notice to law enforcement, the Privacy Commissioner of Canada and all potentially affected customers.

The Class Action Lawsuit

In November 2013, the plaintiffs commenced a putative national class action lawsuit against PTC on behalf of an estimated 11,000 to 13,000 individuals affected by the data breach. The plaintiffs claimed that PTC failed to adequately secure customers’ personal information, and that as a result cybercriminals were able to access the personal information and put customers at risk of identity theft, cybercrime and phishing.

The lawsuit alleged various legal claims – breach of contract, negligence, breach of confidence, breach of privacy (intrusion upon seclusion) and unjust enrichment. The breach of contract claim was based on assurances regarding the security of customers’ personal information set out in PTC’s Terms and Conditions, Website Terms & Conditions and Privacy Policy.

The plaintiffs claimed compensation for various harms, including damage to credit reputation, mitigation costs, wasted time, inconvenience and anxiety, and future damage due to identity theft and phishing attempts.

The Certification Decision

The class action was brought pursuant to the British Columbia Class Proceedings Act, which specifies five requirements for certification of a class proceeding: (1) the pleadings disclose a valid cause of action; (2) there is an identifiable class of persons; (3) the claims raise common issues; (4) a class proceeding is a preferable procedure; and (5) there is an appropriate representative plaintiff.

The court noted that the Canadian approach to certification of class actions is different from the approach taken by United States courts. The court explained that a Canadian certification hearing does not involve a robust analysis of the merits of the proposed class action claims, and that certification of a class action will not be predictive of the outcome of the action at trial. The court noted that a claim will meet the applicable low threshold for certification unless, assuming all alleged facts are true, it is “plain and obvious” that the claim cannot succeed.

(a) Legal Claims

The court held that the plaintiffs had properly alleged claims based on breach of contract, negligence and breach of common law right to privacy (intrusion upon seclusion), and it was not plain and obvious that those claims were bound to fail. The court held that the plaintiffs’ claims for breach of confidence and unjust enrichment were either not properly alleged or were bound to fail.

The court rejected PTC’s argument that the plaintiffs’ claims were not valid because the Personal Information Protection and Electronic Documents Act (“PIPEDA”) is a complete code that precludes all common law claims for breach of privacy. The court reasoned that PIPEDA was not intended to abolish all common law claims that might overlap with the remedies provided by PIPEDA.

(b) Damages

The court held that most of the plaintiffs’ claims for compensation could be maintained because they were not clearly bound to fail. The court held that the plaintiffs’ claims for compensation for mental distress and punitive damages could not be maintained.

(c) Other Certification Requirements

The court held that the proposed class action met all other requirements for certification – an identifiable class, common issues, preferable procedure and representative plaintiffs.

The court certified the class action, approved the proposed national class on an opt-out basis, and specified the common issues to be determined at trial based on the legal claims the court held could be maintained.

Comment

The Tucci decision is generally consistent with previous decisions certifying other Canadian data breach class proceedings, including the certification of class proceedings against the Canada Student Loans Program, Health Canada and Target.

It is instructive to note that the claims certified in the Tucci decision were not limited to claims based on privacy rights, but rather included claims based on generally applicable legal principles – breach of contract, negligence/breach of duty of care – that may well apply to any organization that collects and processes sensitive customer information.
