Negligence class action lawsuits based on security breaches may be more likely in the future, but the issue of damages is still unclear, say privacy law practitioners.
Speaking at the recent Ontario Bar Association Institute, Mark Hayes, a partner at Blake Cassels & Graydon LLP and chairman of the OBA privacy law section, said there will likely be some negligence class actions based on security breaches, but “Until we have a better idea what the damages are, its unlikely there will be any class actions unless they are taken up by a public interest advocacy group.”
How to handle potential breaches of data and privacy has become a hot topic in the last few weeks, with announcements of breaches of sensitive customer data coming from companies such as TJX Cos., the parent company of Winners and HomeSense, as well as CIBC’s mutual fund arm, Talvest.
A statement of claim was recently filed on behalf of the Canadian customers of Winners and HomeSense, while another was filed two years ago in a case against CIBC that alleges faxes containing the personal information of RRSP investors and clients were sent to “unauthorized individuals” including a business operating in West Virginia.
Hayes added that to date, many statements of claim have been issued in various cases, but no one has actually gone to the certification motion because expenses can’t be justified.
According to a 2006 survey by the Ponemon Institute, “Cost of a data breach,” the average cost of a data breach was $182 per lost record, or $4.8 million per company on average, including $7 per record for legal costs.
Hayes adds that the common law area is also in transition in dealing with the question of a common law right to privacy. While he says that it is probably only a matter of time before there is a trial decision that recognizes the right to privacy, the problem is still the definition of the right to privacy itself. He says that while there have been a number of cases that have talked about breaches of privacy, they do not define it exactly.
“My best guess is if the court is sufficiently ticked off by what the defendant has done, I think the plaintiff will probably get a remedy. So, to some extent, I think it will really depend on what case comes,“ he said.
In terms of federal statutes, Hayes said s. 16(c) of the Personal Information Protection And Electronic Documents Act (PIPEDA) allows a claim for damages for humiliation, but there have not been any damages awarded under the section to date. He added that damages under PIPEDA would not likely be much more than those awarded under provincial privacy acts, usually less than $10,000.
“What I think is probably the case is it will depend when you actually get a case with damages on a claim, as to which case gets there first. If there is a case which is particularly egregious, it is possible that there could be a particularly high watermark set that might be higher than you would expect.
“If, on the other hand, there is no actual damage and there is a claim for humiliation or somebody worried about their personal information or something like that, you may end up with a precedent that is quite low.”
The question of the duty to notify clients in case of a potential breach has also been under consideration over the last few months in light of the government’s five-year review of PIPEDA, Jennifer Dolman, a partner at Osler Hoskin & Harcourt LLP, told the conference.
Dolman said there is currently no statute that requires companies to notify clients of data breaches, with the exception of personal health information under the Personal Health Information Privacy Act.
“Some people suggest that perhaps there’s an implicit duty under PIPEDA in light of the requirements to safely secure personal information. But aside from those thoughts and some people’s thoughts that maybe there’s a common law duty to notify, there’s certainly not a specific statutory provision,” she said.
She added that there is currently no consensus on the duty to notify issue, with some saying that from a public policy perspective, people have a right to know if their personal information has been jeopardized, with others fearing notification fatigue from too many notices of potential breaches.