Certification for a class action relating to a data breach was refused because, among other things, the Plaintiff was held not to have suffered a compensable loss. The Plaintiff failed to demonstrate a compensable loss such as actual fraud or identity theft and the fact that the Plaintiff may suffer such actual loss in the future is not enough.
Bourbonnière v Yahoo! Inc., 2019 Carswell Que 5830 (C.S.Qué.), per Tremblay, J.C.S.
Facts + Issues
Bourbonnière sought to have a class action certified on behalf of all Quebec residents whose personal and/or financial information was stolen from the Defendants (“Yahoo!”) as a result of cyber attacks after January 1, 2013 (the “Principal Victims”). She also sought to represent “all other persons, business, entities, corporations, financial institutions or banks that suffered damages or incurred expenses as the result of the data security incidents” (the “Collateral Victims”).
Yahoo! provides internet-based services to users worldwide. It collected and stored volumes of personal and/or financial information about its users, “including but not limited to users’ names, email addresses, telephone numbers, date of birth, passwords and security questions linked to a users’ account”. On September 22, 2016 Yahoo! announced that at least 500 million user accounts had been the subject of theft of sensitive personal account information in late 2014 (the “2014 Data Breach”). This information included “users’ names, email addresses, telephone numbers, date of birth, hashed passwords and in some cases, encrypted or unencrypted security questions and answers”. On December 16, 2016, Yahoo! advised its account holders that personal account information had been stolen from the Yahoo! network in August 2013 (the “2013 Data Breach”). On February 15, 2017, Yahoo! also advised its account users that the use of forged digital cookie files may have been used in 2015 or 2016 to access account information (the “Cookie Breach”).
There was a parallel class action in the Ontario Superior Court of Justice and the Plaintiffs in that proceeding sought to stay the Quebec proceeding if the application to certify the class action for the Collateral Victims failed.
Specifically, the Plaintiffs sought to institute a class action with respect to the following group:
All persons residing in Quebec whose personal and/or financial information was lost by and/or stolen from the Defendants as a result of data breaches that occurred in between January 1, 2013 to the present (hereinafter the “Data Breach”), and as all other persons, businesses, entities, corporations, financial institutions or banks who suffered damages or incurred expenses as a result of said Data Breach, or any other Class(es) or Sub-Class(es) to be determined by the Court.
[Emphasis by the Court]
The Plaintiff claimed to have had an email account with Yahoo! Canada. She alleged that the account had been compromised, but did not know what information was taken as a result of the 2013 Data Breach. She knew only that the thieves had been in possession of that information for the previous two years. The Plaintiff also argued that she was harmed “by having her financial and personal information compromised and faces the imminent and certainly pending threat of future additional hardship from the increased threat of identity theft and fraud due to her financial and personal information being sold on the Internet black market and misused by criminals”. She alleged that she had become required to take steps to protect her personal and financial information, including purchasing identity protection services such as credit monitoring which proved to be “highly inconvenient” and resulted in out-of-pocket costs. Finally, she alleged that once the theft occurred, her friends began receiving scam emails using her email information as the source of the scam, in attempts to extort money from her friends, which proved embarrassing to her. She testified that she has never been informed that any of her friends suffered any loss or negative consequences in connection with the spam emails.
HELD: For the Defendants; certification application dismissed.
The Court redefined the proposed Class from what the Plaintiff had proposed.
- The Court held that the proposed Class was excessively broad. There had been no demonstration to the effect that persons other than those whose accounts were subject to the data security breach suffered damages or incurred expenses as a result of the breaches. The Collateral Victim subclass was found to be artificial and non-existent.
- The Court redefined the Class as follows:
All persons residing in Quebec whose personal and/or financial information was lost by and/or stolen from Yahoo! Inc. or Yahoo! Canada Co. as a result of data breaches that occurred between January 1, 2013 and June 10, 2019.
The Court commented on the requirements for certification of a class action pursuant to article 575 of the Quebec Code of Civil Procedure
- The Court set out the five requirements that had to be met:
22 According to article 575 CCP, the court authorizes the class action and appoints the class member it designates as representative plaintiff if it is of the opinion that all the following criteria have been met:
- The claims of the members of the class raise identical, similar or related issues of law or fact;
- The facts alleged seem to justify the conclusions sought;
- The composition of the class makes it difficult or impracticable to apply the rules for mandates to take part in judicial proceedings on behalf of others or for consolidation of proceedings;
- The class member appointed as representative is in a position to properly represent the class members.
- The Court emphasized that the applicant Plaintiff must show an arguable case.
25 The Plaintiff must show an arguable case. It is sufficient for the Plaintiff to present a case with a good colour of right that has a chance of success, without needing to establish a reasonable possibility of success.
. . .
27 The Plaintiff must establish an arguable case against each and every defendant. Vague, general, and imprecise allegations are not sufficient to meet such a burden. Nor are hypothetical or purely speculative allegations.
28 When analyzing this criterion, the alleged facts must be considered as true, unless they appear to be clearly inaccurate or implausible, particularly in light of the relevant evidence adduced at the authorization hearing.
29 In addition, the court must distinguish factual allegations from arguments, opinions, unsupported inferences and hypotheses, as well as assertions that are implausible or false. The insinuations, opinions, and legal arguments set out in the authorization proceeding are not facts that the court must regard as true.
[footnotes omitted]
The Court held that the common issues purposed by the Plaintiff met the criterion for the required common issues for certification of a class action:
34 In the present instance, the Plaintiff fails to demonstrate that she has incurred a compensable injury as a result of the 2013 Data Breach.
35 As a matter of fact, the Plaintiff’s discovery demonstrates that she has no reason to believe that she has been the victim of identity theft or fraud as she has not identified any suspicious charges on either her debit or credit cards and she has not received a bad credit report. She continues using her Yahoo account and she admitted not having purchased any identity protection services such as credit monitoring . . .
36 In summary, the Plaintiff has not incurred any out-of-pocket costs associated with the protection of her personal and/or financial information.
37 The only prejudice suffered by the Plaintiff relates to the inconvenience of having to change her passwords in all of the accounts associated with her Yahoo email address and the alleged embarrassment suffered as a result of spam emails that were sent to her friends. The Court is of the view that such prejudice is insufficient to justify a class action.
38 In Mustapha [v. Culligan of Canada, 2008 SCC 27] the Supreme Court has provided guidance on the distinction between minor and transient upsets and compensable injury. Compensable injury must be “serious and prolonged” and rise above the ordinary annoyances, anxieties and fears that a person living in society may experience . . .
. . .
48 Plaintiff also testifies that following the incident, she was never informed that one of her friends suffered any loss or negative consequences in connection with the Spam Emails
. . .
49 In view of the above, the Court concludes that the Plaintiff did not demonstrate an arguable case with regard to the allege cause of action.
[footnotes omitted]
The Court agreed that the composition of a class made it difficult or impracticable to have individual Plaintiffs run their own cases or consolidate proceedings:
53 The common issues described in the Amended Authorization Application are as follows:
- Were the Defendants negligent in the storing and safekeeping of the personal and financial information of the Class Members whose information was ultimately lost and/or stolen between January 1, 2013 and the present?
- Are the Defendants liable to pay damages to the class Members as a result of the Data Breach, including actual monetary losses or expenses incurred, loss of time, inconvenience, moral damages, and/or punitive damages caused by the loss of said information, and if so in what amounts?
54 The Court is of the view that the above constitute common issues and that the issue of damages must not be decided on the particular facts of each case.
The Court held that the class member proposed to be the representative Plaintiff was not in a position to properly represent the class members because she did not suffer any compensable damages:
61 When analyzing this fourth criterion, the Court must be certain that the following three elements are present: (1) interest in the suit, (2) competence, and (3) absence of conflict with the class members.
62 Once again, this criterion must be given a liberal interpretation. No proposed representative should be excluded unless his or her interest or competence is such that the case could not possibly proceed fairly.
. . .
64 The Court of Appeal in Contat v. General Motors du Canada Limitée [2009 QCCA 1699] states:
33 Even though it is not necessary to have the “best possible representative”, appellant having a non-existent or extremely weak personal claim, could not adequately represent the whole group. On one hand, it is his claim which would normally be the basis for the Court to analyze and decide the case. On the other hand, the procedural vehicle of the class action was not designed to be a method of circumventing principles of civil law. Thus, it must be shown in a class action, just as in any action for damages, that there has been a fault, a damage and that there is a causal relationship between the two.
. . .
. . .
66 The Court is of the view that the Plaintiff is not in a position to adequately represent the Class as she did not suffer any compensable damages as a result of the data security incidents. Furthermore, the Plaintiff has not demonstrated any legal basis for a claim of punitive damages.
67 This lack of standing is sufficient to negate this criterion.
[Emphasis by the Court; footnotes omitted]
Commentary
This case follows a line of American decisions to the effect that a Plaintiff has no standing to sue merely because he/she has been the victim of a data breach. The Plaintiff must demonstrate a compensable loss such as actual fraud, identity theft, etc. The fact that the Plaintiff may suffer such actual loss in the future is not enough. Similarly, the fact that the Plaintiff has suffered some annoyance or inconvenience, and has had to take steps to protect themselves (such as undertaking credit monitoring) is insufficient. (There are U.S. cases which have watered down what is required for standing or gone the other way.)