Thursday, August 22, 2019

Another privacy class action dismissed due to lack of compensable damages

Privacy class actions seem to be having a bit of a rough time as of late.

“The need to change a password at a higher frequency cannot give rise to a serious compensable loss claim.”

Following a trend that has become reasonably well established in Québec and is expanding across Canada, the province’s Superior Court has refused to certify a privacy class action on the basis that the representative plaintiff did not experience any compensable harm. In Bourbonnière c. Yahoo! Inc., Justice Tremblay considered a certification application brought by a putative class of individuals affected by a range of data breaches suffered by Yahoo! Inc. and Yahoo! Canada Corp. Yahoo! had announced a number of incidents, including one that saw information about 500 million users stolen in 2014, another in 2013 which also involved information theft and unauthorized access to account data using a forged digital cookie file.

The representative plaintiff testified that she had no reason to believe that she had been a victim of identity theft or fraud as a result, and had not identified any suspicious financial transactions. In addition, she continues to use her Yahoo! mail account and has not signed up for any identity theft protection or credit monitoring products.

The Court summarized her harm at paragraphs 36 and 37:

[36] In summary, Plaintiff has not incurred any out-of-pocket costs associated with the protection of her personal and/or financial information.

[37] The only prejudice suffered by the Plaintiff relates to the inconvenience of having to change her passwords in all of the accounts associated with her Yahoo email address and the alleged embarrassment suffered as a result of spam emails that were sent to her friends. The Court is of the view that such prejudice is insufficient to justify a class action.

This conclusion was based on a growing line of authorities in Québec. The Court referred to Mustapha v. Culligan of Canada Ltd of the Supreme Court of Canada, standing for the proposition that “compensable injury must be ‘serious and prolonged’ and rise above the ordinary annoyances, anxieties and fears that a person living in society may experience”.

[42] Similarly, in Mazzonna, a case involving the loss of data tape, the Superior Court concludes that the anxiety felt by the plaintiff upon and after learning that her personal information had been lost and the modification of habits in the manner in which she managed her bank account, is not enough to meet the threshold, even on a prima facie basis, of the existence of compensable damages.

[43] The present case can be distinguished from other data security incident cases such as Zuckerman and Belley since, unlike these two other cases, Plaintiff has not incurred any expenses for credit monitoring services nor was she a victim of identity theft.

[44] The transient embarrassement [sic] and inconveniences invoked by the Plaintiff are of the nature of ordinary annoyance and do not constitute compensable damages recoverable under the applicable law. Indeed, the need to change a password at a higher frequency cannot give rise to a serious compensable loss claim.

The Court also had issues with the composition of the class, particularly a subclass referred to as the “Collateral Victims”, being “all other persons, businesses, entities, corporations, financial institutions or banks who suffered damages or incurred expenses as a result of the data security incidents”. As the plaintiffs had not identified any single “Collateral Victim”, the court concluded that this particular subclass was “artificial” and questioned its existence.

The application for certification was dismissed. It is notable that a parallel Ontario proceeding is ongoing.

A previous version of this was written for the Canadian Technology Law Association newsletter.