Quick and transparent response meant defendant avoided punitive damages
Quebec courts have dismissed two separate class actions aimed at the Investment Industry Regulatory Organization of Canada (IIROC) for losing the personal information of tens of thousands of Canadians. Lawyers say IIROC’s actions in the wake of the privacy breach should serve as a blueprint for organizations facing similar incidents.
After the first class action failed to pass the authorization stage, a Quebec Superior Court dismissed the second on its merits in 2021, and the Court of Appeal confirmed the ruling in May.
IIROC’s response to the breach allowed it to avoid punitive damages, says Anne Merminod, a partner at Borden Ladner Gervais LLP in Montreal.
IIROC launched an internal investigation and hired independent computer-security consultants to determine what information had been lost. The organization called the police, the Commission d’accès à l’information du Québec, and the Office of the Privacy Commissioner of Canada. IIROC also met with the brokerage firms whose information was lost, put out a press release, and sent letters to investors to inform them of the incident and of the measures IIROC was taking to address the exposure. These included hiring two credit-reporting agencies to help investors monitor their financial activity, as well as retaining the services of a call centre to field their inquiries.
“You have to put into place measures to make sure that there’s no consequence suffered by the potential victims,” says Isabelle Vendette, a partner in McCarthy Tétrault’s litigation group in Montreal, who was not involved in the case. In this situation, the credit-monitoring was key, she says. “First, it’s going to provide free protection for the victim. And second, it’s going to ensure that, if there’s identity theft, then it’s caught quickly.”
That both the Superior Court and Court of Appeal dismissed the claim for punitive damages should incentivize companies to “act quickly and be transparent when there’s a data breach,” says Vendette.
“It’s kind of a blueprint case for a data-loss management for other companies,” says Merminod, who represented IIROC with BLG colleagues Stéphane Pitre and Alexis Leray. “It serves as an example of a good corporate response following a loss of personal information. And I think that institutions could take inspiration from the measures taken by IIROC to avoid punitive damages, but also to know what exactly they should do following a loss.”
In February 2013, an IIROC inspector forgot his laptop on a train. The computer held personal information on 50,000 investors, and while the data was password-protected, it was not encrypted.
Once IIROC informed the investors of the breach, one of them tried to bring a class action, seeking $1,000 for every person whose information IIROC lost. The Superior Court rejected Paul Sofio’s application for authorization, finding that he had failed to show any compensable harm. Following the threshold that the Supreme Court of Canada established in Mustapha v. Culligan of Canada Ltd., 2008 SCC 27, Sofio had not demonstrated his injury exceeded routine and ordinary annoyances, anxiety and fear, says Merminod.
Then in 2015, another impacted investor, Danny Lamoureux, brought his own class action. Lamoureux’s claim differed from Sofio’s in that it included damages for the unlawful use of his personal information – he had been the victim of identity theft – and Lamoureux provided more detail on the inconveniences suffered due to the loss of the data. Unlike Sofio’s, Lamoureux’s suit was authorized.
But in March of last year, Quebec Superior Court Justice Florence Lucas dismissed Lamoureux’s class action.
Lamoureux had to show he had suffered damages upon being alerted to the lost personal information, as well as a causal link between the lost information and the damages from the alleged identity theft resulting from the loss. Justice Lucas found that, like Sofio before him, Lamoureux could not demonstrate that the incident had caused anything more than the minor inconveniences and worries that any person in society should expect. The judge viewed the steps required from class members, which included closely monitoring their financial accounts to watch for fraud, as standard protective measures in the modern, digital financial system.
For Lamoureux, and those class members who argued the lost laptop had led to the unlawful use of their data, Justice Lucas found no evidence of causation. While no one ever found the laptop, an expert whom IIROC hired told the court that had fraudsters recovered the laptop, there would have been more fraud, and the fraud which did occur would have been more uniform.
The expert also testified that the information Lamoureux said his identity thief had used was not in the laptop, says Merminod.
“Nowadays, there are so many breaches of privacy,” she says, “that you can be the victim of a fraud, or of an attempted breach, but it’s not necessarily related to the event you believe. And so, it is the plaintiff’s burden to demonstrate that there’s a connection.”