This privacy class action resulted from a data breach by cybercriminals. In September 2013, the cybercriminals accessed the Defendant’s system, which contained personal information of customers and prospective customers.[1] The action, with an approximate class size of 12,000 people, was certified in August 2017 and included a claim in negligence.[2]
The Defendants sought to have the class action dismissed for want of prosecution, arguing that the Plaintiffs took insufficient steps to advance the litigation. The Defendants also sought to have the claim struck or decertified, asserting that the Plaintiffs failed to plead a type of loss capable of grounding a claim in negligence.
Neither of the Defendant’s applications were successful. This case offers important insight into the development of negligence law in the context of privacy breaches. The Court’s conclusions indicate that negligence claims may proceed in the absence of present loss. The Court signalled that the theft of sensitive, personal information may sufficiently qualify as an “injury to the person or property damage” for a claim in negligence.
Defendant’s Application to Dismiss for Want of Prosecution
The Court concluded that the roughly 22-month delay in this matter was not unreasonable. The Court found that the Plaintiffs took considerable steps to advance the case to the point of certification and that both parties had been actively litigating their respective interests since 2013.
The Court also held that the Defendant failed to prove that it was prejudiced, concluding that the Defendant’s overall strategy undermined its argument. Instead, the Court found that the Defendant’s strategy involved attrition, pointing to its application to strike at the early stages of litigation, the contested certification, and the appeal of the 2017 certification decision.
The Court’s approach illustrates that dismissals for delay will not be granted lightly. In dismissing the Defendant’s delay argument, the Court considered that the case raised important privacy concerns[3] and restated that class proceedings are typically more complex, which weighs against dismissal for want of prosecution.[4]
Defendant’s Application to Strike or Decertify
The Defendant argued that the compensable damages sought in respect of negligence were insufficient to ground a claim in negligence. The Defendant’s position was that the Plaintiffs’ sought damages were for the risk of future identity theft (future harm) or otherwise for out-of-pocket monitoring expenses that were pure economic losses and not permitted under the common law.
Future Harm
Relying on Campbell v Capital One Financial Corporation, the Court restated the principle that courts have accepted that a demonstrated and real risk of future harm may give rise to compensable loss even absent evidence that stolen data has been used.[5] The Court concluded that substantial risk of future identity theft may constitute compensable loss sufficient to sustain a claim in negligence. In the Court’s words, “[c]ourts routinely entertain novel legal issues in class proceedings; the threshold requirements of certification should not mean that the plaintiffs in class proceedings may not advance positions based on unsettled law.”[6]
Out-of-Pocket Expenses and Pure Economic Loss
The Plaintiffs argued that their out-of-pocket expenses were connected to the theft of personal information, which resulted in injury to person or property. In the alternative, they argued that the out-of-pocket expenses fell within the recognized exception to the rule against recovery of pure economic loss: this was negligent performance of a service and thus, the out-of-pocket expenses were sufficient to ground their claim.
Pure economic loss is economic loss that is not connected to a physical or mental injury to a person or physical property damage.[7] Pure economic loss is generally not recoverable in negligence, but there are exceptions where an injury has not yet materialized, including damages to remove a real and substantial risk of harm and in negligent performance of a service.[8]
The Court emphasized the growing recognition of the need for legal protection of informational privacy in concluding that sensitive personal information could constitute a compensable loss capable of sustaining a negligence claim, and that the out-of-pocket expenses pleaded by the Plaintiffs were not pure economic loss.[9]
In the event that the out-of-pocket expenses were pure economic loss, the Court concluded that the exception of negligent performance of a service could apply.[10]
Any article or other information or content expressed or made available in this Section is that of the respective author(s) and not of the OBA.