Recently, in Stewart v Demme, the Divisional Court overturned certification in a data breach class action, holding that it is appropriate to screen these cases out early if the evidence shows a data breach had little to no impact. The decision imposes a “high bar” on class action plaintiffs who advance intrusion on seclusion claims for data breaches that do not result in provable harm.
In the decade since the Court of Appeal first recognized the tort of intrusion on seclusion, courts have grappled with how to treat claims involving categories of information that are considered more sensitive (e.g., financial or health records). Even if the data breach had little to no impact on the individuals in question, courts often struggled to screen these claims out at the certification stage.
The Divisional Court held that only claims involving “serious” data breaches can survive certification, and the seriousness of a claim cannot be judged solely based on the type of information in question.