Data Breaches: Do class actions pose a viable remedy?

In 2014, data breach occurrences have increased by approximately 30%. As web-based services become more prominent, protection against and remedies for breaches of privacy will become necessary. Does class action litigation have a place in this shifting landscape?

Introduction

During the first half of September 2014, the following data breaches, among others, occurred or were discovered:

• approximately 56 million credit card numbers were stolen when hackers broke into Home Depot’s in-store payment systems;¹
• nearly 5 million Gmail addresses and passwords were found on a Russian security website;²
• up to 90 bank servers at JP Morgan were infiltrated by hackers, compromising the accounts of 76 million households and 7 million small businesses;^{3, 4}
• more than 31,000 patients at a Central Utah Clinic may have had their personal information accessed in a data breach;⁵ and
• the iCloud accounts of over 100 celebrities were hacked and nude photos were released in what Apple denies was an iCloud breach but rather a “very targeted attack.”^{6, 7}

Data breaches are on the rise. In the U.S., there have been 546 breaches this year to date, representing an increase of 28.4% over this time last year.⁸

The Home Depot Data Breach

The Home Depot data breach mentioned above is the largest data breach to date, affecting 56 million cardholders over a five month period. The next largest breach, Target, affected 40 million cardholders over a three-week period.⁹

On September 4, 2014, Home Depot customers filed a class action lawsuit in the United States District Court for the Northern District of Georgia, Atlanta Division (the “Customer Complaint”).¹⁰ On September 16, 2014, First Choice Federal Credit Union commenced a class action on behalf of financial institutions against Home Depot for damages suffered as a result of the data breach in the same Court as the Customer Complaint (the “Financial Institution Complaint”).¹¹

The Customer Complaint claims damages for negligence, breach of implied contract, bailment, and unjust enrichment. The harm stems primarily from what the plaintiffs and putative class members consider to be an “unreasonable delay by Home Depot in providing notice” of the data breach in violation of state data breach statutes. Similar claims have been commenced in Canada on behalf of Canadian customers.¹²

The Financial Institution Complaint alleges that financial institutions have and will continue to incur costs as a result of the data breach associated with notifying customers of issues related to the Home Depot data breach. For example, closing out and opening new customer accounts, reissuing customers’ cards, and/or refunding customers’ losses resulting from the unauthorized use of their accounts. The plaintiff Financial Institutions also claim for lost revenues, claiming that customers use their debit and credit cards less after a data breach.

Certifying a Privacy Class Action

Is a class action the preferable procedure?

Part of the analysis performed by the Court when deciding whether an action should be allowed to proceed as a class action under the Class Proceedings Act, 1992 involves assessing whether a class action would be the preferable procedure for the resolution of the common issues. Preferability must be examined in reference to the three principal goals of class actions: judicial economy, access to justice and behaviour modification.¹³

When assessing the goals of access to justice and judicial economy, the court will consider whether customers have access to “a fair process to resolve their claims” where they will receive a “just and effective remedy” without imposing on the limited resources of the legal system.¹⁴ The court’s findings in this regard will likely depend on the steps already taken by the company to remedy the data breach. A court is less likely to find that a class action is the preferable procedure where the company took immediate and comprehensive steps to remedy the breach.

For example, Home Depot is offering free identity protection services, including credit monitoring to any customer who used a payment card at a Home Depot store after April 2014.¹⁵ Additionally, any fraudulent charges made on customers’ cards will be refunded by the relevant financial institutions. In these circumstances, one could argue that the systems already established by Home Depot and the financial institutions provide a suitable and expeditious alternative to a class action for customers who require identify protection and/or suffered monetary damages. One could similarly argue that the goal of behaviour modification has been fulfilled by the stream of negative press attention that Home Depot has received since the data breach and the cost to Home Depot in offering free identity protection.

In the Home Depot scenario, a court might be more likely to find that a class action is the preferable procedure for claims by the financial institutions, who haven’t been made whole for their increased costs and lost revenues experienced as a result of the data breach.

Is there a cause of action?

A further part of the analysis performed by the Court when deciding whether an action should proceed involves assessing whether there is a cause of action.

Given that Home Depot has moved proactively to rectify the situation, the only remaining uncompensated claims are for emotional distress and inconvenience following the invasion of customers’ personal privacy.

Recently, the Ontario Court of Appeal established the tort of “Intrusion upon Seclusion” in the case of Jones v Tsige, 2012 ONCA 32 (“Jones”). This tort may occur in situations where an individual’s personal privacy has been breached. The Courts have recently certified at least two class actions based on the tort of intrusion upon seclusion.¹⁶

The key elements of the tort of intrusion upon seclusion are as follows:

1. The defendant’s conduct must be intentional, or reckless;
2. The defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and
3. A reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.¹⁷

Proof of harm to a recognized economic interest is not an element of the cause of action.¹⁸

However, as Justice Sharpe  stated in Jones, “[a] claim for intrusion upon seclusion will arise only for deliberate and significant invasions of privacy. Claims from individuals who are sensitive or unusually concerned about their privacy are excluded.”¹⁹ Intrusions into matters such as one’s financial or health records, sexual practices and orientation, employment, diary or private correspondence, may objectively be considered as highly offensive.²⁰

Further, damages for intrusion upon seclusion are capped at $20,000, not inclusive of aggravated or punitive damages.²¹ Although the defendant in Jones had accessed the plaintiff’s personal bank account approximately 174 times over four years, the plaintiff received $10,000.

It will be interesting to see how the Court will apply Jones to the facts of the Home Depot data breach.

Pending Hospital Privacy Cases

There are presently two similar cases being pursued against Ontario hospitals where patient information was unlawfully collected by rogue employees then unlawfully disseminated. The hospitals have fired the rogue employees and apologized to the affected patients.

The case of Hopkins v Kay, 2014 ONSC 321, involving 280 patients of a Peterborough Hospital, is scheduled to be heard by the Court of Appeal on December 15, 2014. A larger case, launched on behalf of 14,450 patients of Rouge Valley Health System whose information was collected and sold to private companies, is on hold until the Court of Appeal issues its ruling in Hopkins.²²

There is a strong argument that the hospital is vicariously liable for the privacy breaches committed by its employees, particularly where employee access to personal health information was not regulated or restricted.²³

The Future of Privacy Class Actions

As services become more digital and interconnected, consumers and corporations alike should be canvasing the various ways in which to protect themselves from and remedy against possible data breaches.

As Justice Sharpe commented in Jones, existing provincial legislation merely provides individuals with “a sweeping right to privacy,” which is left to the courts to define.²⁴ If the Courts ultimately find that data breaches are not actionable as class actions, the legislature could choose to create a statutory cause of action in order to provide victims of data breaches with a remedy.

The decision of the Court in the two hospital privacy cases referenced above will be highly influential on the future landscape of privacy class actions, legislation and the way companies protect their clients’ personal information.

¹ The Home Depot, Press Release, “The Home Depot Completes Malware Elimination and Enhanced Encryption of Payment Data in All U.S. Stores – Provides Further Investigation Details, Updates Outlook” (18 September 2014) online: The Home Depot Media Centre.

² Kate Vinston, “Data Breach Bulletin: Gmail, Central Utah Clinic, JP Morgan, George Mason University”, Forbes (16 September 2014), online: Forbes.

³ Jessica Silver-Greenberg et al., “JPMorgan Chase Hacking Affects 76 Million Households”, New York Times (2 October 2014), online: DealBook

⁴ Estimates from earlier this month were significantly lower, stating that only a million customer accounts were affected (supra note 2).

⁵ Ibid.

⁶ Duane D. Stanford, “Celebrity Nude-Photo Hack May Be Breach of Apple’s ICloud”,  Bloomberg (1 September 2014), online: Bloomberg.

⁷ Daisuke Wakabayashi and Danny Yadron, “Apple Denies iCloud Breach”, The Wall Street Journal (2 September 2014), online: The Wall Street Journal.

⁸ 2014 Data Breaches (16 September 2014), online: Identity Theft Resource Center.

⁹ Jim Finkle, “Home Depot breach bigger than Target at 56 million cards”, Reuters (18 September 2014), online: Reuters.

¹⁰ Harris Penn Lowry LLP, News Release, “Class Action Suit Filed Against Home Depot For Consumer Data Security Breach” (4 September 2014) online: PR Newswire .   Solak et al v The Home Depot, Inc., ND Ga, Case no. 1:14-cv-02856-WSD. Filed 9 September 2014.

¹¹ First Choice Federal Credit Union v The Home Depot, Inc., ND Ga, Case no. 1:14-cv-02856-WSD. Filed 16 September 2014.

¹² Richard Blackwell, “Home Depot breach prompts class action”, The Globe and Mail (18 September 2014) online: The Globe and Mail ; Catherine Lathem, “Ottawa man taking on Home Depot in massive class action lawsuit”, CTV News Ottawa (23 September 2014) online: CTV News.

¹³ Hollick v Toronto (City), 2001 SCC 68; Pro-Sys Consultants v Microsoft Corporation et al, 2013 SCC 57 at para 137.

¹⁴ AIC Limited v Fischer, 2013 SCC 69 at para 24.

¹⁵ The Home Depot, Press Release, “The Home Depot Completes Malware Elimination and Enhanced Encryption of Payment Data in All U.S. Stores – Provides Further Investigation Details, Updates Outlook” (18 September 2014) online: The Home Depot Media Centre.

¹⁶ In Condon v Canada, 2014 FC 250, a class action was certified against the defendant, her Majesty the Queen, with respect to the loss of a hard drive that contained the personal information, SIN numbers and amounts of student loans of class members.
In Evans v Wilson, 2014 ONSC 2135, a class action was certified against the defendant, Bank of Nova Scotia, where an individual employee of the bank had admitted to accessing customer files for the purposes of facilitating third parties perpetrating acts of identity theft and fraud against the customers.
In Hopkins v Kay, 2014 ONSC 321, the Court dismissed the defendants motion to strike the Statement of Claim alleging the defendant intentionally and wrongfully accessed the hospital records of approximately 280 patients, allowing the class action to proceed.

¹⁷ Jones v Tsige, 2012 ONCA 32 at para 71.

¹⁸ Ibid at para 71.

¹⁹ Ibid at para 72.

²⁰ Ibid at para 72.

²¹ Ibid at para 87. In its reasons, the Court of Appeal neither excluded nor encouraged the award of aggravated and punitive damages. They intended to create a predictable and consistent tort where plaintiffs are held to the range unless there are “truly exceptional circumstances” (para 88).

²² Joel Eastwood, “Peterborough lawsuit to set precedent for Ontario patient privacy rights”, Toronto Star (3 September 2014) online: thestar.com.

²³ These hospital breach of privacy cases are very similar to the recently certified Evans v The Bank of Nova Scotia (supra note 8).

²⁴Jones v Tsige, 2012 ONCA 32 at para 54.