Security incidents involving consumers’ personal information are increasingly being reported in the media. Consumers are worried about fraud or identity theft and companies that have suffered such incidents are often the subject of class actions, with more than 80 class actions involving privacy breaches currently in progress across the country. The Superior Court of Québec recently reiterated that, even at the stage of authorizing a class action, the plaintiff must prove prima facie that compensable prejudice has occurred. This decision confirms the principle established by the Court of Appeal in Sofio v. OCRCVM2 that it is not sufficient to only demonstrate the fault of a corporation that is the subject of a loss or theft of personal information in order to obtain compensation. The existence of tangible and financially compensable prejudice (financial fraud or identity theft for example) must be demonstrated in order for a class action to be authorized. Simple ordinary and temporary inconvenience, psychological distress or embarrassment do not constitute damages that can be compensated. In contexts where most individuals affected by a security incident would not necessarily suffer any tangible prejudice (especially given that more organizations are offering credit monitoring services following the occurrence of such breaches), this decision provides an update on the types of class actions that might be rejected at the authorization stage.
Summary of facts
In 2016, Yahoo! informed its members that it had been the victim of a data theft affecting more than 500 million of its members. The applicant sought leave to institute a class action since she alleged that she had suffered psychological distress and various losses associated with the potential intrusion of her personal data, and suffered from the embarrassment of spam sent to her acquaintances on her behalf. The proposed class action sought to represent all individuals in Québec (1) who may have had their personal and/or financial information stolen as a result of a cyber-attack on Yahoo! since 2013 (2) or who have had to pay certain amounts to protect their identity following the breach. The applicant also alleged that the class members were entitled to an indeterminate amount as punitive damages.
In Bourbonnière v. Yahoo Inc., the Honourable Tremblay first redefined the proposed class action group to include only those who have been victims of data loss and/or theft from Yahoo! Inc. or Yahoo! Canada Co, between 2013 and 2019.
The Court then analyzed the second criterion of art. 575 of the Code of Civil Procedure3, namely the requirement that the alleged facts must appear to justify the conclusions sought. The Court noted that the only fault alleged against Yahoo! was its negligence in protecting the financial and personal information of its members. The Court then endorsed the Court of Appeal's comments in Sofio and confirmed that the demonstration of a fault does not presuppose the existence of a prejudice. Thus, despite the security breach, the applicant must also demonstrate that compensable prejudice resulted from the breach, which the applicant failed to demonstrate in this case.
More specifically, as to the alleged damages, the Court concluded that they consisted for the applicant in (1) changing her Yahoo! password; and, (2) the embarrassment of having to explain to her acquaintances that the spam sent from her Yahoo! account was the result of a security breach. Relying on the decision Mustapha v. Culligan of Canada Ltd4, Justice Tremblay concluded that the alleged damages are merely ordinary and temporary inconveniences, not grounds for compensable damages. As in Sofio, where the applicant alleged that he had had to monitor his bank accounts and credit cards as well as his mail to ensure that there were no irregularities, the Court considered that these acts were similar to those that are generally part of social life in the 21st century. The Tribunal also held that, in the absence of any legal basis to justify them, punitive damages could not be awarded.
Bourbonnière v. Yahoo! Inc. confirms the well-established principle that the fault of having lost or failed to protect the confidential information of its clients does not ipso facto cause prejudice. For a class action to be authorized, an applicant must demonstrate prima facie the existence of a real prejudice, namely prejudice that is “serious and prolonged and rise above the ordinary annoyances, anxieties and fears that people living in society routinely, if sometimes reluctantly, accept”5 in order to be eligible for compensation. In other words, being the object of theft or loss of information is annoying, but not enough in itself to represent compensable prejudice.
1 2015 QCCA 1280 (Sofio).
2 CQLR c. C-25.01.
3 RLRQ c. C-25.01.
4  2 SCR 114.
5 Id, par. 9.