In August 2017, the British Columbia Supreme Court issued its decision in Tucci v. Peoples Trust Company, certifying a national class action lawsuit against Peoples Trust Company relating to a 2013 breach of customers’ personal information.
The Data Breach
In September 2013, cybercriminals gained unauthorized access to computer systems of Peoples Trust Company (“PTC”), a federally regulated trust company that provides financial products and services to customers across Canada. The criminals stole sensitive personal information collected by PTC through its online application portal, and then allegedly used the information to send fraudulent phishing text messages soliciting money or information from affected customers. PTC first learned of the data breach in early October 2013, and gave notice to law enforcement, the Privacy Commissioner of Canada and all potentially affected customers before the end of October. PTC informed potentially affected customers of the security breach and the steps taken by PTC to mitigate the risk of fraud and theft.
In January 2014, the Privacy Commissioner of Canada conducted an investigation and concluded that PTC had not implemented sufficient safeguards to protect customers’ personal information. As a result of the investigation, PTC took additional steps to help customers affected by the data breach and implemented new measures to reduce the risk of future breaches.
The Class Action Lawsuit
In November 2013, the plaintiffs commenced a putative, national class action lawsuit against PTC on behalf of an estimated 11,000 to 13,000 individuals affected by the data breach. The plaintiffs claimed that PTC failed to adequately secure customers’ personal information, and as a result cybercriminals were able to access the personal information and put customers at risk of identity theft, cybercrime and phishing.
The plaintiffs claimed compensation for various harms, including damage to credit reputation, mitigation costs, wasted time, inconvenience and anxiety, and future damage due to identity theft and phishing attempts.
The Certification Decision
The class action was brought pursuant to the British Columbia Class Proceedings Act, which specifies five requirements for certification of a class proceeding: (1) the pleadings disclose a valid cause of action; (2) there is an identifiable class of persons; (3) the claims raise common issues; (4) a class proceeding is a preferable procedure for the fair and efficient resolution of the common issues; and (5) there is an appropriate representative plaintiff.
The court noted that the Canadian approach to certification of class actions is different from the approach taken by United States courts. The court explained that a Canadian certification hearing does not involve a robust analysis of the merits of the proposed class action claims, and that certification of a class action will not be predictive of the outcome of the action at trial. The court noted that a claim will meet the applicable low threshold for certification unless, assuming all alleged facts are true, it is “plain and obvious” that the claim cannot succeed.
(a) Legal Claims
PTC argued that the plaintiffs’ claims were not valid because the Personal Information Protection and Electronic Documents Act (“PIPEDA”) is a complete code that precludes all common law claims for breach of privacy. The court rejected that argument, reasoning that PIPEDA was not intended to abolish all common law claims that might overlap with the remedies provided by PIPEDA.
The court held that the plaintiffs had properly alleged claims based on breach of contract, negligence and breach of common law right to privacy (intrusion upon seclusion), and it was not plain and obvious that those claims were bound to fail. In particular, the court noted as follows:
- Proof of damage is not a required element of a breach of contract claim.
- The facts alleged by the plaintiffs (including PTC’s policies and contracts, reasonably foreseeable harm, and a close and direct relationship between PTC and its customers) could be sufficient to give rise to a duty of care owed by PTC to its customers that was not negated by countervailing policy concerns.
- It was not plain and obvious that there is no federal common law tort of intrusion upon seclusion.
The court held that the plaintiffs’ claims for breach of confidence and unjust enrichment were either not properly alleged or were bound to fail.
With respect to the plaintiffs’ claims for various kinds of damages, the court held as follows:
- Most of the plaintiffs’ claims for compensation (e.g. damage to credit reputation, costs incurred to prevent identity theft, time and inconvenience to prevent harm, the risk of identity theft and cost of credit monitoring services) could be maintained because they were not clearly bound to fail.
- The plaintiffs’ claims for compensation for “mental distress” (including anxiety and frustration) could not be maintained, because the distress was not alleged to be sufficiently serious and prolonged or more than ordinary annoyances.
- The plaintiffs’ claims for punitive damages could not be maintained, because the plaintiffs did not allege that PTC engaged in misconduct that was high-handed, malicious or otherwise merited condemnation through punitive damages.
(c) Other Certification Requirements
The court held that the proposed class action met all other requirements for certification – an identifiable class, common issues, preferable procedure and representative plaintiffs.
The court certified the class action, approved the proposed national class on an opt-out basis, and specified the common issues to be determined at trial based on the legal claims the court held could be maintained.
The Tucci decision is generally consistent with previous decisions certifying other Canadian data breach class proceedings, including the certification of class proceedings against the Canada Student Loans Program, Health Canada and Target.
It is instructive to note that the claims certified in the Tucci decision were not limited to claims based on privacy rights, but rather included claims based on generally applicable legal principles – breach of contract, negligence/breach of duty of care – that may well apply to any organization that collects and processes sensitive customer information.
It is also notable that the court refused to certify the claim for punitive damages, because the plaintiffs did not allege misconduct by PTC that would justify an award of punitive damages. In contrast, in the recent Target certification decision the court allowed the plaintiffs to claim punitive damages