Introduction
On March 26, 2021, the Superior Court rendered a landmark judgment dealing with the loss of personal information, Lamoureux c. OCRCVM, 2021 QCCS 1093. Madam Justice Florence Lucas, J.C.S., dismissed the class action filed by the plaintiff, Danny Lamoureux, in its entirety. This was the first judgment rendered at the merits stage in a matter involving a loss of personal information in Québec and in Canada.
On February 22, 2013, an inspector working for the Investment Industry Regulatory Organization of Canada (the IIROC) forgot his laptop computer on a train. The missing computer contained certain personal information relating to individuals collected from securities brokers who were under inspection. Despite IIROC’s best efforts, the computer was never found.
In the wake of that loss, a class action was first brought by Mr. Sofio. His suit was dismissed at the authorization stage, there being no right to compensation, as the petitioner had failed to demonstrate a compensable injury1. The Court of Appeal affirmed the judgment2. Following this setback, Mr. Lamoureux started his own class action, which was authorized in October 2017. Contrary to Mr. Sofio, Mr. Lamoureux pleaded that he had indeed been victimized by the theft of his personal information.
Analysis
The Court dismissed the action in its entirety, for want of preponderant evidence of all the elements of civil liability. The judgment clarifies and confirms the circumstances that can give rise to damage awards for personal information losses:
- The principle governing class actions for loss of personal information: At the outset, Justice Lucas held that (translation) “It is not necessary for the class members to have been victims of any unlawful use of their information to support their claims”, provided that some compensable injury is proven by a preponderance of evidence.3
- Normal inconveniences of life in society are not compensable: Affirming the Court of Appeal in Sofio and in Fortin c. Mazda, and relying on the holding of the Supreme Court in Mustapha, Lucas, J.C.S. confirmed that mere fears, annoyances, stress and worries experienced by the class members concerned, relating to the loss of their personal information (the monitoring of their accounts, the measures taken by credit agencies, the shame they felt) were all (translation) “normal inconveniences that anyone living in society encounters and should be obliged to accept”.4 The testimony of the class members provided (translation) “few details, concrete facts or significant manifestations of their psychological states”. Moreover, no documentary or medical evidence had been adduced to prove the extent of their sufferings. Consequently, the minimal evidentiary threshold for moral damages to be compensable had not been reached.
- Credit protection services provided free of charge: Mr. Lamoureux’s case differed from similar loss of personal data claims where the petitioners themselves had taken steps to protect their identity and had incurred costs in doing so.5 In this case, the IIROC had provided all necessary protective measures via credit agencies, free of charge.
In addition, it was unreasonable to expect to obtain credit instantly given that unauthorized access and data thefts occur more and more frequently. Accordingly, certain delays resulting from the need to check identities did not constitute compensable damages.
- No evidence of wrongful use of the lost personal information: The Court concluded that the plaintiff failed to prove by preponderant evidence that the personal information contained in the lost computer had been used unlawfully by anyone. The defence adduced uncontradicted expert evidence that the identity thefts alleged by Mr. Lamoureux and some of the other class members were unconnected, and thus had no causal link, with the loss of the laptop.
- IIROC’s diligent behaviour barred punitive damages: Finally, the learned judge dismissed the claim for punitive damages, because IIROC had (translation) “reacted diligently, in accordance with standards expected in similar circumstances”.6 IIROC’s fault was unintentional and the Organization had taken the required measures, in timely fashion, in accordance with applicable standards in such circumstances, as the expert evidence abundantly proved.
Comment: A “blueprint” for data loss management?
This judgment is especially significant because it provides an example of an appropriate corporate response in a context where class actions are increasingly filed following the loss or theft of personal data. In this particular case, IIROC had notably:
- conducted investigations and carried out intensive internal checks;
- promptly informed the police of the loss of the laptop computer;
- retained a firm of consultants as quickly as possible to perform a “computer forensic and investigative analysis”, so as to determine what specific information was contained in the lost laptop, as well as to design a “privacy risk management” strategy to coordinate a response and manage the risks to potentially affected individuals connected with the loss of the personal information in question;
- notified the privacy commissions concerned of the loss;
- notified the brokerage firms having investors concerned about the situation;
- notified the class members concerned of the loss of their personal information, by means of bilingual letters containing:
  - details of the lost personal information;
  - a reminder of measures that could be taken to protect their personal data;
  - notification that a call centre was being set up to answer class members’ questions;
  - an offer of a free and automatic flagging (alert) service via Equifax and TransUnion, for a period of 6 months;
  - the availability, upon request, of a free, one-year credit monitoring service;
- published a press release announcing the loss of the computer;
- informed class members that it was unaware of any identity theft.
The judgment establishes that where the evidence shows a rapid and diligent response, in compliance with applicable standards in such circumstances, the plaintiff would not be entitled to receive punitive damages.
1 See Sofio c. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2014 QCCS 4061.
2 Sofio c. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2015 QCCA 1820.
3 Paras. 46, 60-61.
4 Para. 7.
5 See Lévy c. Nissan Canada inc., 2019 QCCS 3957; Zuckerman c. Target Corporation, 2017 QCCS 110.
6 Para. 7.