Skip to content

Cybersecurity class actions against database defendants persist, but hurdles for plaintiffs remain

By Sarah Dever Letson, CIPP/C, Meaghan McCaw and Bertina Lou[1]

Two decisions earlier this month from the Court of Appeal for British Columbia left open the question as to whether so-called “database defendants” can be held liable in negligence or statutory privacy torts where, due to their inadequate security, a third-party hacker accesses a person’s private information in the database defendant’s possession.[2]

In both cases, the Court of Appeal concluded that class actions based on negligence and statutory breach of privacy claims were “not bound to fail.”

These cases arguably broaden the potential application of statutory privacy torts to database defendants. Both statutory and common law privacy torts do not require proof of actual damage. However, plaintiffs will still face challenges on proving damages for those claims, such as negligence, that require proof of pecuniary loss.

G.D. v. South Coast British Columbia Transportation Authority, 2024 BCCA 252

In 2020, TransLink was the subject of a cyberattack. Third-party hackers gained access to TransLink’s network drives and were able to view and extract employee personal information. Former employees of TransLink sought to be appointed as the proposed representative plaintiffs in a class proceeding.

The original claim for certification was denied. The statutory tort based on British Columbia’s Privacy Act required that the defendant: (i) wilfully, and, (ii) without a claim of right, (iii) violated the privacy of the plaintiff. The chambers judge concluded that a data custodian cannot be liable under the Privacy Act in the event of a data breach caused by a third-party hacker because this “willful” component would be lacking.

On appeal, the Court concluded that the use of the word “wilfully” will be interpreted differently depending on the statutory purpose and context. The Court found that it is arguable that a person’s reasonable expectation of privacy may include an expectation that their personal information will be safeguarded and protected by the database defendant to whom they entrusted it, so as to protect the privacy in the information. Therefore, depending on the circumstances, it is at least arguable that a database defendant, who has collected plaintiffs’ private information but failed to safeguard it from an unrelated cyber attacker, has committed the statutory tort of “wilful violation of privacy”.

The Court of Appeal also overturned the chambers judge’s denial of certification in negligence. The chambers judge had decided that the claim in negligence amounted to a claim for negligent breach of a statutory duty, a claim that is not permissible at law. On appeal, the Court concluded that it is not plain and obvious that TransLink owed no duty of care in negligence to the appellants whose private information it collected and stored, or that for policy reasons this Court ought to find TransLink should owe no such duties of care.

However, the Court noted that every negligence claim must include the element that the plaintiff suffered harm. It remains an open question whether harm to the class can be properly assessed in the aggregate, in cases where only some of the plaintiffs claim this risk has materialized in that they have been subject to fraud.

Campbell v. Capital One Financial Corporation

Campbell v Capital One Financial Corporation[3] was certified as a multi-jurisdictional class proceeding before the Supreme Court of British Columbia in 2022. The case concerns a hacker’s downloading of the personal and financial information of roughly six million Canadian customers and 100 million American customers of Capital One bank.

The hearing judge had certified the class action for the claims of negligence, breach of contract, breach of statutory privacy torts, and breach of consumer protection legislation, and disallowed five of the other claims: breach of warranty, breach of contractual duty of honest performance, breach of confidence, intrusion upon seclusion, and breach of the Civil Code of Québec.

The appellant appealed the chambers judge’s findings with respect to the claim for breach of confidence based on the wrongful retention of confidential information, and the claim under British Columbia’s Negligence Act assigning joint and several liability to Capital One for the tort of intrusion upon seclusion committed by the hacker.

The Court concluded that the claim of breach of confidence was not made out in the pleadings on the basis that the unauthorized use of the information and any ensuing detriment from that use was attributable to the hacker only, and not to Capital One.

However, consistent with the decision in G.D. v. South Coast British Columbia Transportation Authority, the Court of Appeal did not disturb the finding of the chambers judge that a claim against the database defendant based on the statutory tort found in the Privacy Act was “not bound to fail.”

On the claim under the Negligence Act, the Court of Appeal held that the Negligence Act does not extend to circumstances wherein the conduct of different tortfeasors gives rise to different kinds of damage. The tort of intrusion upon seclusion allows for the recovery of “moral” or “symbolic” damages, where there is no pecuniary loss. To the contrary, in order to be successful, a claim in negligence requires actual loss.

The “intrusion” was committed by the hacker, not Capital One, and the Court held that the Negligence Act cannot be used to hold a negligent party jointly and severally liable for the kind of damage for which it could never have been responsible if acting alone.

How this may affect you

These cases highlight a key distinction between those provinces that have statutory privacy torts (including, notably, Newfoundland and Labrador) and those that do not.

In provinces where there is no statutory privacy tort, such as Ontario, the Ontario Court of Appeal has been clear that if a data custodian was to be liable for the “intrusion” actions of an independent third-party hacker, this would be a “drastic” extension of liability beyond the parameters of the “intrusion upon seclusion” common law tort (see, most recently, Del Giudice v. Thompson, 2024 ONCA 70 at para. 35).

This pair of decisions from the British Columbia Court of Appeal make it clear that the statutory privacy law torts and the common law tort of intrusion upon seclusion are not identical; therefore, the result may vary depending on the facts and jurisdiction of a particular breach.

Lawyers from our Privacy Group are always available to discuss and help you decide on the best strategic approach for your legal issues.


This client update is provided for general information only and does not constitute legal advice. If you have any questions about the above, please contact the authors or a member of our Privacy Group.

Click here to subscribe to Stewart McKelvey Thought Leadership.

[1] At time of publication, Bertina Lou was employed with the Firm as a summer law student.
[2] Campbell v. Capital One Financial Corporation, 2024 BCCA 253 (CanLII) G.D. v. South Coast British Columbia Transportation Authority, 2024 BCCA 252
[3] Campbell v Capital One Financial Corporation, 2022 BCSC 928 (CanLII)

SHARE

Archive

Search Archive


 
 

Bill C-365 calls for plan for implementation of open banking in Canada

November 17, 2023

By Kevin Landry On November 9 2023, Bill C-365, An Act respecting the implementation of a consumer-led banking system for Canadians (“C-365”), short titled as the ‘Consumer-led Banking Act’ was read in the House of…

Read More

More limits: NSCA tightens the test for disallowing a limitations defence

November 15, 2023

By Jennifer Taylor The Nova Scotia Court of Appeal (“NSCA”) has issued an important decision clarifying the test to disallow a limitations defence. The decision, Halifax (Regional Municipality) v Carvery (“Carvery”), has real implications for personal…

Read More

Anticipating changes to the Competition Act: what businesses need to know

November 1, 2023

By Deanne MacLeod, K.C., Burtley Francis & David Slipp On September 21, 2023, the Federal Government introduced Bill C-56: An Act to amend the Excise Tax Act and the Competition Act (“Bill C-56”), with the…

Read More

Powering the future: Green choice program regulations

September 22, 2023

By Nancy Rubin, K.C. and Lauren Agnew The long-awaited Green Choice Program Regulations (N.S. Reg. 155/2023) were released by the provincial government on September 8, 2023, offering some clarity into the practical implementation of Nova…

Read More

Privilege protected: Court of Appeal rules NL’s Information and Privacy Commissioner barred from reviewing solicitor-client privileged information

September 20, 2023

By Koren Thomson, John Samms, and Matthew Raske The Newfoundland and Labrador Court of Appeal has held that the Information and Privacy Commissioner for this province (the “Commissioner”) does not have the authority to order…

Read More

Amendments required for Prince Edward Island code of conduct bylaws

September 18, 2023

By Perlene Morrison, K.C. Municipalities are required to pass code of conduct bylaws in accordance with section 107 of the Municipal Government Act (the “MGA”). Subsection 107(1) of the MGA specifically states that a municipality’s…

Read More

Professionally speaking: Ontario Superior Court upholds professional regulators’ right to moderate speech

September 14, 2023

By Sheila Mecking and Kathleen Starke On August 23, 2023, the Ontario Superior Court (“ONSC”) upheld a complaints decision which ordered a psychologist to complete a continuing education or remedial program regarding professionalism in public…

Read More

One-year reminder for federal employers: Pay equity plans due September 3, 2024

September 5, 2023

By Dante Manna As we advised in a previous podcast, all federal employers with at least ten employees[1] have been subject to the Pay Equity Act [2] (“PEA”) and Pay Equity Regulations [3] (“Regulations”) since…

Read More

Charging to net-zero: Government releases draft Clean Electricity Regulations

August 23, 2023

By Nancy Rubin, K.C. Environment and Climate Change Canada (ECCC) recently published a draft of the Clean Electricity Regulations (CER). The proposed Regulations work toward achieving a net-zero electricity-generating sector, helping Canada become a net-zero…

Read More

Supreme Court of Newfoundland and Labrador rejects developer’s constructive expropriation claim

August 18, 2023

By Stephen Penney & Matthew Raske In the recent decision Index Investment Inc. v. Paradise (Town), 2023 NLSC 112, the Supreme Court of Newfoundland and Labrador validated the Town of Paradise’s decision to rezone lands…

Read More

Search Archive


Scroll To Top