In 2021, Justice Perell of the Ontario Superior Court considered whether to approve the settlement in Karasik v Yahoo Inc., a class action resulting from cyber attacks that compromised Yahoo users’ account information.[1] As discussed in "Data breach class actions: Canadian Courts taking a harder look," this case (which remains unpublished) provided valuable insight into the state of privacy breach class actions, with Justice Perell conducting an in-depth review of approved settlements for such actions. Three years later, we consider whether the pattern of modest settlement amounts Justice Perell uncovered has continued or changed.   

Karasik’s summary of settlements to 2021

To inform his evaluation of the settlement before him in Karasik, Justice Perell reviewed the history of data breach class action settlements up to 2021. Of the 36 actions he considered, 27 had been certified and 11 had approved settlements. The per capita value for an individual class member was modest in nearly every case:

  • In five decisions, the value per class member was less than $5 (including amounts of $1, $2.20, $0.64, "cents on the dollar" and $4).
  • In two decisions, the value per class member was $13.78 and $31 plus uncapped individual claims.
  • In two decisions, the value per class member was between $100 and $500. Notably, these cases also involved relatively small class sizes (333 class members and 8,525 class members, respectively).
  • The individual per capita value could not be calculated for three of the settlements, two of which involved an uncapped claims process and the other provided for claims capped at $2,500.

Three years and a few new decisions later, the pattern shows no sign of altering.

The jurisdictional landscape post-Karasik

McLean v Cathay Pacific Airways Ltd[2]

In 2021, the Supreme Court of British Columbia approved a $1.55-million settlement for 230,000 class members who could show direct, provable harm from the data breach involving Cathay Pacific Airways. The breach impacted 9.4 million passengers, whose personal information, including full names, passport numbers, and credit card numbers, was compromised. Justice Kent ultimately approved the settlement amount given that, among other reasons, recent Canadian court decisions have dismissed data breach class actions, and as such, there was a risk that class members could go through years of litigation only to have their case dismissed.

Bannister v Canadian Imperial Bank of Commerce[3] and Mallette v Bank of Montreal[4]

In a joint decision, the Ontario Superior Court approved settlement for class actions arising from data breaches at BMO and CIBC. In 2018, hackers accessed sensitive customer information from both banks, including names, addresses, phone numbers, account numbers, SINs and birth dates. Of the 113,151 BMO clients impacted, hackers posted the personal information of 100 customers online.

The Court approved a $23-million settlement for affected class members. Compensation varied depending on the extent of the breach, ranging from $90 to $1,000 per person. Class members were grouped according to the nature of their exposed information, the sensitivity of the data involved, and whether unauthorized transactions occurred on their accounts. In evaluating the reasonableness of the settlement, Justice Smith recognized the challenges faced by the class, citing Broutaz v Rouge Valley Health System, where Justice Perell held that class members did not have an expectation of privacy in contact information alone. Justice Smith also referred to Condon v Canada, a Federal Court decision that underscored the unpredictability of damages in privacy breach cases.

Carter v LifeLabs Inc[5]

In 2023, Justice Perell approved a $9.8-million settlement for class members affected by the breach of LifeLabs’ IT systems, which compromised the personal health information of 8.6 million customers, including provincial health card numbers. The court did not find any evidence that class members’ personal information had been misused, and consequently deemed the settlement to be fair and reasonable under the circumstances. Initially, class members were expected to receive a minimum payout of $50 each, with a potential ceiling of $150 each, depending on the number of claims. However, due to the high volume of valid claims, the actual compensation was reduced to only $7.86 per claimant, or $5.86 after deducting a $2 processing fee.

The evidence problem

To put these more recent awards—ranging from $5.86 to $1,000 per person—in perspective, an individual claim in small claims court for the tort of intrusion upon seclusion (which does not require proof of loss) has been valued by courts, depending on the sensitivity of the data and other factors, at up to $20,000. However, several certification decisions since 2021 have narrowed the reach of the tort to those who directly carry out the act of intrusion. In most cases, this restricts liability to the actual hackers, nosy employees and the like, and not the companies responsible for collecting or storing personal data. This appears to have effectively closed the door to plaintiffs asserting the tort in the class action setting, at least for now.

The pre- and post-Karasik decisions align in significantly discounting potential claims to account for the evidentiary obstacles faced by class action plaintiffs in establishing actual harm, demonstrably caused by the particular breach for which they are suing. Certification decisions affirm that the risk of future harm isn’t enough to ground a viable claim, and that the annoyance, worry and extra administrative burden breaches impose on class members doesn’t rise to the level of compensable damage. Absent a legislative change or new tort allowing class members to successfully sue companies without proof of loss, this trend appears unlikely to reverse.

Beyond class actions

At the same time as class actions appear to be providing only nominal compensation to individuals affected by data breaches, the spectre of civil liability creates perverse economic incentives. Recall that it costs millions to defend class actions, and that settlements often include paying for credit monitoring and the creation of multi-million dollar settlement funds even where little actual cash trickles down to class members. The resulting incentives are to delay or avoid disclosing breaches where possible, to avoid reporting to police (which is voluntary), and to refrain from sharing data from forensic investigations of breaches that might assist the larger cyber and law enforcement communities in preventing and combatting cyber crime.

Recognizing this, a recent opinion piece by the Canadian Cybersecurity Network, David Shipley (CEO, Beauceron Security) and Robert Gordon (Strategic Advisor, Canadian Cyber Threat Exchange) puts forth an intriguing proposal: a national civil liability shield for organizations that voluntarily cooperate with law enforcement and federal cyber agencies in responding to cyber crimes. This would incentivize businesses to collaborate in order to reduce their civil liability costs without lowering regulatory costs for negligence in the absence of due diligence.[6] (The proposal would exclude federal and provincial government agencies, which should be mandated to cooperate through appropriate legislation.)

The authors also recommend extending this liability shield to encourage voluntary information sharing between organizations, allowing them to quickly exchange vital threat data and best practices. They point to the U.S. Cyber Incident Reporting for Critical Infrastructure Act of 2022 as a precedent, which offers liability protections to organizations reporting cyber incidents and has led to increased disclosures of previously hidden breaches.

They suggest that, in Canada, such a liability shield would complement proposed mandatory cyber reporting laws, fostering greater transparency and collaboration. This would lead to faster improvements in overall security and strengthen government efforts to combat cyber threats from hostile states and organized crime.

Conclusion

Given the modest return for class members in data breach class actions, balanced against the value of securing greater cooperation and collaboration between organizations experiencing cyber attacks, it seems worth considering a regime that provides more carrot and less stick. Given the likelihood of a federal election in the next few months, this would be a worthy priority for a new government, regardless of which party takes office.
[1] 2021 ONSC 1063.

[6] David Shipley and Robert Gordon, “Opinion: It’s Time to Give Firms an Off-Ramp from Cyber Civil Lawsuit Dysfunction” (3 October 2024), online (blog): <financialpost.com> https://financialpost.com/technology/tech-news/its-time-to-give-firms-an-off-ramp-from-cyber-civil-lawsuit-dysfunction