The recent Ontario decision in Karasik v. Yahoo! Inc.,[1] suggests that while many plaintiffs' lawyers anticipated a future of massive payouts for data breach class actions in Canada, recent court decisions predict a different course. The beginning of what may be an emerging consensus across provinces and levels of court about the value and even the viability of these actions suggests that, absent tangible, quantifiable harm, the game may not be worth the candle for plaintiffs' counsel.

Karasik v Yahoo!—Justice Perell Takes Stock

The Karasik Settlement

Karasik involves a national class action alleging that user account information was stolen in multiple cyberattacks against Yahoo's worldwide user database. Parallel class actions were commenced in British Columbia, Alberta, and Saskatchewan. In this decision, Justice Perell was asked to approve a settlement of the Ontario action, which had been certified for the purposes of settlement. The settlement was supported by counsel in the parallel British Columbia and Alberta actions, but opposed by the representative plaintiff in the parallel Saskatchewan action and her counsel.

Because of the objection of the Saskatchewan representative plaintiff, Justice Perell undertook a "deep dive" into case law about privacy breach class actions. This was necessary to determine whether the proposed settlement was a good settlement, considering the risks and rewards associated with privacy class actions generally.

Justice Perell ultimately approved the settlement of approximately CAD$20.3 million with a net settlement fund of approximately CAD$16.1 million available to the estimated 5 million Canadian class members.

General Damages in Data Breach Actions

Justice Perell's review of settlement agreements in prior privacy breach class actions revealed that the general (moral or symbolic) damages awards tended to be "miniscule".

Of the 36 actions reviewed by Justice Perell, 27 had been certified and 11 had approved settlements. Justice Perell compared the settlements in these prior decisions with the settlement in the present case. The per capita value for an individual class member was modest in nearly every case:

  • In five decisions, the value per class member was less than $5.00 (including amounts of $1.00, $2.20, $0.64, "cents on the dollar" and $4.00)
  • In two decisions, the value per class member was $13.78 and $31.00 plus uncapped individual claims
  • In two decisions, the value per class member was between $100.00-$500.00. Notably, these cases also involved relatively small class sizes (333 class members and 8,525 class members, respectively).
  • The individual per capita value could not be calculated for three of the settlements, two of which involved an uncapped claims process and the other provided for claims capped at $2,500.

In multiple cases, class members would only be entitled to damages for expenses incurred as a direct result of the cyberattack or for time spent remedying issues relating to the cyberattack, i.e. for actual costs incurred. In some cases, credit monitoring was also provided to class members.

Justice Perell determined that the sample settlements reflected very modest per capita recoveries and found that there was an aura of "nuisance value settlements" or settlements designed to maintain good commercial relationships.

Hurdles for Plaintiffs in Data Breach Cases

Justice Perell identified three significant hurdles that plaintiffs face in proving damages in privacy breach actions: (1) demonstrating actual harm as opposed to risk of harm, (2) establishing specific causation, and (3) establishing a mental element of intent.

  1. Actual harm vs. risk of harm

A main reason for the strength of the defendants' cases in the reviewed settlement decisions was that the risk of harm to the plaintiffs from the lost, stolen, or misused personal information had not been actualized. Justice Perell noted that the extent of potential and actual harm from cyber attacks is "unknown, unknowable, or capable of being proven only with considerable difficulty."

  1. Harm must be a consequence of the breach

Justice Perell emphasized that another significant difficulty that plaintiffs face in succeeding in a privacy breach class action is the "ultra-enormous difficulty" in establishing specific causation. Even if a class member suffers actual harm, they may have difficulty in proving that the harm was a consequence of the breach and did not have some other explanation.

  1. Mental element

The objection of the Saskatchewan representative plaintiff to the settlement was largely based on the fact that statutory privacy torts were pleaded in the Saskatchewan action but not in the Ontario action. Under these statutes, whether the plaintiff had a reasonable expectation to privacy and whether there had been an invasion of privacy is a fact specific inquiry. Justice Perell observed that plaintiffs must also demonstrate that a defendant's conduct was a purposeful violation of their privacy, which is a "significant and difficult to prove mental element" of the statutory privacy torts.

Modest settlements here to stay?

It appears that these low settlement amounts are here to stay. Although Justice Perell commented that the law surrounding privacy breach class actions was "nascent" because none had yet proceeded to trial, a running theme throughout the Karasik decision is the strength of the defendants' bargaining position in privacy breach class actions. Justice Perell commented that the sample of reviewed decisions revealed that "class counsel's aspirations for enormous per capita awards of general damages (moral or symbolic damages) for intrusion upon seclusion or breach of privacy statutes have been rebuffed by settling damages."

Setoguchi v Uber—The Gates Close in Alberta

While the evidentiary difficulties inherent in data breach class actions have depressed the value of settlements, they are increasingly becoming an existential threat to class actions at the certification stage as well.

A recent Alberta certification decision has sharpened the sword dangling over precarious data breach class actions. In denying certification of a case against a ride share service, the motions judge drew inspiration from the "spirit of Hryniak v. Maudlin," the Supreme Court of Canada case in which courts were instructed to be bullish about granting summary judgment, rather than passing decidable cases through to trial.[2] There was no evidence of actual loss suffered by class members in the record before the motions judge. This proved fatal to certification:

Ultimately there must be some evidence, and at any common issues trial, real proof of actual harm, whether of first instance loss or post-breach enhanced loss. Absent that proof at the common issues trial, this case cannot succeed. However, on this record, I find that there is no evidence of even the first loss, never mind post-breach or enhanced loss. …In the face of no such evidence, and in the spirit of Hryniak v. Maudlin, 2014 SCC 7, I believe that it is time for the Court to take its gate keeping function seriously, and end this litigation as a class proceeding now, leaving Setoguchi or any other member of the class to pursue a personal action if they so wish. …There is only speculation about a future possibility of loss or harm. Were this case to be certified at this stage, it would go to trial in the mere hope that evidence of loss or harm might at some point arise.[3]

If this decision stands, a broadly adopted refusal to pass a matter along to trial based on the plaintiffs' "mere hope" that proof of loss would materialize would likely prevent many such actions from reaching trial, thereby avoiding considerable time and expense associated with claim where the plaintiffs have not suffered any damages.

Tsao v. Captiva MVP Restaurant Partners, LLC—The Eleventh Circuit Tips the Scales

Canada is not alone in seemingly shifting away from certification-as-foregone-conclusion in the data breach sphere. In February 2021, the Eleventh Circuit became the latest U.S. federal court (following the Second, Third, Fourth, and Eighth Circuits) to find that a plaintiff cannot sue based on the risk of future identity theft, without alleging that some putative class members' data has already been misused. The court in Tsao v. Captiva MVP Restaurant Partners, LLC noted that:

without specific evidence of some misuse of class members' data, a named plaintiff's burden to plausibly plead factual allegations sufficient to show that the threatened harm of future identity theft was "certainly impending"—or that there was a "substantial risk" of such harm [the test to be satisfied for certification under U.S. law]—will be difficult to meet. … As the case law discussed above confirms, most plaintiffs that have failed to offer at least some evidence of actual misuse of class members' data have fared poorly in disputes over standing.

Notably, the court also reaffirmed that efforts taken by a plaintiff to prevent future identity theft resulting from the breach—efforts that are frequently advanced in Canadian courts to ground claims for damages—are not sufficient to confer standing to bring a class action, based on a principle in U.S. law that "a plaintiff cannot conjure standing by inflicting some direct harm on itself to mitigate a perceived risk."

In other words, time spent shredding receipts, inconvenience from cancelling credit cards (as the plaintiff did in this case), or, arguably, reviewing credit card and bank statements and monitoring one's own credit doesn't amount to damages when a plaintiff does it voluntarily to protect against identity theft that might be occasioned by a data breach. If Canadian courts were to follow suit on this point, the damages claimed in cases where there was no proof of loss at the hands of fraudsters would disappear, as would the loss component required to make out a claim for negligence at "cause of action" stage of the certification test.

Conclusion

It is increasingly apparent that plaintiffs without proof of real losses, or evidence linking losses to data breaches, will not be seeing the paydays they have hoped for in Canadian courts. In fact, they may increasingly find that their actions don't survive the courts' increasingly critical eyes at the certification stage.


[1] 2021 ONSC 1063.

[2] Hryniak v. Mauldin, 2014 SCC 7, [2014] 1 SCR 87.

[3] Setoguchi v Uber B.V., 2021 ABQB 18 at paras 22-23 [emphasis added].