The Federal Court of Appeal’s decision in Condon v. The Queen, 2015 FCA 159 (“Condon”), released July 6, 2015, has significant implications for organizations that have experienced large-scale data breaches. The Federal Court of Appeal upheld the decision by the Federal Court to certify a class action lawsuit based on the recently developed tort of intrusion upon seclusion (i.e. breach of privacy) and breach of contract and warranty. However, the Federal Court of Appeal also expanded the certification to include claims of negligence and breach of confidence. The lower court had found the failure to allege specific damages arising from the data breach to be fatal to the negligence and breach of confidence claims, but the Federal Court of Appeal reversed the lower court on this point.
The case arises out of the loss by the federal government of the personal information of approximately 583,000 students. These are students who received student loans through the Canada Student Loans Program and who had provided personal information as part of the approval process for receiving loans. The personal information was being held temporarily on a hard drive in a federal government employee’s office when it went missing.
At the certification hearing, the lower court judge certified the claim on the basis of the tort of intrusion upon seclusion. This tort requires either intention or recklessness on the part of the defendant and does not necessarily require plaintiffs to prove that they suffered damages as a result of the breach. In Jones v. Tsige, the 2012 Ontario Court of Appeal decision that firmly established the tort in Ontario law, Ontario’s Court of Appeal found that nominal damages of up to $20,000 may be awarded to a plaintiff even where no specific damages are shown. In Condon, while certifying the breach of privacy, contract and warranty allegations, the lower court judge rejected the breach of confidence and negligence claims on the basis that the plaintiffs had not alleged that they had suffered any specific damages. The Federal Court of Appeal disagreed on this point and held that an allegation that the plaintiffs suffered out-of-pocket expenses (which were alleged) will suffice for the purpose of a certification hearing, allowing the negligence and breach of confidence claims to proceed.
- Data breaches can expose organizations to potentially large damage awards (even an award of $10,000 to each of the 583,000 members of the class would result in a damages award of over $5 billion).
- For actions involving data breaches, specific tangible damages are not necessarily required to ground class action claims based on negligence and breach of confidence ‒ general, intangible damages may suffice.
- An allegation of recklessness will likely be enough to certify a data breach class action. Establishing adequate protective measures and protocols, with the goals of reducing data breaches and demonstrating due diligence, is therefore an important and necessary step for all major organizations.
We will be paying close attention to the Condon case and any further impacts it may have in the data privacy and class action space.
The author would like to thank Kesley MacKay, student-at-law, for her assistance with this post.