First third-party database hacking class action launched against federal government

By Elizabeth Raymer

Law360 Canada (August 30, 2022, 5:37 PM EDT) -- A plaintiff has succeeded in getting a class action lawsuit against the federal government certified in what is believed to be the first third-party hacking database case against it.

In Sweet v. Canada, the Federal Court found in favour of the plaintiff, “one of a potential class of what appears to be thousands of people whose online” government accounts, including for the Canada Revenue Agency and My Service Canada accounts, “were vulnerable to hackers from approximately June to August of 2020, due to what the Plaintiff alleges were operational failures by the Defendant to properly secure the portals providing access to these accounts,” the Federal Court noted in its reasons.

Although privacy breach lawsuits have been brought against the Canadian government before, “this [is] the first third-party hacking database case against the federal government, and in our view it correctly follows cases that have been advanced against private database defendants, which have been certified,” Anthony Leoni, a litigation partner at Rice Harbut Elliott LLP and counsel for the plaintiff, told The Lawyer’s Daily.

“What Justice [Richard F.] Southcott here did, rightly, is that he directed himself to whether the causes of action advanced were not plain and obvious to fail,” Leoni said, “which is the correct test of certification, and it was correctly applied in this decision and … followed appropriate precedence, in our view, from the British Columbia and the Federal Court.”

The decision may have implications for other data breach cases currently before the courts, he added, such as Setoguchi v. Uber B.V., 2021 ABQB 18, which was refused certification and has not yet been heard by Alberta’s appellate court.

In the case at bar, the Federal Court determined that the plaintiff had satisfied the requirements of Rule 334.16 of the Federal Courts Rules and was an appropriate plaintiff.

The plaintiff’s motion sought an order certifying the action as a class action and granting an order under Rule 334.17 in connection with such certification. It advanced causes of action against the defendant Crown of systemic negligence, breach of confidence, intrusion upon seclusion and damages.

The plaintiff, Todd Sweet, pleaded that “he and the other class members have suffered damages including: costs incurred in preventing identity theft; identity theft; increased risk of future identity theft; damage to credit reputation; mental distress and comparable effects; monies withdrawn from their bank accounts without their consent; loans applied for in their names without their consent; credit card fraud; inability to access benefits and payments they were entitled to and other losses resulting therefrom; out-of-pocket expenses; time lost in communication with the CRA, ESDC and other Crown agencies to address the data breaches; and time lost in precautionary communications with third parties such as credit agencies to inform them of the potential that personal and financial information may have been compromised.”

The defendant Crown argued that the request for certification should be denied, as none of the requirements for certification had been met. The Crown also filed motions asking that the court strike an affidavit of one of the plaintiff’s factual witnesses “and strike certain paragraphs of the report of one of the Plaintiff’s experts … or alternatively ascribe little weight to such evidence. These motions were argued at the commencement of the hearing of the certification motion and are addressed in these Reasons.”

The plaintiff was successful on three of the common questions and unsuccessful on the last: punitive damages.

Systemic negligence

The Federal Court was asked to certify several proposed common questions, namely i) whether the defendant owed the class a duty of care; ii) if so, what the applicable standard of care was; iii) whether the defendant breached that standard of care; and iv) whether the defendant’s breach of duty caused damage to the class.

The plaintiff’s third and fourth Amended Statement of Claim (SOC) alleged that the defendant “owed a common law and non-delegable duty to the Plaintiff and other Class Members to use reasonable care in the collection, storage, and retention of their personal and financial information and a duty to ensure that this personal and financial information was safe, kept private, and protected and that it would not be subject to unauthorized disclosure to a third party.”

The defendant Crown submitted that the plaintiff “failed to plead any facts to support a relationship of proximity necessary to establish a prima facie duty of care; that the negligence claim cannot succeed because it challenges a core policy decision that is immune from liability; and that the claim should fail because it seeks to impose a duty of care in circumstances that would result in indeterminate liability to an indeterminate class,” according to the decision.

The court found the reasoning of the Supreme Court of British Columbia in Tucci v. Peoples Trust Company, 2017 BCSC 1525, to be “persuasive.”

That case “addressed a certification motion in an action alleging that the defendant trust company did not adequately secure personal information collected on its online application portal and stored in online databases,” and concluded “that the allegations of negligence were arguably sufficient at law to create a relationship giving rise to a duty of care, such that it was not plain and obvious at the certification stage of the proceeding that a negligence claim cannot succeed.”

Breach of confidence

The Federal Court was asked to determine whether the defendant was liable for the tort of breach of confidence vis-à-vis class members. To succeed in such a claim, “a plaintiff must prove: (a) that the plaintiff conveyed confidential information to the defendant; (b) that the information was conveyed in confidence; and (c) that the defendant then misused the information to the plaintiff’s detriment.”

Although “Tucci BCCA (Tucci v. Peoples Trust Company, 2020 BCCA 246) represents another authority supporting the Defendant’s position that the tort of breach of confidence does not apply to the circumstances of the case at hand,” Justice Southcott wrote, “there must be a decided [case] directly on point, from the same jurisdiction, demonstrating that the very issue has been squarely dealt with and rejected.”

Intrusion upon seclusion

The court was charged with determining if the defendant was liable for the tort of intrusion upon seclusion vis-à-vis class members. The elements of this tort are (a) that “the defendant’s conduct must be intentional or reckless; (b) that the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and (c) the invasion must be such that a reasonable person would regard it as highly offensive, causing distress, humiliation or anguish.”

The court found “jurisprudential support” for the defendant’s position, as found in recent decisions from the Ontario Superior Court of Justice, such as Owsianik v. Equifax Canada Co., 2021 ONSC 4112, in which “the Divisional Court held that the tort of intrusion upon seclusion has nothing to do with a database defendant,” as in the case at bar. It noted that the decision in Owsianik had been followed in other Ontario decisions such as Del Giudice v. Thompson, 2021 ONSC 5379.

But other authorities, including from Ontario, diverged from that position, the plaintiff argued, and ultimately Justice Southcott found that he was “unable to conclude that the Plaintiff’s cause of action in intrusion by seclusion is bound to fail.”

Damages

Regarding punitive damages, the court had to decide if it could “make an aggregate assessment of all or part of the damages suffered by Class Members and, if so, in what amount?” and whether “the conduct of the Defendant merit[s] an award of punitive damages and, if so, in what amount?”

The defendant opposed “certification of this question on the basis that the Plaintiff does not allege malice on the part of the Defendant or plead any facts to support a basis for awarding punitive damages,” the judge noted, adding that “[t]he Plaintiff has provided little in the way of submissions in support of this proposed question,” and deciding that it would “therefore … be inappropriate to certify this question.”

Plaintiff’s counsel Leoni said he was “especially pleased with the [decision’s] analysis of law in B.C., Ontario, and the Federal Court,” noting that the judge “seemed to accept what we think is self-evident, which is that a database manager has at least a prima facie duty to ensure those databases are secure.”

In an e-mail to The Lawyer’s Daily, a Canada Revenue Agency spokesman said that the agency “regularly adjust[s] and improve[s] our security measures in response to this ever-evolving threat environment and continuing intrusion attempts.”

As well, “additional security measures have been implemented to protect [Canadians’] personal information, including multifactor authentication, and proactively revoking user IDs and passwords suspected to be compromised to prevent unauthorized activity to taxpayer accounts,” Christopher Doody wrote. “We continue to investigate all relevant options in this regard.”

The plaintiff was represented by Anthony Leoni and Matthew Burtini of Rice Harbut Elliott LLP in Vancouver.

Sharon Johnston, Stephen Kurelek and Jamie Hansen of the Department of Justice Canada in Vancouver represented the Crown.
