November 24, 2016 by Greg Meckbach, Associate Editor
How companies respond to data breaches in which criminals obtain sensitive customer data is “hugely important” in reducing the risk of a class-action lawsuit, a lawyer suggested Wednesday to insurance professionals.
At the November luncheon of the Property Casualty Underwriters Club, guest speaker Patrick Hawkins discussed several recent court cases, including a class action lawsuit – now settled in Ontario – against Home Depot Inc.
Court records indicate that in 2014, Home Depot’s payment card system was hacked by criminals.
Class action lawsuits were filed in Saskatchewan and Ontario. A settlement in the Ontario lawsuit was approved this past August by Mr. Justice Paul Perrell of the Ontario Superior Court of Justice.
“Home Depot acted hugely proactively on this,” said Hawkins, a lawyer for Borden Ladner Gervais LLP, during the PCUC luncheon in Toronto. “They apologized. They immediately offer a full credit monitoring service.”
As part of the settlement, Home Depot agreed to create a fund of $250,000 to compensate plaintiffs for the risk of a fraudulent charge on credit cards, the risk of identify theft and the inconvenience for checking their credit card statements.
Justice Perrell noted that Home Depot apologized in press releases and assured its customers that they would not be responsible for fraudulent charges on their accounts
As of August, there was “no evidence that a Class Member absorbed a fraudulent charge,” Justice Perrell wrote at the time.
“The case for Home Depot being culpable was speculative at the outset and ultimately the case was proven to be very weak,” Justice Perrell wrote. “The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behaviour modification. Home Depot’s voluntarily-offered package of benefits to its customers is superior to the package of benefits achieved in the class actions.”
Justice Perrell “commented positively,” Hawkins said Wednesday, adding that if a corporation hit by a privacy breach were to offer services such as credit monitoring and identity theft insurance in, “where there is a risk,” they are “significantly limiting the chances of a successful class action.”
Noteworthy was the refusal of Justice Perrell to approve costs to plaintiff counsel of more than $400,000, Hawkins suggested at the luncheon, held at the DoubleTree Hotel north of Toronto City Hall.
In Home Depot, Justice Perrell valued the settlement to be $400,000.
“The judge said, ‘and the plaintiffs’ class counsel want $400,000 as well?'” Hawkins noted. “The court said that’s a bit much in these circumstances and they reduced it to $120,000.”
That case “was settled on incredibly favourable terms I am going to say, to Home Depot,” Hawkins told PCUC members.
Another class action settlement the Hawkins referred to was Evans v. The Bank of Nova Scotia.
Michael and Crystal Evans filed a lawsuit in Ontario against Richard Wilson and his employer, the Bank of Nova Scotia. They applied to have it certified as a class action suit. Court records indicate that Wilson, a mortgage administration officer, provided “private and confidential information of Bank customers to his girlfriend, who then disseminated the private information to third parties for fraudulent and improper purposes.” A “substantial number of the Bank’s customers became victims of identity theft and fraud, which has negatively affected their credit rating,” Mr. Justice Robert Smith of the Ontario Superior Court of Justice wrote in 2014.
Bank of Nova Scotia identified 643 customers whose files were accessed by Wilson from July, 2011 through May, 2012.
In court, the bank argued it “cannot be held vicariously liable for the tort of intrusion upon seclusion for a deliberate breach of customers’ privacy rights by one of its employees.”
The Evans case was settled, Hawkins said Nov. 23, adding 165 class members, who were victims of identity theft, received $7,000 each.
“Everyone else, who just got notified and nothing happened to them – they got no money,” Hawkins said.
The tort of “intrusion upon seclusion” was recognized by the Court of Appeal for Ontario in 2012 in its ruling in Jones v. Tsige. Winnie Tsige, an employee of Bank of Montreal, was sued by Sandra Jones, a co-worker and also a bank customer. Tsige viewed Jones’ bank records. Initially the Ontario Superior Court of Justice dismissed the lawsuit but that was overturned on appeal.
The Supreme Court of Canada “has consistently interpreted” section 8 of the Canadian Charter of Rights and Freedoms “as protecting the underlying right to privacy,” Mr. Justice Robert Sharpe wrote on behalf of the Court of Appeal for Ontario in Jones v. Tsige.
“It is within the capacity of the common law to evolve to respond to the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form,” Justice Sharpe added. “Technological change poses a novel threat to a right of privacy that has been protected for hundreds of years by the common law under various guises and that, since 1982 and the Charter, has been recognized as a right that is integral to our social and political order.”
Concurring were then-Chief Justice Warren Winkler and then-Associate Chief Justice Douglas Cunningham.
In awarding damages, a court must take into account the circumstances, including “any distress, annoyance or embarrassment suffered by that person or his family arising from the violation of privacy” and “the conduct of that person and the defendant, both before and after the commission of the violation of privacy, including any apology or offer of amends made by the defendant,” Justice Sharpe wrote.
“There is a whole list of factors that the Court of Appeal talks about in assessing the level of damages and amontst those factors- and this was in an individual action – they said it is important to know how someone responds to the beach,” Hawkins noted during the PCUC luncheon. “Has there been an apology? Has it stopped?”
More coverage of the Property Casualty Underwriters Club November luncheon