Some causes of action viable, but application fails on commonality of claims across the proposed class

The Ontario Superior Court of Justice has refused to certify a proposed class action against a casino that was a victim of a cyberattack that saw personal information of about 11,000 customers posted online. In Kaplan v. Casino Rama, the application mainly failed on the question of “commonality” among the proposed class members, but the judge commented upon other important elements of the case put before him.

The facts are summarized by the judge:

[1] Two and a half years ago, in November 2016, Casino Rama was targeted in a cyber-attack. An anonymous hacker accessed the Casino’s computer system and stole personal information relating to customers, employees and suppliers. When ransom demands proved futile, the hacker posted the stolen data on the internet. Just under 11,000 people had some personal information posted online.

[2] The Casino contacted all appropriate authorities, took steps to close down the two websites that contained the stolen information, notified the thousands of customers, employees and suppliers potentially affected by the security breach and offered free credit monitoring services for one-year to many of them.

[3] Fortunately, some two and half years later, there is no evidence that anyone has experienced fraud or identity theft as a result of the cyber-attack. There is no evidence that anyone has sustained any compensable financial or psychological loss.

The plaintiffs sought certification in negligence, breach of contract, intrusion upon seclusion, breach of confidence and publicity given to private life. The judge concluded that the claims related to breach of confidence and publicity given to private life are “doomed to fail and should be struck.” It must be noted that this test is solely based on what is in the pleadings, rather than anything that is proven in law. 

Interestingly, the judge did find that certain representations in the casino’s privacy policy could create contractual representations, the breach of which could create a contractual claim:

[25] Breach of contract. Nor am I prepared to find that the breach of contract claim as pleaded is doomed to fail. I agree with the defendants that a company’s recitation of a privacy policy whose scope and content is determined solely by federal or provincial privacy law does not generate an enforceable consumer agreement. As recognized in John Doe and Broutzas, courts generally do not enforce agreements that simply repeat without more pre-existing statutory duties.

[26] Here, however, there is more. The plaintiffs allege breach by the defendants of their own privacy policy (not just the one that was statutorily-mandated) and breach of “industry standards” whatever that may mean.

[27] I am therefore inclined to find that the breach of contract claim discloses a viable cause of action under s. 5(1)(a) of the CPA. [footnotes omitted]

For the breach of confidence claim, the Court concluded that a failure to secure the plaintiffs’ confidential and personal information was not a “misuse” of that information, so this claim was doomed to fail. 

While some of the claims may have been viable individually, the Court concluded that there was no commonality that could permit the certification:

[55] Section 5(1)(c) of the CPA requires that the claims or defences of the class members raise common issues. There is no dispute about the applicable law. For an issue to be common, it must be capable of being answered once for all class members. As noted in the leading class actions text:

[I]f an issue can be resolved only by asking it of each class member, it is not a common issue …An issue is not “common” simply because the same question arises in connection with the claim of each class member, if that issue can only be resolved by inquiry into the circumstances of each individual’s claim … The fact of a common cause of action asserted by all class members does not in itself give rise to a common issue since the actual determination of liability for each class member may require individualized assessments.[37]

[56] The problem here, with almost all of the PCIs [proposed common issues], is that there is no basis in fact for either the existence of the PCI or its overall commonality or both. Further, many of the PCI’s, particularly those that ask about duty of care or breach of a standard of care, require so much in the way of individual inquiry that any commonality is overwhelmed by the need for individualized assessments.

With the explosion of privacy class action lawsuits following the Ontario Court of Appeal decision in Jones v Tsige, we are beginning to have a body of caselaw refining how courts will at least address certification questions, particularly where there has been no tangible harm to the individual proposed class members.