In Kaplan v. Casino Rama, released May 7, 2019, Justice Belobaba dismissed the plaintiffs’ motion to certify a class action arising from the 2016 cyber-attack on Casino Rama.
In November 2016 Casino Rama’s computer system was hacked and a variety of personal information relating to the casino’s employees, customers and suppliers was stolen. The hacker made a ransom demand, which was not paid, following which the hacker posted the personal information of close to 11,000 people online.
The representative plaintiffs included employees of the Casino, members of the Casino’s loyalty program, and people who had joined OLG’s self-exclusion program.
In considering whether to certify the class action, Justice Belobaba made specific reference to the steps taken by the Casino, including notifying the authorities, notifying thousands of people potentially affected by the breach, taking steps to shut down the websites containing the stolen information and providing free credit monitoring for a year to many of the people affected. He also noted that there was no evidence that anyone had experienced fraud or identity theft or that anyone had suffered financial or psychological loss because of the attack.
In reviewing the five requirements for certification, as set out in s. 5(1) of the Class Proceedings Act, Justice Belobaba concluded the class action “collapse[d] in its entirety at commonality” [5(1)(c)]. Despite this finding, Justice Belobaba also made substantive comments with respect to 5(1)(a) and (b), which are summarized below.
5(1)(a) Cause of Action
The plaintiffs asserted five causes of action: negligence, breach of contract, intrusion upon seclusion, breach of confidence and publicity given to private life.
Of note, the hacker remained unidentified and was not a party to the action. Traditionally, some of the causes of action pleaded are aimed at recovery from the party who breached the plaintiff’s privacy (i.e. the hacker). Justice Belobaba commented that this left class counsel “trying to force square (breach of privacy) pegs into round (tort and contract) holes”.
The Court found the claims for breach of confidence and publicity given to private life were doomed to fail and should be struck. It also questioned whether intrusion upon seclusion could be sustained against the defendants on the basis of their alleged recklessness. However, considering the infancy of the tort of intrusion upon seclusion, Justice Belobaba was not prepared to find that the claim was bound to fail. He found the same with respect to the claims in negligence and breach of contract.
5(1)(b) Class Definition
The Court found the proposed class was overly broad and imprecise. Justice Belobaba made a point of agreeing with the defendants that the class definition could not include the Casino’s unionized employees. The Court lacked jurisdiction over their complaints for the privacy breach, whether in negligence or contract, as they fell within the ambit of the collective agreement. Such matters fall within the exclusive jurisdiction of the Ontario Labour Relations Board.
5(1)(c) Common Issues
Justice Belobaba deliberated on the appropriate test under s. 5(1)(c), which for years required satisfying two inquiries: (1) whether there was some evidentiary basis that the proposed common issue actually existed; and (2) whether there was some evidence that the proposed issue could be answered in common across the entire class. However, in the 2013 decision of the Supreme Court of Canada, Pro-Sys Consultants Ltd v. Microsoft Corp, the first part of the test was eliminated, no longer requiring evidence that the alleged acts occurred. Justice Belobaba found himself to be bound by the SCC’s direction; however, he performed the two-step analysis, noting that an appeal was likely forthcoming.
Getting to the heart of the common issues analysis, Justice Belobaba made the following comments at paragraph 56 of the decision:
The problem here, with almost all of the PCIs [proposed common issues] is that there is no basis in fact for either the existence of the PCI or its overall commonality or both. Further, many of the PCIs require so much in the way of individual inquiry that any commonality is overwhelmed by the need for individualized assessments.
Justice Belobaba found that the proposed causes of action that could possibly proceed – negligence, breach of contract, and intrusion upon seclusion – could not serve as the basis for common issues. His conclusion hinged on a not-so-subtle finding that privacy breach cases are inherently individual in nature. In this case, the stolen information varied amongst the victims, ranging from mundane information (e.g. addresses) to more sensitive data (e.g. bank records). Justice Belobaba found that whether each of the alleged causes of action could be made out required a look at the individual circumstances of each plaintiff. For instance, the standard of care in data breach cases is a sliding scale based on the sensitivity of the stolen information. Intrusion upon seclusion also requires consideration as to whether the breach is “offensive” to the specific plaintiff. Finally, there was no evidence of any class-wide contractual terms or conditions to support a common issue in that regard.
The Court acknowledged that it should not refuse certification merely because the damages would require individual assessments. However, Justice Belobaba found that there were no common liability issues, which made the issue of damages moot.
Finding that there was a lack of commonality, the Court dismissed the motion for certification.
See Kaplan v. Casino Rama, 2019 ONSC 2025 (CanLII)