As one of the largest industries in the country, it is not surprising that the automotive industry is the frequent target for cyber and privacy breaches. Automotive manufacturers and dealerships collect and handle an exorbitant amount of data about its customers. For instance, when purchasing or leasing a vehicle, a dealership will likely collect, among other things, names, addresses, income information, credit scores, and banking information. Some of this data is considered sensitive personal information. Regardless of the classification of the data, it is clear that businesses face a serious risk of a class action following a breach. The opening paragraph of the Court’s recent decision in Grossman v Nissan illustrates this point.
Data breaches involving the theft of personal information coupled with a ransom demand are becoming commonplace. In some cases, the loss of privacy and actual harm sustained is significant; in other cases, it is slight. But in almost every case a class action is sure to follow.
In this case, the Court was faced with a motion for the class action certification arising from a data breach at Nissan Canada. The breach occurred in December 2017, when an unknown employee accessed the company’s database which contained the personal information of thousands of customers who leased or purchased their vehicle. The employee emailed a “sample” of stolen data to company executives and demanded a ransom payment.
The Court noted that the stolen data involved four categories of personal information. The first three – names and addresses, vehicle models and VINs, and lease or loan terms – could not be described as private information. The fourth category – the customer’s credit score – was considered private information.
The Court found that the five procedural requirements for class action certification were met and the action was certified. First, the Court concluded that there was a satisfactory cause of action. Assuming the facts as pleaded were true, each of the three main claims – vicarious liability (for intrusion), negligence, and breach of contract – were sufficiently pleaded and disclosed a cause of action.
Second, the Court found that there was sufficient evidence of an identifiable class of two or more persons. The class was defined as:
All persons resident in Canada, including their estates, executors or personal representatives but excluding persons resident in Quebec, who (1) provided personal information to one or more of the defendants (or any of their affiliates or subsidiaries) when financing a lease or purchase of a Nissan vehicle over the five years ending on December 11, 2017 and (2) received a notice letter from Nissan about the December 2017 data breach.
Third, the Court found that there were four issues to be certified as common issues – vicarious liability for intrusion upon seclusion, duty and standard of care, aggregate damages, and the entitlement to punitive damages.
Fourth, the Court held that a class action was a preferable procedure as it would allow both the vicarious liability and the aggregate damages issues to be decided “once and for all on a class-wide basis.” It was also preferable from an access to justice and judicial economy perspective.
Finally, the Court concluded that the proposed representative Plaintiffs were suitable.
Privacy and cyber breaches are here to stay. Companies need to be cognizant of the risks that result from breaches. These include negative press, lost revenue, damages payable to customers and significant legal fees. In light of this, organizations must take proactive measures to limit their liability before a breach occurs. Most notably, businesses should restrict access to sensitive data; create policies and procedures restricting usage; and, enact a data retention policy. Finally, insurance plays a key role in minimizing an organization’s risk exposure.
See Grossman v. Nissan Canada, 2019 ONSC 6180 (CanLII
