IIROC Security Breach : Class Action Not Authorized

The Investment Industry Regulatory Organization of Canada (IIROC or in French OCRCVM) who monitors all trading activity across the country suffered a security breach which was reported in April 2013. It was revealed that an employee lost a USB drive containing the personal information of more than 52,000 individuals with accounts at more than 30 brokerage firms.

After the incident, a class action was filed against IIROC, claiming 1,000$ for each individual. In August 2014, the class action was not authorized. One of the reasons that this class action was not authorized was the lack of evidence of any real damages sustained by the class representative.

What Are the Damages Following a Security Breach?

The Court in the IIROC case articulated the view that while the doctrine and jurisprudence recognize that the type of moral damage such as stress, emotional trauma, trouble, hassle and inconvenience can be compensated for, in this case, the Court considered that the disadvantages that the applicant alleged were those that are usually part of life in our twenty-first century society.

The type of damages that were claimed amounted to the time spent by the representative, such as doing a monthly check of his bank accounts and credit cards. This was not considered as being burdensome by the Court given that this data is easily accessible via the Internet and since that it is not unusual to make such verification several times a month at a time when the theft and misuse of personal information is reported in the news almost on a daily basis. While the applicant also claimed to have suffered stress following the incident, the request for authorization offered no details in this regard.

The Court also considered the fact that to date, no identity theft or fraud resulting from the loss of the computer by IIROC had been reported. In this context, the Court considered that the stress of the events alleged in the motion for authorization was not a compensable injury (failing to meet the criteria set forth by section 1003 b) of the Quebec Code of Civil Procedure).

The Court refers to the case Mustapha c. Culligan du Canada Ltée in which it was discussed that psychological distress suffered must be more important than mere annoyance in order for this type of damage to be compensated for.

In a similar breach incident involving the National Bank of Canada which triggered a class action in Larose c. Banque Nationale du Canada, the Court had authorized the class action. In that case, the National Bank of Canada had been robbed of three computers, one of which contained personal information of about 225,000 mortgage customers. In their motion for authorization to institute a class action, the applicants alleged, in essence, the same mistakes as those alleged in the IIROC case: negligence in the protection of their personal information and undue delay in notifying customers. The damages claimed also showed some similarity to those alleged in the IIROC case: additional delays when making credit applications, obligation to monitor bank accounts, increased vigilance in providing information personal, obligation to inform other financial institutions, loss of time and anxiety. The Court nevertheless highlighted an important fact alleged in the motion for authorization, and which clearly distinguishes that case from the IIROC case, which is the evidence of identity theft. Unlike in the IIROC case, it was alleged that the identity of at least one member of the group had been stolen, triggering the assumption that this situation may also apply to others.

The Court also took into account the case of Mazzonna c. DaimlerChrysler Financial Services to determine if authorization should be granted. In the Mazzonna case, a record containing personal information of DaimlerChrysler customers had been lost by a courier while delivering it to a credit agency. In its motion for authorization to institute a class action, Mazzonna criticized DaimlerChrysler in a similar way than in the IIROC case. In Mazzona, since no identity theft or fraud associated with the loss of the record had been reported, the Court did not authorize the class action, since the damages alleged by the Petitioner were prima facie the kind of ordinary annoyances and anxieties (and therefore did not constitute “compensable” damages).

Takeaways for Businesses

The decision in the IIROC case will make it more difficult for privacy class actions to be authorized following a security breach, unless it can be proven that the damages caused were more than the Petitioner having suffered stress following the incident and having spent time verifying their bank accounts and credit card statements. The fact that there is evidence that following the security breach, the identity of one of the class member was stolen will usually play in favor of an authorization.

While not all security breaches will lead to the authorization of a class action, organizations can’t ignore the reputational damages resulting from a security breach. Also, they should take into account the fact that following a security breach, the fact that individuals are properly notified and that measures are quickly taken to protect the individuals (free credit monitoring, fraud alerts, etc.) will usually be taken into account by the Court. In the IIROC case, there was a publication of a press release, a letter was sent to customers informing them of the theft and asking for their vigilance, a notice of incident was reported to both Equifax and TransUnion and the Privacy Commissioner was informed.

 

This content has been updated on September 12, 2014 at 13 h 31 min.