At one time or another, many people have had to deal with the inconvenience of losing their wallet and the stress of knowing that unauthorized individuals could access the personal information it may contain, not to mention the hassle and concern of having to replace their identification and bank cards.
However, what happens when this personal and confidential information is accessed by third parties after an organization is hacked? Can that organization be held liable for the inconvenience of credit card cancellations and the psychological stress caused by knowing that your personal information may be in the hands of an ill-intentioned third party?
An important decision was rendered by the Superior Court of Québec in Equifax1 on this very issue. The Court ruled that these inconveniences are part of the annoyances, fears and stress that people living in society must accept.
The facts
Between May and July 2017, hackers launched a cyberattack against Equifax’s databases and obtained personal and credit information that Equifax had collected from its clients and stored electronically.
After Equifax informed its clients of the attack, the Privacy Commissioner of Canada launched an investigation and concluded that Equifax must implement improved security measures to protect the personal information it holds.
Mr. Daniel Li, one of Equifax’s clients whose personal data had been accessed by hackers, applied to the Court for authorization to institute a class action against Equifax on behalf of all the individuals in Quebec whose personal information had been hacked and who were at risk of identity theft and credit damage. Mr. Li was seeking to recover monetary damages for the annoyance associated with cancelling credit cards and setting up credit monitoring services, as well as for the mental distress stemming from the fear of becoming a victim of fraud in the future.
The Court’s opinion
In its decision dismissing Mr. Li’s motion to institute a class action, the Court found that while Equifax had not adequately protected its clients’ personal and confidential information, the plaintiff was not entitled to the damages claimed.
According to the Court, since there was no evidence either that the personal information had actually been used by the fraudsters or that Mr. Li’s identity had been stolen, and since Mr. Li had not incurred any expenses to replace his bank cards and set up credit monitoring services, he had not incurred any damages and was therefore not entitled to the compensation claimed.
In this regard, the Court stated that:
“[translation] (…) the risk of a future harm developing, such as an illness or infection, is not an injury that can be compensated under Quebec law. It is an uncertain and hypothetical injury. (…) A risk is not an injury that is certain.”2
With respect to the mental distress alleged by Mr. Li, the Court found that simply claiming to have suffered annoyances and stress is not sufficient to warrant compensation. Not only are more than simple allegations required, but the damages alleged in this case are, at the very most, “[translation] ordinary annoyances, anxieties and fears that people living in society routinely, if sometimes reluctantly, accept.”3
Practical consequences
This judgment goes against the trend in class actions where the members of a group use class action lawsuits as a vehicle to be compensated for the inconveniences, annoyances and stress they suffered as a result of the defendant’s conduct.4 This type of claim can be useful, especially when the members of the group suffered little, if any, actual economic loss. However, allowing lawsuits to proceed that would seek to compensate mere inconveniences, annoyances and stress could have a dissuasive effect on organizations disclosing breaches, since they may be opening themselves up to legal proceedings even when the affected individuals did not suffer any economic loss.5
This judgment is therefore a positive development for any organization that, faced with a breach, assumes its obligations by notifying the individuals affected by the breach, without necessarily having to fear legal proceedings, provided the individuals did not suffer significant economic loss or pain and suffering. These organizations can now fulfill their obligations knowing that the mere fear that the personal information might be used (and the associated stress) will not necessarily result in a class action’s authorization or a finding of liability, even if there may have been some gaps in the organization’s protection of personal information.
This conclusion should nevertheless be qualified. The Court’s decision could have been different had Mr. Li been required to bear the costs of identity protection services, or alleged damages more specific than mere fear and general psychological distress.