The Superior Court of Québec dismissed an application for authorization to institute a class action against Yahoo! Inc. [1] (hereinafter “Yahoo!”) seeking damages as a result of cyberattacks that compromised the confidentiality of user data.
Context
In September 2016, Yahoo! issued a press release announcing that nearly 500 million users were reportedly victims of a cyberattack in 2014. In December 2016, the company informed its users of another cyberattack that it claims took place in 2013. In February 2017, users were informed that the use of cookies apparently allowed a third party to access information contained in their accounts between 2015 and 2016.
While a class action was brought in Ontario in December 2016, an application for authorization to institute a class action was filed in Québec the following month seeking compensation for users who were victims of one or more of these cyberattacks.
The decision
No arguable case
After limiting the class to Québec residents whose information was lost and/or stolen between 2013 and 2019, the Court addressed the test set forth in paragraph 2 of article 575 of the Code of Civil Procedure. According to this criterion, the plaintiff must demonstrate that the alleged facts appear to justify the conclusions sought. The Court must distinguish factual allegations from arguments, opinions, unsupported inferences and hypotheses, as well as assertions that are implausible or false. This analysis is carried out in light of the plaintiff’s cause of action.
In this case, the plaintiff had a Yahoo! email account. She alleged having suffered harm because her account may have been hacked during the 2013 cyberattack, although the nature of the compromised information is not yet known. She added that she suffered additional harm due to the “imminent” and “certainly impending” threat of identity theft and fraud resulting from the sale of her information on the black market and its use by criminals. She was also embarrassed because some of her friends received spam emails from her account in her name. As a result, she must now take steps to protect her personal and financial information.
Building on the principles set out in the Sofio [2] and Mustapha [3] decisions, the Court reiterated that the demonstration of an alleged fault does not presuppose the existence of prejudice and that the latter must be serious and prolonged. Embarrassment and temporary inconveniences of an ordinary nature do not constitute compensable damages.
Contrary to the allegations in the application, the Court considered that the plaintiff’s answers during her examination demonstrated that she has no reason to believe that she was a victim of identity theft or fraud, since she did not identify any suspicious charges and did not receive a poor credit report. In addition, she continued to use her Yahoo! account and admitted that she did not purchase any identity protection services, such as credit monitoring. Thus, the only prejudice the plaintiff suffered is the fact that she had to change her passwords for all of the accounts associated with her Yahoo! email address and the embarrassment she suffered because of the spam emails that were sent to her friends. On this point, the Court noted that none of the spam emails were filed in the Court record and that none of the recipients of the spam emails suffered harm. Consequently, the Court concluded that the plaintiff had not demonstrated the existence of an arguable cause.
The Court distinguished the facts in this case from those in Zuckerman [4] and Belley [5], in which the plaintiffs had incurred expenses to protect their information or had been victims of fraud or identity theft.
Inadequate representation
Adequate representation implies that the representative plaintiff has a valid personal cause of action. However, a civil liability action requires the demonstration of a legal basis for the claim of damages, which was not achieved in this case. To summarize:
- It is not enough to claim the existence of a fault: damage must result therefrom.
- The notion of “compensable harm” must go beyond mere annoyance.
Conclusion
Legal action brought as a result of data breaches has increased exponentially in recent years. Cybercrime has become the second most common type of financial fraud. Any company that retains client data should be aware of the risks associated with cyberattacks and the potential lawsuits. To minimize risks, several measures can be implemented, such as adopting a response plan for cyberattacks, training employees and regularly updating security measures. For example, the PCI DSS (Payment Card Industry Data Security Standard) provides a detailed framework that allows companies to implement secure transaction processes. It is recommended that companies consult an IT specialist or hire an internal expert for guidance. It is also recommended that companies contact their insurers to verify their insurance policy coverage and, if necessary, obtain cyber risk insurance coverage.
For class action practitioners, this decision once again demonstrates the importance of bearing in mind the impact that the examination of the representative plaintiff could have on the outcome of a case.
1. Bourbonnière v. Yahoo! Inc., 2019 QCCS 2624.
2. Sofio c. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2015 QCCA 1820.
3. Mustapha v. Culligan of Canada Ltd., 2008 SCC 27.
4. Zuckerman v. Target Corporation, 2015 QCCA 1809.
5. Belley v. TD Auto Finance Services Inc./Services de financement auto TD inc., 2015 QCCS 168/2015 QCCA 1255.