A claimant who is the victim of a data breach and who has suffered only mental distress or potential future loss such as actual fraud or identity theft lacks standing to sue for such losses.
Li c. Equifax Inc., 2019 QCCS 4340, per Bison, J.C.S.
Facts + Issues
The Plaintiff Li sought to certify a class action against the Equifax Defendants (“Equifax”) for compensatory and punitive damages for a data breach.
Equifax was in the business of collecting and storing personal credit information of its clients including name, address and social insurance number. Equifax issued a media release on 7 September 2017 to the effect that between May and July 2017 a third party hacker had obtained unauthorized access to Equifax databases.
Between 8,000 and 19,760 Canadians were affected. The Plaintiff’s counsel learned that several Equifax clients had reported fraud after the data breach, including the opening of bank accounts by fraudulently employing an Equifax customer’s name.
The Plaintiff alleged that he and other Quebec Equifax clients faced “imminent danger” that , sometime in the future their personal information may be used by third parties for illegal purposes, the consequences of which are harmful to them, including theft, identity theft, kidnapping and sexual assault. He further alleged that he and other class members must incur expenses to take steps to protect their personal information, including cancelling credit/debit cards, purchasing identity protection services such as credit monitoring. He alleged that despite taking such steps he would remain at risk of being victimized by fraud, identity theft, etc. He alleged that he had suffered mental distress.
The Plaintiff had not been the victim of identity theft and had not yet suffered the hassle and expense of credit card cancellation or credit monitoring services.
On April 9, 2019, the Office of the Privacy Commissioner of Canada issued a decision wherein it was concluded that “the personal information of Canadians owned by Equifax Canada was not protected by adequate security measures and that the mitigation measures offered by Equifax Canada to those affected as a result of this breach were not adequate” and which identified “systemic problems that have existed since 2015”.
It was alleged that Equifax had settled a parallel class action in the United States for U.S. residents.
The Plaintiff sought compensatory damages for (para. 25):
- economic loss resulting inter alia from the purchase of continuous credit monitoring services;
- troubles and inconveniences associated, inter alia, with the cancellation of credit cards and the organization of credit monitoring services;
- mental distress; and
- other losses.
The Plaintiff also sought punitive damages for breach of the Quebec Charter of Rights and Freedoms, RSQ c C-12, ss. 5 and 9.
HELD: For the Defence; class action not certified.
The Court summarized the elements necessary for the certification of a class action in Quebec [translation]:
[10 ] The Article 575 of the Code of Civil Procedure ("CCP") sets out the conditions to be met by anyone who wishes to be authorized to exercise collective action:
575. The court authorizes the exercise of the class action and assigns the status of representative to the member it designates if it is of the opinion that:
- the demands of the members raise identical, similar or related questions of law or fact;
- the facts alleged appear to justify the conclusions sought;
- the composition of the group renders difficult or impractical the application of the rules on the warrant to sue for the benefit of another person or the joinder of proceedings;
- the member to whom he intends to grant the status of representative is able to ensure adequate representation of the members.
The Court held that a class action could not be certified because the damages alleged by the Plaintiff did not arise from a recognized cause of action because the claim was for the risk of possible future losses and damage and any current mental anguish amounts to merely “ordinary annoyances, anxieties and fears that people living in society routinely, if sometimes reluctantly, accept" [translation]:
[ 27 ] According to the allegations in the Amended Application, the Applicant has not been the victim of identity theft and has not yet spent money on the purchase of Continuous Credit Monitoring Services and has not yet suffered from problems and inconveniences associated, inter alia, with the cancellation of credit cards and the organization of credit monitoring services. The claimant reports future risk and future expenses. He adds having suffered a mental distress. Is it sufficient? The Tribunal is of the opinion that no. Here's why.
[ 28 ] In Zuckerman v. Target Corporation [2017 QCCS 110] , the Superior Court summarizes the state of Quebec law [Including the judgment of the Court of Appeal Sofioc. Investment Industry Regulatory Organization of Canada (IIROC), 2015 QCCA 1820 and, to the same effect: Bourbonnièrec. Yahoo! Inc., 2019 QCCS 2624] on damages in similar cases:
 The Court concludes that the monitoring of bank accounts and credit cards constitutes normal activities and not inconveniences for which the credit card holder can recover damages. However, other matters such as setting up credit monitoring and security alerts, obtaining credit reports, and cancelling accounts and cancellations are "ordinary annoyances, anxieties and fears that people living in society routinely, if sometimes reluctantly, accept" purpose may amount to something more. These are potential matters for which class members would be entitled to compensation.
 Zuckerman does not agree that he was the victim of fraud or identity theft. It is possible that it is the victim of the identity of the victim or the future, but those possibilities seem more remote with the passage of time.
 Zuckerman cannot find the class action that he did not suffer. He must alleviate that he suffered the pain. Whether he or she may be included in the class of persons who have been admitted to a court of law, the Court will consider the case, if it authorizes the class action, in the description of the class and the identification of the issues and the conclusions.
[ 29 ] These comments echo the concept that the risk of developing future harm, such as a disease or an infection, is not an injury that can be compensated in Quebec law. This is an uncertain and hypothetical damage, prohibited under Article 1611 CCQ and the authorities [footnote omitted]. A risk is not a certain harm.
[ 30 ] In these circumstances, the plaintiff has no colour of right for the following damages:
- economic loss resulting inter alia from the purchase of continuous credit monitoring services;
- troubles and inconveniences associated with, among other things, the cancellation of credit cards and the organization of credit monitoring services.
[ 31 ] Moreover, the mental distress claimed by the plaintiff is not characterized or described in such a way as to enable him to overcome the ordinary inconveniences, anxieties and fears that every person living in society must regularly accept. Was - this reluctantly [footnote omitted]. It would have required more detail than mere allegations [footnote omitted]. According to the allegations in the Amended Application, the Tribunal finds that this alleged harm by the Applicant is negligible and therefore does not have colour of right.
[ 32 ] Finally, with respect to "other losses", none is alleged by the plaintiff. There is therefore no colour of law in this regard.
The claim for punitive damages was refused for the additional reason that the grounds for punitive damages had not been established [translation]:
[ 40 ] Thus, does the Amended Application contain sufficient allegations of fact to give rise to the conclusions sought in punitive damages?
[ 41 ] The Tribunal is of the opinion that no. The Amended Application only states "unlawful" breach, nothing more. No detail or temporal indication is given. In addition, the plaintiff's argumentation cannot complete the allegations in the Amended Application; oral argument cannot either. The Tribunal can certainly make inferences or deductions, but here it would be to deduce completely that there was unlawful and intentional infringement, without any detail or fact to do so. Without any characterization in the Amended Application, the newspaper articles Parts P-4 and P-7 and the Report of the Office of the Privacy Commissioner of Canada Exhibit P-8 are insufficient in this regard.
The Court went on to find that some of the other elements necessary for certification of a class action had been established, but others had not. It was found:
- that the claims of the members of the proposed class shared identical, similar or related questions of law or fact;
- that the composition of the proposed class made it difficult or impractical to bring individually;
- but that the Plaintiff Li was not able to adequately represent the members of the class as he lacked standing to sue for compensatory or punitive damages as set out above.
Many U.S. cases have wrestled with the question of whether or not the victim of a data breach who has suffered no actual or imminent resultant identity theft, fraud or other misuse of the data has standing to sue for damages. The American law remains unsettled. The earlier American cases do not recognize standing in such situations. However, there is a more recent trend in U.S. authorities is going the other way. The Canadian cases align with Li c. Equifax: Mazzonna v. DaimlerChrysler Financial Services Canada Inc., 2012 QCCS 958; Rowlands v. Durham Region Health, 2012 ONSC 3948; Evans v. Bank of Nova Scotia, 2014 ONSC 7249; Condon v. R.; 2015 FCA 159; Lozanski v. Home Depot Inc., 2016 ONSC 5447; Bourbonnière c. Yahoo! Inc., 2019 CarswellQue 5830 (C.S.Qué.).