Et tu, Canada? Evidence of Harm Required To Advance Class Action Following Data Breach
Ranjan Agarwal, Keely Cameron, J. Sébastien A. Gittens, and Justin Lambert of Bennett Jones write:
Court of Queen’s Bench of Alberta, in Setoguchi v Uber B.V., 2021 ABQB 18, recently dismissed an application for certification of a proposed class action resulting from a data breach because there was no evidence of harm or loss.
This class action followed a hacking event, in which the hackers obtained Uber users’ names, phone numbers, and email addresses from the cloud. Uber did not initially reveal the data breach to class members, regulators, or police. In the three years following the incident, there was no evidence of fraud, identity theft, or any other economic loss. Rather, the evidence showed that the loss or harm was “wholly non-existent”. In considering the harm or loss issues, the Court had regard for the nature of the personal information, noting that the applicable duty and standard of care will vary with the sensitivity of that information. Here, Uber successfully argued that the information that had been released was already in the public domain.
To succeed in certifying a privacy class action, the plaintiffs must provide some evidence of loss or damages. All that is required is some “basis in fact” before certification is granted. On the facts before the Court here, there was no evidence that any of the data had been released beyond the hackers. To the extent that the plaintiffs were arguing future harm as a result of future misuse, the Court noted that should the hacked data somehow be used in the future and real evidence of harm or damage could be shown, that could support a new cause of action.
Read more on JDSupra.