[BreachExchange] Dealing with a data breach: key takeaways from the Ontario Home Depot class action

Audrey McNeil audrey at riskbasedsecurity.com
Tue Nov 15 10:55:04 EST 2016


http://www.nortonrosefulbright.com/knowledge/publications/144326/dealing-with-a-data-breach-key-takeaways-from-the-ontario-home-depot-class-action

The Ontario Superior Court of Justice recently approved a settlement
agreement in the Lowanski v The Home Depot class action,1 a decision that
highlights that adequate protection and a sufficient response can significantly
reduce the legal risks after a data breach. This class action was filed
following a data breach that gave access to personal information such as
names, credit card numbers, expiration dates and verification value codes
from Home Depot’s card payment system for six months during 2014.

Although the parties had agreed to settle the class action for more than $1
million, the Honourable Justice Perell reduced the amount to $400,000.
Similarly, the agreed-upon counsel fee was reduced from $406,000 to
$120,000. He also did not approve any honoraria.

Amounts granted by Canadian courts to members of class actions related to
data breaches are usually modest, but this judgment is quite surprising
since it is unheard of for a court to reduce a settlement amount in a class
action approval hearing.

The judge’s decision centred on the lack of significant damage suffered by
the plaintiffs and Home Depot’s responsible and prompt response to the data
breach.


Lack of significant damage

Plaintiffs raised three heads of damage from the payment card system
breach: (1) The risk of a fraudulent charge on one’s credit card; (2) the
risk of identity theft; and (3) the inconvenience of checking one’s credit
card statements.

Justice Perell considered that the proof of any consequent damage was in
the range of negligible to remote. On the first and second heads of
damages, there was no evidence that any class member had suffered a
fraudulent charge or that the data breach increased the risk of identity
theft since the stolen data was inadequate to fake another’s identity.

With regard to the last ground of damages, the Ontario Court of Appeal
recognized in 2012 that economic loss is not necessary to ground an action
in the tort of intrusion on seclusion. Any non-economic damage suffered as
a result of a privacy breach may be compensated by granting “symbolic”
damages.2

However, the mere fact that a person is worried about the security of his
or her personal information following a data breach does not qualify as a
compensable loss. Nor were plaintiffs inconvenienced because they had to
check their credit card statements for fraudulent purchases following the
Home Depot data breach. According to Justice Perell, any credit card holder
already bears such responsibility.

The Quebec Superior Court applied the same reasoning in the 2012 cases
Sofio c. Organisme canadien de réglementation du commerce des valeurs
mobilières3 and Mazzona v DaimlerChrysler Financial Services Canada Inc.4
The courts stated that monitoring account statements for fraudulent
activity is an ordinary inconvenience that constitutes part of the
cardholder’s daily activities and does not warrant compensation. They both
relied on the Supreme Court case Mustapha c. Culligan du Canada Ltée5, which
stated that compensable injury must be serious and prolonged and rise above the
ordinary annoyances, anxieties and fears that people living in society
routinely accept.


Home Depot’s response

Another decisive factor in the Ontario Superior Court’s decision was Home
Depot’s response following the data breach. The court considered Home
Depot’s response to be “responsible, prompt, generous and exemplary.” They
issued a timely press release, sent informative emails to customers and
offered free credit monitoring and identity theft insurance. Justice Perell
even expressed, notably in view of Home Depot's actions, that he would have
approved a discontinuance of the class action on the merits.

Regarding the fee approval, Justice Perell underlined that it has to be viewed
through the lens of access to justice, behaviour modification and judicial
economy. Yet, there was no reason to think that Home Depot needed or
deserved behaviour modification. After the data breach was discovered,
there was no cover-up on Home Depot’s part and it responded as a “good
corporate citizen” toward the breach.


Our take

The Ontario Home Depot class action highlights that adequate prevention,
detection and response significantly mitigate the legal risks associated
with privacy breaches. Preventive and compensatory measures are recognized
by the courts as means of mitigating or eliminating potential damages.