Being the Victim of an IT Security Breach Is Not Enough to Claim Damages
In the matter of Bourbonnière v. Yahoo! Inc.[1], the Quebec Superior Court applied the principles laid down by the Quebec Court of Appeal in the Sofio[2] decision and confirmed that being a victim of an IT security incident does not in and of itself give rise to a claim for damages by the victim.
1. Overview of the facts
Following Yahoo!’s disclosure in 2016 that personal and financial information in the user accounts of 500 million of its subscribers had been stolen by hackers, Ms. Bourbonnière sought authorization to bring a class action on behalf of all persons in Quebec who were potential victims of data theft due to this successful cyber-attack against Yahoo!’s platforms.
Her proceeding alleged psychological and emotional distress, potential financial losses from the hackers’ unauthorized access to Yahoo! user accounts, and annoyance and inconvenience resulting from the sending of spam from her email address to her acquaintances.
2. The Superior Court’s reasoning and decision
The judgment rendered by the Honourable Chantal Tremblay confirms the principle established in the Quebec Court of Appeal’s judgment in Sofio, whereby merely being the victim of an IT security breach is not sufficient to constitute actionable harm.
In her analysis of the second condition for authorization under article 575 of the Code of Civil Procedure[3], i.e. that the facts alleged must appear to justify the conclusions sought, Justice Tremblay pointed out that the fault attributed to Yahoo! in this instance was its negligence in protecting the personal and financial information of its subscribers. However, according to the Court of Appeal in Sofio, the commission of an alleged fault does not entail that harm resulted, such that any ensuing compensable injury must be demonstrated, something the plaintiff failed to do in this instance.
The judge found rather that the harm allegedly suffered by the plaintiff consisted solely of having to change her password, as well as the embarrassment she felt on account of the spam sent to her acquaintances. Citing the Supreme Court of Canada’s decision in Mustapha, Justice Tremblay concluded that the alleged harm consisted only of ordinary and transient inconveniences that were insufficient to constitute “compensable injury”[4].
The Bourbonnière v. Yahoo! case reminds us that authorization to institute a class action depends on demonstrating the existence of compensable injury, which must be “serious and prolonged” on a prima facie basis in order to give rise to potential compensation. The harm cannot consist merely of “the ordinary annoyances, anxieties and fears that people living in society routinely, if sometimes reluctantly, accept”[5].
Thus, victims of an IT security breach will not necessarily suffer compensable harm from the theft or loss of their personal or financial information.
The Superior Court’s decision in Bourbonnière v. Yahoo! Inc. is thus relevant not only for organizations in the IT field, but also for any organization possessing personal or financial information in electronic form, as it is an excellent illustration of the application of the principles established by the Court of Appeal in the Sofio case. It is now part of an important jurisprudential trend pertaining to the potential legal liability resulting from an IT security incident.
It should be noted that some of the conditions for the authorization of a class action, particularly the difficulty of demonstrating pecuniary harm collectively suffered by a group and the quantum of the harm suffered by each member of the group, are among the factors cited in support of demands for legislative changes to give the power of levying financial sanctions to regulatory bodies such as the Privacy Commissioner of Canada or Quebec’s Commission d’accès à l’information.
Beyond the financial consequences of the institution of a class action by persons whose personal information is compromised by an IT security breach, organizations must also implement appropriate measures and procedures to guard against the reputational and business-interruption risks that may result from a security incident. Notably, special consideration should be given to the potential consequences of a ransomware attack aimed at disrupting the activities of an organization by encrypting its data so as to render it inaccessible until a ransom is paid.
The authors would like to thank articling student Guillaume Larouche for his assistance in the preparation of this article.
[1] 2019 QCCS 2624
[2] Sofio v. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2015 QCCA 1820
[3] Code of Civil Procedure, CQLR c. C-25.01, article 575
[4] Mustapha v. Culligan of Canada Ltd., 2 SCR 114, 2008 SCC 27, para. 9