In Del Giudice v Thompson, Perell J. of the Ontario Superior Court of Justice denied the plaintiffs’ motion to certify a class action involving claims for data misappropriation and misuse stemming from the 2019 Capital One data breach. This decision provides important insights into how the court considers privacy cases, in particular those involving third-party hackers, and into the court’s reluctance to find defendants liable for a privacy tort based on the conduct of a third party.
The proposed class action arose after the defendant, Paige Thompson, hacked the database of personal information collected by Capital One. The Capital One data was stored on the computer servers of Amazon Web Services, of which Thompson had previously been an employee. Ms. Thompson went on to misappropriate the data by posting it on the website GitHub, a forum for software developers to share information.
As a consequence of the data breach, personal and confidential information of 106 million applicants for Capital One credit cards was exposed or became vulnerable to exposure to the public. It was estimated that approximately six million Canadians were affected.
The court directed that the certification motion have two phases, the first of which was to determine whether and the extent to which the Plaintiffs had satisfied the cause of action criterion.
The Court’s Decision Denying Certification
In their claim, the Plaintiffs pleaded nineteen separate causes of action including: intrusion on seclusion; misappropriation of financial personality; breach of data protection laws; conversion; breach of confidence, trust, and fiduciary duty; strict liability; vicarious liability; negligence; and duty to warn.
The court found that the Plaintiffs’ Fresh as Amended Statement of Claim (Claim) should be struck out in its entirety without leave to deliver a Second Fresh as Amended Statement of Claim for three reasons: (1) the Claim “egregiously” contravened the rules of pleading by failing to plead material facts and by containing evidence by which a material fact was to be proved, or argumentative, repetitive, irrelevant or scandalous allegations; (2) the Plaintiffs failed to plead any legally viable causes of action against Capital One and Amazon Web; and (3) the Plaintiffs’ Claim had been transformed from a straightforward data breach case into a data misappropriation and misuse case.
In dismissing the plaintiffs’ motion for certification, the court considered the nineteen causes of action. For the purposes of this blog post, we have focused on the specific privacy law causes of action: intrusion upon seclusion, misappropriation of personality, and privacy statutes. Because the cause of action criterion was not satisfied, the court did not proceed to phase two to consider the remaining s. 5(1) certification criteria under the Class Proceedings Act, 1992.
Intrusion Upon Seclusion
With respect to the plaintiffs’ claim for intrusion upon seclusion, the court found the only viable cause of action for intrusion upon seclusion was against the defendant, Ms. Thompson; there was no viable claim for intrusion on seclusion as against Capital One or against Amazon Web. The court noted it was Ms. Thompson who was the intruder, not Capital One or Amazon Web. While the Plaintiffs argued that the defendants had increased the risk of a data breach or had at least failed to prevent one, the court rejected these submissions, noting that a failure to prevent an intrusion, even a reckless failure to prevent, is not an intrusion.
I agree with my colleague (paragraph 43) that Equifax's actions, if proven, amount to conduct that a reasonable person could find to be highly offensive. But no one says that Equifax intruded, and that is the central element of the tort. The intrusion need not be intentional; it can be reckless. But it still has to be an intrusion. It is the intrusion that has to be intentional or reckless and the intrusion that has to be highly offensive. Otherwise, the tort assigns liability for a completely different category of conduct, a category that is adequately controlled by the tort of negligence.
The court went further, noting, “I would add that if the tort of intrusion on seclusion would assign liability without an intrusion, then it would assign liability to categories of misconduct that are adequately controlled by an assortment of other possible torts, by statutory provisions, and by actions for breach of contract. The Court of Appeal in Jones v. Tsige, however, intended intrusion on seclusion to fill gaps in the law of privacy not pave them over.”
While the plaintiffs pleaded that the defendants collected and used personal information for purposes to which the proposed class did not agree, the court, in reviewing the contract documents, found that the contracts disproved the material facts. Thus, the court found that the causes of action for intrusion upon seclusion, misappropriation of financial personality, breach of statutory causes of action, conversion, breach of confidence, breach of trust, breach of fiduciary duty, and strict liability that rely on that refuted material fact were doomed to fail.
The court also found that the alleged misconduct of the defendants Capital One and Amazon Web was not intentional or reckless, which are requisite elements of the tort of intrusion upon seclusion. The court noted that “carelessness is not the same mental state as intentionality or recklessness.” As pleaded against them, Capital One’s and Amazon Web’s conduct amounts to making mistakes in safeguarding not particularly sensitive information that largely consists of information to identify the applicant for a credit card and to provide means to contact them. Capital One’s or Amazon Web’s conduct, which might be wrongful and expose them to some other cause of action, was not offensive in the requisite legal sense that would constitute the tort of intrusion on seclusion.
Misappropriation of Personality
The plaintiffs alleged the defendants, Capital One and Amazon Web, are liable for the privacy torts of (a) intentional misappropriation of financial personality; and (b) reckless misappropriation of financial personality. The court noted the proposed cause of action for intentional or reckless misappropriation of personality was not remotely close to the existing tort of misappropriation of personality and could not be an incremental extension of that tort and thus these claims were struck.
The court also dismissed several claims for breach of privacy statutes finding the Plaintiffs’ claims an attempt to bootstrap their common law causes of action with statutory causes of action that were not jurisdictionally or factually available or applicable.
Remaining Causes of Action
With respect to the other causes of action, the court was not satisfied that a viable claim for conversion was made out. The court was not satisfied there was a breach of confidence because most of the information was not confidential, and Capital One and Amazon Web did not make unauthorized use of the information; there was thus no misuse of information, and the claims for breach of confidence, trust and fiduciary duty were struck. The court found the doctrine of strict liability was not applicable in this case, and in particular would not be available to the majority of class members who suffered no damages. With respect to the claim for vicarious liability, the court noted “it would be both absurd and unfair if it imposed liability on a defendant for failing to do the impossible…it would be both absurd and unfair to impose liability on Amazon Web for its failure to supervise a former employee for her post-employment activity or (b) on Capital One for its failure to supervise someone else’s former employee from wrongdoing in her post-employment activity.” The court concluded there was no viable negligence or duty to warn claim.
Notably, with respect to the breach of contract claim, the court noted “although the plaintiffs could have advanced a certifiable breach of contract claim for the whole class, they have not done so.” The court noted:
The Plaintiffs could have but they assiduously avoid pleading a straightforward breach of contract claim against Capital One based on the application form. In the immediate case, the Plaintiffs might have pled a straightforward breach of contract alleging that Capital One breached its contractual promises to keep the Class Members’ personal information secure and its promise to comply with Canadian privacy laws such as PIPEDA. Breach of contract entails at least nominal damages for all Class Members and some Class Members would have actually suffered economic losses from Capital One’s breach of contract.
In a “smoke em if you got em”-argument instead of a straightforward breach of contract claim for the whole class, the Plaintiffs plead a negligent breach of contract for the Class Members who have credit card agreements with Capital One. This pleading is a doctrinal fantasy. The failure to perform a contract promise be it intentional, reckless, careless, or because of matters beyond the control of the promisor is irrelevant to a breach of contract claim. Negligent performance of a contract is a legally meaningless concept to a cause of action for breach of contract, which is about what are the contract promises and whether those promises have been performed, not about what motivated or caused the contract to be breached.
In conclusion, the court found there were no viable causes of action, and denied certification in this case. However, this may not be the end of the Capital One data breach class actions. In denying certification in this case, the court lifted the stay imposed on the other proposed Capital One data breach class, which Perell J. stayed on April 30, 2020, on the carriage motion before him. It remains to be seen whether the other proposed class action, the Slapinski Action, will resurface, and whether any attempt to certify that action will suffer the same fate.
This case, together with Equifax, suggests that Ontario courts are unlikely to find businesses liable for third-party hacking that exposes class members’ personal information unless such claims are brought on the basis of more straightforward or traditional causes of action, such as breach of contract.
The growing privacy law jurisprudence seems to suggest that a court will only find a defendant to have intruded on an individual’s privacy if the defendants themselves have intruded, and that a failure to prevent an intrusion, even a reckless failure to prevent, is not an intrusion itself. The alternative route is for claimants to demonstrate that the defendant had a contractual obligation to keep data secure and failed in its performance of that obligation.