Justice Edward Belobaba of the Superior Court of Justice has dismissed a motion for certification of a class action launched after a cyberattack targeting Casino Rama, a casino and hotel north of Toronto. The May 7 ruling in Kaplan v. Casino Rama follows a cyberattack in November 2016 that led to the personal information of more than 10,000 people being posted online. Personal information of customers, employees and suppliers was shared after ransom demands by an anonymous hacker failed, said the ruling.
Belobaba ruled that the proposed class action should not proceed and noted in his ruling that it “collapses in its entirety at commonality.”
“The fact that there are no provable losses and that the primary culprit, the hacker, is not sued as a defendant makes for a very convoluted class action,” said the ruling.
“Class counsel find themselves trying to force square (breach of privacy) pegs into round (tort and contract) holes. And defence counsel, not surprisingly, takes issue with all five of the certification requirements as set out in s. 5(1) of the Class Proceedings Act.”
Belobaba said there was “no evidence” the five plaintiffs named in the case had “sustained any compensable financial loss or psychological harm as a result of the November 2016 hacking episode.” The ruling also noted that the casino had immediately responded to the cyberattack by shutting down two websites that posted the personal information and by updating people affected by the breach and offering them free credit monitoring for one year.
“I agree with the defendants that . . . the scope and content of the personal information that was stolen by the hacker varies so widely for each person that any assessment of the plaintiffs’ claims quickly devolves into individual inquiries,” said the ruling. “Any common issues are completely overwhelmed by these individual investigations, such that commonality is not established and a class action cannot be justified as the preferable procedure.”
Catherine Beagan Flood, a litigation partner at Blake Cassels & Graydon LLP in Toronto, represented Casino Rama and other defendants named in the motion for certification.
“I think for both lawyers and for clients . . . the big takeaway is that a prompt response to a cyberattack that puts customers and employees first pays off. In this decision, a very important factor was that, two and a half years after the cyberattack, there was no evidence that anyone had suffered compensable economic loss,” she says.
“Offering comprehensive credit monitoring and giving prompt public notice of the breach helped ensure that there was no loss for which the defendants could be liable.”
Beagan Flood says that, in Belobaba’s ruling, the judge pointed to certain parts of the casino’s response to the cyberattack, including that there had been “timely notice” given to the appropriate authorities and full co-operation with them. She also says take-down notices had been sent to websites to remove the stolen information.
“That’s sometimes something that lawyers who don’t practise in this area or clients may not be aware that they can do, in the same way that you can send a notice to [a website] that is breaching copyright,” she says.
She also says that, if it’s a legitimate website, “If you give them notice that someone is using their website to publish stolen data, in our experience, they do respond to those take-down notices, particularly if you involve law enforcement in sending their own take-down notice, we have found that websites are quite prompt in removing the stolen data.”
Other key elements of the response by the casino to the cyberattack were notices sent to patrons and employees, as well as the offer of credit-monitoring services, she says.
“I think that those are best practices that are now routinely being recommended by privacy commissioners, and I think one of the encouraging things about this decision is that it shows that our courts are also recognizing that these kinds of steps help mitigate the risk of potential harm to individuals,” she says.
Theodore Charney, principal of Charney Lawyers in Toronto and one of the lawyers representing the plaintiffs, says he was “disappointed” with the ruling.
“From our perspective, it’s inconsistent with the majority of the privacy breach class actions that have been decided to date in Canada,” he says.
However, Beagan Flood says the casino was the victim in what transpired with the cyberattack, not a wrongdoer. She says courts recognize that the purpose of the law isn’t to punish the victims of criminal cyberattacks, if best practices are followed.
“[Justice Belobaba] found that it would stretch tort and contract too far to make them responsible for what the criminal hacker had done,” she says.
Beagan Flood also acted for one of the defendants in Broutzas v. Rouge Valley Health System, 2018, another class action related to privacy.
“[T]he courts are still working through which are the types of cases that can appropriately be certified as privacy class actions. I think it will take some time, as it has in other practice areas, for it to be clear which are the circumstances in which certification is appropriate,” she says.
Saba Ahmad, principal of Saba Ahmad Barrister PC in Toronto, says the remarks by Belobaba about the tort of intrusion upon seclusion are similar to ones made by Justice Paul Perell last year in Broutzas.
“In both decisions, the plaintiffs failed to articulate a methodology for determining whether the individual plaintiffs experienced anguish or humiliation — which is a necessary element of the tort — on a class-wide basis,” she says.