As data breaches become more and more prevalent, customers are finding themselves at greater and greater risk of having their personal information improperly disclosed or stolen. When it does happen, thousands or millions of users may be exposed to identity theft. A recurring question for the courts is, in the absence of actual identity theft, how does one quantify the damages of this “increased risk” when the risk has not actually materialized?
This question has been looked at by both Canadian and American courts, and they have arrived at similar but distinct positions.
United States
In the United States, standing to commence a lawsuit is governed by Article III of the Constitution, and requires the plaintiff to have suffered an “injury in fact”. Equally importantly, where there is no such standing, class proceedings where no actual damages have been sustained are not normally certified.
The application of this to data breaches was addressed in Krottner v. Starbucks Corporation, which held that an increased risk of future harm was sufficient grounds to bring an action against the defendant corporation, because the risk was both real and immediate. This was further developed in the recent high-profile and ongoing cases of the Sony data breach and the Adobe data breach, which found that the breach and disclosure of personal and financial information created a sufficiently imminent risk of identity theft that a plaintiff could proceed with a claim.
This generally comports with the US Restatement (Second) of Torts, which provides that privacy invasion can result in damages for (a) harm to the interest in privacy resulting from the invasion, (b) mental distress which would normally develop from such an invasion, and (c) actual monetary damages caused by the invasion. Generally speaking, damages will not be presumed, and a cause of action can only continue if damages are established.
However, some US courts have held that nominal damages are still awardable even if there is no actual harm or evidential risk of harm, including the recent case of Tabata v. Charleston Area Medical Center Inc., essentially allowing a fourth category of available damages. In that case, the West Virginia Court of Appeals reversed the trial decision and certified a class action where there was no evidence of actual unauthorized access to customers’ information, though the information had been made publicly available online. While the majority essentially permitted the class proceeding to continue on nominal damages alone, the dissenting judge felt that, without evidence of actual damages, the case was “a typical example of a frivolous lawsuit.” While the decision is only binding in West Virginia, it shows an increasing trend that nominal damages alone are sufficient to ground a cause of action. Other decisions supporting nominal damage actions have also been made in Pennsylvania, Nebraska, Colorado, and elsewhere.
Canada
By comparison, one of the most recent Canadian cases on data breaches is Condon v. Canada, which was certified as a class action last year (that decision is currently under appeal). In that case, the personal and financial data of nearly 600,000 individuals was placed on a hard drive by the Ministry of Human Resources, which was subsequently lost. The plaintiffs sued in respect of that breach, including a claim for inconvenience and anxiety as well as increased risk of identity theft. There was no evidence that any of the information was actually obtained by any unauthorized users, making it very similar on its facts to Tabata.
The court considered that there was no evidence that any of the plaintiffs were at an increased risk for identity theft, or that any instances of identity theft were related to the data breach, and found that there was no possibility of success in the recovery of damages as a result. The court also found that the inconvenience and actual losses were not significant, as the plaintiffs had not even obtained credit monitoring services or shown any significant inconvenience. Accordingly, any claims which required proof of actual damages (including negligence and breach of confidence) were set aside.
However, the court also found that even if the claims were only for nominal damages – a minimal award where a wrong is committed but no real damage is suffered – the plaintiffs’ claims could proceed. In particular, the court considered the tort of “intrusion upon seclusion”, more colloquially known as breach of privacy, a tort developed in the recent Ontario case of Jones v. Tsige that would provide for nominal or “symbolic” damages even where no actual losses were incurred. The court in Jones held that such symbolic damages of up to $20,000 would be appropriate.
Conclusions
As a result, both Canada and the United States are increasingly allowing proceedings, and even class proceedings, to continue in cases of data breaches even if no evidence of actual damages is provided.
However, this area of law is still developing, and cases remain in the early stages of litigation where the various allegations and actual damage awards have yet to be determined on the merits. It is expected that further developments in these and other cases will provide some much-needed guidance in the complexities of this new area of law.