The Ontario Superior Court of Justice has denied certification of the proposed class in a breach of privacy class action, which arose out of a cyber-attack against Casino Rama in November 2016. Justice Belobaba held that “the certification collapses in its entirety” as a result of the absence of commonality between the proposed class members, in accordance with s.5(1)(c) Class Proceedings Act.
Casino Rama was the victim of a cyber-attack in November 2016 when a team of hackers took control of the Casino’s internal systems and stole information relating to employees, suppliers and customers. The hacker demanded a ransom, but Casino Rama did not concede and the stolen information was posted online. Approximately 11,000 people had some personal information posted on the website and Casino Rama took adequate procedural steps to inform the individuals who were affected by the breach. They acted promptly to shut down the websites that were hosting the stolen information, they immediately alerted regulators and law enforcement officials, and they offered credit monitoring services to many of the Plaintiffs. Due to Casino Rama’s response to the attack, there was no evidence presented to the court that any theft, identity or otherwise, had occurred to the Plaintiffs.
The Plaintiffs commenced class action certification proceedings against Casino Rama alleging; negligence, breach of contract, intrusion upon seclusion, breach of confidence, and publicity given to private life. Out of the five proposed Plaintiffs, only two had any personal information posted online and none of the proposed Plaintiffs experienced any actionable loss.
Justice Belobaba began with a clever analogy, stating that “class counsel find themselves trying to force square (breach of privacy) pegs in round (tort and contract) holes.” The fact that there were no provable loses by any of the Plaintiffs and the fact that the hacker was not sued as a Defendant, made this a very “convoluted” class action.
The Defendants took issue with the certification requirements, set out in s. 5(1) Class Proceedings Act. They submitted that there were no viable causes of action by the Plaintiffs, as their class definition was over-broad and unprincipled, the proposed class members were inadequate, a class action was not the appropriate procedure and most importantly, there were no common issues or commonality between any of the Plaintiffs. The court agreed.
The court held that “the less sensitive the information…the lower the duty or standard of care.” The information that was gathered by Casino Rama and then subsequently published online by the hacker consisted of a “disparate collection of unorganized documents” and since the information varied widely between the proposed class members, there was no commonality or common basis to determine that the Defendants breached a duty of care.
The Plaintiffs attempted to submit that individual assessments were required in order to determine their actual loss, as per s.6Class Proceedings Act, but the court held that there would not be any assessments, since there were no certified common issues to determine. Since the alleged causes of action could not be answered in commonality across the entire proposed class, the court held that the class proceeding “would not be the preferable procedure” to resolve the Plaintiffs’ claims. Justice Belobaba concluded by stating that the Plaintiffs do have the right to bring individual actions, potentially in small claims court, provided that they can show actual loss. The motion was dismissed.
The successful Defendants presented costs submissions seeking $255,707.13 on a partial indemnity basis and the Plaintiffs submitted that no costs should be awarded because the proposed class action raised novel legal issues and was in the interest of the public. Justice Belobaba rejected both of the Plaintiffs’ arguments and held that the very basis for this class-action was questionable since it failed at the commonality stage. The court awarded total costs of $160,000 to the Defendants.
The courts have made it clear that failing to establish commonality or common issues between the proposed Plaintiffs will result in an unsuccessful class action certification motion. For an issue to be common, it must be capable of being answered once for all class members. Clearly, with the varying depth of loss between each proposed Plaintiff, no question could be answered in common. Another reason for the dismissal of the certification was that many of the proposed class members required so much in the way of individual assessments, that there would be no possibility of establishing commonality between them. If a cause of action can only be resolved by one class member and not across the entirety of the class, the cause of action will not be common. In this case, the Plaintiffs were unable to establish; 1) a basis in fact for the existence of the proposed class’s common issues; and 2) any commonality between the proposed class members.
In the future, when attempting to certify a class proceeding, Plaintiffs’ counsel must first establish that their proposed class has the requisite commonality and second, they must understand that even a common cause of action asserted by all class members does not in itself give rise to a common issue. The Plaintiffs are now facing $160,000 in costs and the courts have made it clear that if a proposed class cannot establish commonality between them, they will not be certified.