Superior Court of Quebec Authorizes Privacy Class Action in Zuckerman v. Target Corporation

Protection your system from hacker information data.

Privacy class actions triggered by data breaches are growing in popularity in Canada, with more than 30 of them pending throughout the country. While none of these cases have yet been heard on their merits, some are being certified or authorized. The Superior Court of Quebec recently rendered judgment on a motion to authorize a privacy class action in Zuckerman v. Target Corporation, in which the petitioner alleged damages as a result of a data breach involving an estimated 40 million credit and debit cards, as well as the personal information of up to 70 million customers.

I have co-authored with my colleague Christopher Maughan a short piece summarizing this decision, which includes a description of the nature of the breach, discusses jurisdictional issues raised, and summarizes the damages claimed as well as the damages claimed which were suffered by other class members.

This recent decision provides a number of takeaways for businesses on how to manage security breaches.

• It is interesting to note that the court in this case authorized a common question on Target’s alleged failure to notify affected customers. While breach notification is not yet mandatory in most Canadian provinces (it is only mandatory in Alberta), organizations may still decide to notify on a voluntary basis, especially if it is open to customers to argue that their damages were exacerbated because they did not receive timely notification.
• Given that one of the common questions authorized against Target pertained to the cost of credit monitoring services, organizations which manage security incidents involving personal information may consider paying for such services (in cases that warrant them). This may be considered as a mitigating factor when assessing the damages sustained by customers.
• This case may also serve as a warning of the extent of the potential consequences of a data breach, given the court’s authorization of a common question pertaining to punitive damages. In response, businesses may wish to invest in prevention and ensure that they have adequate security measures in place, as well as an appropriate privacy governance framework. This will become even more important when the new notification and recordkeeping requirements in the Personal Information Protection and Electronic Documents Act come into force. These requirements provide that it will be a criminal offence for an organization to knowingly fail to report breaches, punishable by significant fines.
• Finally, this decision may also serve as a warning to businesses that their actions in one jurisdiction (in this case, the United States) can lead to significant legal exposure in another (i.e., Quebec), in situations where their customer bases extend beyond provincial, state or national borders.

To read our short article summarizing this decision, click here.

To read the French version of our article, click here.

This content has been updated on February 3, 2017 at 12 h 39 min.