Lawsuits for Data Breaches: Useless or Strategic?

Éloïse Gratton September 15, 2014

Solove published an interesting piece today entitled: “Why Do Lawsuits for Data Breaches Continue Even Though the Law Is Against Plaintiffs?” He explains that while the U.S. law has been far from kind to plaintiffs in data breaches (most courts dismiss claims for lack of harm), lawsuits keep coming.

We have a similar situation in Canada: these types of lawsuits will often be dismissed for lack of harm. The federal courts have not awarded any real damages since PIPEDA came into force. Since 2004, only a few decisions have been issued by the Federal Court, in which—except for one case in 2013 in which the federal court awarded 20,000$ (Chitrakar v. Bell, which even included punitive damages)— there have been either no damages or small amounts awarded in damages.

Many class action lawsuits are also dismissed at the authorization stage for lack of harm. I have blogged recently about the Investment Industry Regulatory Organization of Canada (IIROC) 2013 security breach (the loss by IIROC of a non encrypted laptop containing detailed information on clients of 32 firms and 52 000 individuals). While a privacy class action was filed in Quebec, claiming 1000$ per affected individual, it was not authorized, in part because of the lack of harm. This is consistent with previous decisions on the same issue: ordinary annoyances and anxieties (fear of identity theft) are often not considered as harmful enough. If there is evidence of some type of financial harm, for instance, if following the security breach there is evidence of identity theft such as in Larose c. Banque Nationale du Canada, this will usually play in favor of an authorization.

Solove refers to an article authored by Sasha Romanosky, David A. Hoffman, and Alessandro Acquisti entitled: “In Empirical Analysis of Data Breach Litigation“, in which the authors analyzed court dockets on more than 230 U.S. federal data breach lawsuits over a ten year period (2000 to 2010). The article provides interesting stats which may explain why data breach lawsuits keep coming even if many courts may dismiss these claims for lack of harm: 76% of data breach lawsuits are filed as class actions (i.e. more money at stake), and data breach lawsuits lacking actual harm or class certification are almost as equally likely to reach settlement as dismissal (50/50 chance). For some, this may well be worth the gamble!

This content has been updated on September 15, 2014 at 20 h 39 min.

Éloïse Gratton

Privacy & Data Protection Law

Lawsuits for Data Breaches: Useless or Strategic?

Data governance and privacy risks in Canada: A checklist for boards and c-suite

An Update on New Québec Confidentiality Incidents and Record-Keeping Requirements

The inside scoop on how to become a privacy lawyer: 10 tips from the top

Preparing for the Privacy Reform in Canada

Getting Ready for Québec’s New Privacy Law in 2023 (Part 1): Using what we know so far

Getting Ready for Quebec’s New Privacy Law in 2023 (Part 2): Navigating uncertainty in the Law

Une fugitive recherchée depuis 30 ans, capturée à Berlin grâce à la reconnaissance faciale

CBC Windsor Morning Radio Show

La Cour suprême vient compliquer les cyberenquêtes

Une fugitive capturée à Berlin grâce à la reconnaissance faciale

Aide-mémoire en matière de protection de la vie privée et de sécurité des renseignements personnels

Lucky 7 data privacy and security cheat sheet