Focus On

CIVIL PROCEDURE - Parties - Class or representative actions - Certification - Sub-class

Thursday, January 30, 2020 @ 6:18 AM  


Lexis Advance® Quicklaw®
Motion by the plaintiff, Alina Owsianik, for certification of a proposed class action. The claim arose out of the intrusion by unauthorized persons (hackers) into the computer systems of the defendant Equifax Canada Co. (Equifax) from May 13, 2017 through July 30, 2017. Equifax notified approximately 20,000 Canadians that their personal information including names, addresses, and social insurance numbers were impacted and compromised by hackers. Equifax obtained detailed and sensitive financial information and sold credit reporting services for profit. It also sold credit protection, fraud management, and credit management subscription services, including identity theft protection. Owsianik was a subscriber to Equifax's Complete Premier Plan since 2013. She received a letter from Equifax confirming that her personal information was compromised and impacted by hackers. Owsianik sought to certify a class action on behalf of all persons in Canada whose personal information was accessed by hackers as a result of the data breach and who did not purchase subscription products between March 7, 2017 and September 7, 2017 (Access-Only Subclass), all persons in Canada who purchased subscription products between March 7, 2017 and September 7, 2017 and whose personal information was not accessed by hackers (Contract-Only Subclass), and all persons in Canada whose personal information was accessed by hackers as a result of the data breach and who purchased subscription products between March 7, 2017 and September 7, 2017 (Combined Subclass). The Access-Only Subclass sought certification of common issues based on claims for negligence, intrusion on seclusion and breach of provincial privacy legislation. The Contract-Only Subclass sought certification of common issued based on claims for breach of contract and breach of consumer protection legislation. The Combined Subclass sought certification of all the previously listed common issues. Owsianik sought damages on an aggregate and individual basis, and punitive damages. Equifax opposed certification on the intrusion on seclusion claim, the breach of provincial privacy legislation claim, the breach of contract claim of the Contract-Only Subclass, the claim of the Contract-Only Subclass under consumer protection legislation, the claim of the Combined Subclass for rescission or damages under consumer protection legislation, and the claim of all class members for an award of aggregate damages.

HELD: Motion allowed. It was not settled law that an intrusion upon seclusion claim was precluded against Equifax for the hacker attack. As a database defendant who allegedly recklessly allowed hackers to obtain social insurance numbers, credit card numbers, email addresses, names, addresses, and other information which collectively exposed an individual to the risk of identity theft, it was not certain that the intrusion upon seclusion claim would fail. At the very least, the seclusion against intrusion claim should be determined at a hearing on the merits. There was case law in which courts found a cause of action was disclosed under provincial privacy statutes against database defendants arising from a hacker attack. The law was uncertain as to whether an objective aspect could be applied to the statutory requirement of “wilful” conduct. Thus, it was not plain and obvious that Equifax could not be found to have engaged in wilful conduct. It was not appropriate to prevent the law from developing as to the "wilful" requirement under the provincial privacy legislation. It was possible that the Contract-Only Subclass had a claim against Equifax for breach of contract. The claim disclosed a cause of action for restitutionary and nominal damages. It was not plain and obvious that a subscriber could not obtain restitutionary damages to return fees paid to Equifax between March 7, 2017 and September 7, 2017. Equifax collected monthly subscription fees from its subscribers under "grossly deficient" security, using outdated and obsolete software. It was also not plain and obvious that the contractual claim of the Combined Subclass would be limited to expectation damages. If the court accepted the facts as pleaded, it could find that Equifax engaged in unfair practices which could permit a rescission or damages claim under s. 18 of the Consumer Protection Act. It was not settled law that damages for the alleged unfair practices were limited to expectation damages. The action was certified on all proposed common issues.

Agnew-Americano v. Equifax Canada Co., [2019] O.J. No. 6337, Ontario Superior Court of Justice, B.T. Glustein J., December 13, 2019. Digest No. TLD-January272020008