Court File and Parties
Court File No.: CV-19-00631317-00CP
Date: 2021-11-04
Superior Court of Justice - Ontario
Re: Michael Obodo, Plaintiff And: Trans Union of Canada, Inc., Defendant
Before: Justice Glustein
Counsel: Christopher Du Vernet and Carlin McGoogan, for the plaintiff; Craig T. Lockwood, Lauren Harper, and Jessica Habib, for the defendants
Heard: October 14, 2021
Reasons for Decision
Overview
[1] The plaintiff, Michael Obodo (Obodo) brings this motion for an order certifying this proposed class action pursuant to s. 5 of the Class Proceedings Act, 1992, S.O. 1992, c. 6 (the CPA).
[2] The action arises out of a large-scale intrusion by unknown and unauthorized persons[^1] into the database of the defendant Trans Union of Canada, Inc. (TransUnion), which took place between June 28, 2019 and July 11, 2019 (the Data Breach). The hackers accessed the credit profiles of 37,444 persons (the Affected Individuals) whose financial information was held by TransUnion, a company that provides consumer credit reports, risk scores, and other related services to businesses who seek to evaluate the credit worthiness of consumers.
[3] TransUnion also provides services to individual consumers, to provide either credit reports or credit monitoring services and identity theft insurance. Consumers also rely on TransUnion to obtain credit, as Canadian credit granters and other entities use TransUnion services when determining whether to grant credit.
[4] The financial information accessed in the Data Breach consisted of credit reports for each of the Affected Individuals. The credit report contained the following information (to the extent that such information was available for a particular consumer): first and last name, date of birth, recent addresses and phone numbers, limited employment information, trade accounts, mortgage accounts, registered items, accounts closed for cause (i.e., overdraft), insolvency filings, legal claims, collection accounts (i.e., accounts referred to a collection agency), and hard inquiries (i.e., inquiries conducted only for credit adjudication purposes) (the Financial Information).
[5] The Financial Information was accessed using valid credentials belonging to an authorized employee of TransUnion’s customer CWB National Leasing, Inc. (CWB).
[6] Obodo relies on an expert report from Dr. Norman Archer who concludes that based on the information provided concerning the Data Breach, TransUnion’s information technology (IT) “security maturity level” was 1.5 out of a maximum score of 5, well below the level of security required to result in a major reduction in information security risk.
[7] Obodo brings this action for damages arising from the Data Breach. His claim is based on three causes of action: (i) intrusion upon seclusion (proposed common issue (PCI) 1), (ii) negligence (PCIs 2 to 6), and (iii) breach of provincial privacy statutes (PCIs 7 to 11).[^2]
[8] TransUnion opposes certification, and relies on 14 objections. TransUnion submits:
(i) Dr. Archer’s evidence is inadmissible because he is not qualified to be an expert (Objection 1);
(ii) In the alternative, Dr. Archer’s report should be given no (or little) weight since he was not familiar with any of TransUnion’s policies or procedures (Objection 2);
(iii) The intrusion upon seclusion claim in PCI 1 does not disclose a cause of action under s. 5(1)(a) of the CPA since it does not apply to hacker attacks (Objection 3);
(iv) The negligence claim fails to disclose a cause of action under s. 5(1)(a). While TransUnion acknowledges that the negligence claim discloses facts sufficient to establish a breach of the duty of care,[^3] TransUnion submits that the damages sought under PCI 6 for out of pocket expenses and mental distress cannot be claimed since:
(a) the class members only seek compensation for “transient upset”, “ordinary annoyances” and for “mental states that fall short of injury” (Objection 4); and
(b) in any event, out of pocket expenses are “pure economic loss” that cannot be recovered (Objection 5);
(v) The breach of provincial privacy statute claims under PCIs 7 to 11 fail to disclose a cause of action under s. 5(1)(a). TransUnion submits that:
(a) for the provincial privacy statutes in Manitoba, Newfoundland and Labrador and British Columbia, the Ontario court has no jurisdiction because the claim can only be brought before the courts of the particular province (Objection 6);
(b) in any event, the pleadings do not establish that TransUnion engaged in conduct that:
was “wilful” (as required under the Saskatchewan, Newfoundland and Labrador, and British Columbia statutes)[^4] (Objection 7),
“substantially” or “unreasonably” violated Obodo’s privacy (as required under the Manitoba statute)[^5] (Objection 8), or
constitutes an “invasion” of privacy that caused compensable loss (as required under the Quebec statute)[^6] (Objection 9);
(vi) The proposed class definition should not be certified under s. 5(1)(b) of the CPA since “there is no evidence of compensable harm” as “[n]ot a single person has complained of actual harm in the more than two years since the Incident” (Objection 10);
(vii) PCIs 2 to 6 related to the negligence claim should not be certified under s. 5(1)(c) of the CPA, since:
(a) the pleadings “disclosed no reasonable cause of action in negligence against the defendant on a class-wide basis” (Objection 11); and
(b) “[t]o the extent that any class member suffered actual compensable harm, the nature, scope and impact of that harm would necessarily be different for every Class member” (Objection 12);
(viii) A class action is not the preferable procedure under s. 5(1)(d) of the CPA, since (a) there is no access to justice concern because there is no evidence of “actual harm or actual damages”; (b) there is no judicial economy since the assessment of damages would necessarily revert to individual assessments; and (c) behaviour modification is not advanced because “there is a comprehensive regulatory scheme in each province with a designated privacy regulator dedicated to ensuring the industry is properly regulated” (Objection 13); and
(ix) Obodo is not an appropriate representative plaintiff under s. 5(1)(e) of the CPA because he “sustained no loss and therefore has ‘no stake in the potential outcome’” (Objection 14).
[9] For the reasons that follow, I dismiss the above objections, except for (i) Objection 3, as I find that intrusion upon seclusion cannot extend to hacker attacks, and (ii) Objection 6, as I find that Ontario courts have no subject matter jurisdiction over breach of the provincial privacy legislation in Manitoba, Newfoundland and Labrador and British Columbia.
[10] Consequently, I grant the certification motion. I certify PCIs 2 to 6, 9, and 11 to 14, subject to amendments to the statement of claim to plead material facts based on the evidence before the court on the certification motion. I do not certify PCIs 1, 7, 8, or 10.
The Equifax decisions
[11] In Agnew-Americano v. Equifax Canada Co., 2019 ONSC 7110, I addressed many of the same objections raised in the present case. In Agnew-Americano, a hacker obtained access to Equifax’s database which contained personal financial information.
[12] Equifax Canada Co. (Equifax) and TransUnion are the two largest credit reporting services in Canada. The claims in Agnew-Americano included the same claims in the present case, i.e., intrusion upon seclusion, negligence, and breach of provincial privacy statutes.
[13] In Agnew-Americano, Equifax opposed certification of the claims for intrusion upon seclusion and breach of provincial privacy statutes. Equifax submitted that (i) there was no cause of action for the intrusion upon seclusion claims because such claims could not arise upon a hacker attack; and (ii) there was no pleading of “wilful” conduct or any other basis to support the breach of provincial privacy statutes. Equifax did not submit (unlike TransUnion in the present case), that the court had no jurisdiction to hear breach of provincial privacy legislation claims arising out of the Manitoba, British Columbia, and Newfoundland and Labrador statutes.
[14] In Agnew-Americano, Equifax did not oppose certification of the negligence claim (or raise any objections to the PCIs that addressed such a claim). I granted that relief as part of my order.
[15] In Agnew-Americano, I held that both the intrusion upon seclusion and breach of provincial privacy statutes claims could be certified.
[16] I found that it was not settled law that (i) the intrusion upon seclusion claim could not apply to a hacker attack or (ii) there was no cause of action for breach of provincial privacy statutes. I rejected all of the other objections raised by Equifax which were particular to that case.
[17] Leave was granted to the Divisional Court from my decision in Agnew-Americano only on the intrusion upon seclusion claim: Owsianik v. Equifax Canada Co., 2020 ONSC 5761.[^7]
[18] In Owsianik v. Equifax Canada Co., 2021 ONSC 4112,[^8] the majority of the Divisional Court allowed the appeal and held that the tort of intrusion upon seclusion could not apply to find a database defendant liable for hacker attacks. J.A. Ramsay J. held that “[t]he tort of intrusion upon seclusion was defined authoritatively only nine years ago [in Jones v. Tsige, 2012 ONCA 32, 108 O.R. (3d) 241]” and that “[i]t has nothing to do with a database defendant”: at para. 54.
[19] Consequently, J.A. Ramsay J. held at para. 56 that he would “respectfully disagree with the decision in Kaplan v. Casino Rama, 2019 ONSC 2025 and the motion judge’s decision in Tucci v. Peoples Trust Company, 2017 BCSC 1525”, in which those courts had certified claims against database defendants for hacker attacks.
[20] In a dissenting opinion, Sachs J. held that it was not settled law that intrusion upon seclusion precluded a claim against a database defendant for hacker attacks. She held, at paras. 42 and 43:
In my view, Sharpe J.A.'s articulation of the necessary elements of the cause of action [in Jones] were not a final pronouncement about this cause of action. I say this for a number of reasons. First, he was clear in his reasons that he was seeking to establish a cause of action that would encompass the facts before the court in that case. There was nothing in those facts that raised the issue presented in the case at bar. Second, from a policy perspective, Sharpe J.A. was clearly driven by the need for the common law to be able to develop to protect the threats posed to privacy presented by the "routine collection and aggregation of highly personal information that is readily accessible in electronic form." There is nothing in his reasons to indicate that that concern was limited to the third parties who actually hack the information. Again, he was not presented with a case of alleged reckless storage; he was primarily seeking to find a remedy for the facts of the case before him.
Of prime concern to Sharpe J.A. was that the case before him was one that cried out for a remedy. The same could be said about the case at bar if the facts alleged in the pleadings are proven to be true. Equifax collected and stored private information about individuals who had no say in whether the information was collected about them. They did so after holding themselves out as having highly developed security systems that were kept up to date and were therefore less vulnerable to hacking. Equifax knew that their systems were vulnerable to being hacked and chose to do nothing about it, which in turn led to precisely the hack that they had been warned about. These actions facilitated an intrusion that a reasonable person could find to be highly offensive. If the Plaintiff's action for intrusion upon seclusion is not certified, the Plaintiff may be left without a remedy as they may not be able to prove harm to a recognized economic interest. Part of the purpose of class actions is to achieve behaviour modification, which "does not only look at the particular defendant but looks more broadly at similar defendants..." (Pearson v. Inco Ltd., 2006 CanLII 913 (ON CA), 78 O.R. (3d) 641 (Ont. C.A.) at para. 88).
[21] Consequently, based on her analysis of Jones and the case law which had certified intrusion upon seclusion claims against database defendants, Sachs J. concluded, at para. 51, that:
For these reasons, I find that the certification judge made no error when he refused to strike the Plaintiff's claim for intrusion upon seclusion. The tort is a new tort, whose limits have not been fully developed at common law in Canada. The rights at issue are fundamental rights that are facing unprecedented threats. The common law should be allowed to develop in an incremental way to see how far the tort should be extended to meet those threats.
[22] As I discuss below, Owsianik is binding authority that an intrusion upon seclusion claim cannot apply to a hacker attack, and, as such, I find that the same claim against TransUnion does not disclose a cause of action.
Facts
The parties
[23] Obodo is a Canadian citizen who works as a film and television actor in Canada and at locations in the United States, Nigeria, and internationally. His place of ordinary residence is in Ontario.
[24] TransUnion is a provider of risk and information solutions to businesses and consumers. TransUnion provides consumer reports, risk scores, analytical services and decisioning capabilities to businesses.
[25] TransUnion’s business customers use TransUnion’s solutions to, among other things, assess consumers’ ability to pay for services, measure and manage debt portfolio risk, collect debt, and verify consumer identities.
[26] Consumers use TransUnion’s solutions to, among other things, view their credit profiles. Consumers rely on credit reporting agencies such as TransUnion to obtain credit from Canadian credit granters and other entities.
The “TU Direct” portal
[27] TransUnion’s business customers access consumer credit files through a web-based platform known as “TU Direct”. Business customers must designate at least one administrator who is responsible for managing their company’s secured access to TU Direct. The administrator is responsible for assigning and setting up user accounts and credentials (i.e., username and temporary password) for authorized employees to access TU Direct.
[28] Once an authorized employee logs in to TU Direct using their assigned credentials, they are only able to access a consumer credit file after providing sufficient and accurate identifying information about a particular consumer: first and last name, full address, and either date of birth, social insurance number, or an account number (e.g., a credit card).
[29] Given the number of TransUnion customers who had access to TU Direct, login credentials were distributed widely. The security of the credentials was based on the measures each individual customer chose to take, which might vary. Moreover, customers often had multiple credentials – for instance, CWB, the customer whose credentials were taken, had four active administrator accounts, and an undisclosed number of user accounts.
Safeguards and protocols in place for TU Direct as of the Data Breach
[30] All customers who request access to TU Direct are required to undergo a credentialing process involving, among other things: (i) onsite inspections, (ii) verification of the customer’s business license, credit references, consent and privacy policies, and (iii) confirmation that the customer has no prior instances of non-compliance with TransUnion’s policies or legal/regulatory non-compliance.
[31] That credentialing process takes place only at the outset of setting up the TU Direct account.
[32] In addition, TU Direct imposes password security requirements on each user which include: (i) changing temporary passwords, (ii) minimum length and complexity criteria for passwords, (iii) the use of challenge questions, (iv) resetting passwords upon automatic expiry, and (v) requiring passwords after a period of inactivity. Where an authorized user unsuccessfully attempts to log into TU Direct, their password must be reset by their administrator. Unsuccessful login attempts by administrators can only be resolved by TransUnion directly.
[33] TransUnion also maintains an information and safety program which includes:
(i) Organizational safeguards, in which TransUnion performs risk assessments of the safeguards in place (including detecting, preventing, and responding to attacks), maintains Payment Card Industry Data Security Standard (PCI DSS) compliance, investigates security events, and monitors TransUnion’s networks for threat activity;
(ii) Technical safeguards, including dedicated firewalls, intrusion detection systems, encryption for personal information, regular scans for vulnerabilities, anti-virus and malware systems, automatic lockout systems, minimum password and complexity requirements, data loss prevention tools, and mobile device management tools;
(iii) Physical safeguards, including specified access controls on entryways housing server or network equipment and intrusion monitoring for physical facilities; and
(iv) Contractual safeguards, in which all customers are contractually obligated to safeguard the credentials they create and assign to their users.
[34] TransUnion is certified as compliant with the PCI DSS (which establishes security practices for the protection of payment information), and is aligned with the ISO/IEC 27002:2005 security standard (which establishes guidelines for implementing, maintaining and improving information security management).
Safeguards and protocols not in place for TU Direct as of the Data Breach
[35] In her answers to undertakings and in her cross-examination, Ms. Lindsey Anslow, Senior Manager of Operations for Canada for TransUnion, acknowledged that the following safeguards and protocols were not in place for TU Direct when the Data Breach occurred:
(i) There was no velocity monitoring technology unless a customer requested to be notified if usage exceeded certain thresholds. CWB did not request this monitoring feature;
(ii) There was no lockout system in place in case of users who make a series of requests in rapid succession;
(iii) There was no algorithm to detect the number of transactions from a customer and to determine whether the number of transactions was unusual;
(iv) There was no volume monitoring system to identify an unusual number of transactions, unless the client requested to set up such a system with TransUnion. CWB did not request this monitoring system;
(v) The system did not create a customer profile which sets out the normal number of transactions for a customer;
(vi) TransUnion did not have a system to lock out a user of TU Direct for making too many incomplete requests;
(vii) There was no two-factor authentication system in place;
(viii) There was no alarm or lock-out procedure if there were excessive hits for credit reports;
(ix) There was no notification system if there were too many “no hits”, which would either result from data being entered incorrectly or the person not being on the TU Direct database;
(x) There was no restriction on IP addresses unless requested by the customer, which CWB had not requested;
(xi) There was no limit on the maximum length of time which a user could be logged into the system, as long as the user remained active; and
(xii) TransUnion only investigated its third-party customers on a single occasion at the start of the relationship, and no follow-up audits were conducted.
The Data Breach
[36] Between approximately June 28, 2019 and July 11, 2019, hackers accessed the TU Direct portal using stolen credentials to retrieve consumer credit files containing personal and private information of the 37,444 Affected Individuals, without their knowledge or consent. The accessed Financial Information is set out at para. 4 above.
[37] No special software was required for a customer to access TU Direct, as the portal was accessed through the internet based on a username and a password. The hackers accessed the credit reports by providing first and last names, full addresses, and social insurance numbers.
[38] On 10 separate days in the 14 day period between June 28 and July 11, 2019, the hackers made a total of 40,528 requests for credit files. The requests were made for a period of 7 to 12 hours each day.
[39] Consequently, on average, the hackers sought access to over 4,000 credit reports per day, and obtained access to over 3,700 credit reports per day.
[40] Ms. Anslow’s evidence is that “the transactions were made in quick succession, generally faster than humans could manually browse a web site”, and, as such, “TransUnion believes that a script or other computer program was used to automate the unauthorized access to credit files” during the Data Breach.
[41] The evidence is that such “script” requests would not have come from a TransUnion customer. TransUnion’s evidence was that it was not aware of any customer who used a computer program or an algorithm to make automated requests for a credit report.
[42] Not all requests resulted in a credit file being provided. Slightly more than 3,000 of the requests resulted in a “no hit”, which occurred if the individual was not resident on TransUnion’s consumer credit database, either due to inaccurate or insufficient identification data, or because the individual did not have a consumer credit report with TransUnion.
[43] On cross-examination of Ms. Anslow, TransUnion refused to produce any evidence related to (i) the average number of requests made by CWB (either on a per day, week, or month basis), (ii) how many requests had been made by CWB in the six months prior to the Data Breach, or (iii) the largest number of authorized requests made by CWB prior to the Data Breach.
[44] TransUnion also refused to produce a list of the approximately 3,000 “no hits”. TransUnion took the position that such requests were irrelevant.
[45] There was no internal warning raised at the time of the Data Breach. No security device was triggered to stop the access by the hackers to the Financial Information. The hackers continued to access the Financial Information until they decided of their own volition to stop.
[46] It was only during the billing process in late July 2019, when TransUnion identified an “unusually high volume of transactions for CWB during the month of July”, that TransUnion first raised any concern about the legitimacy of the inquiries, by contacting CWB’s senior credit manager on July 29, 2019.
[47] It was more than two weeks later, on August 14, 2019, after CWB confirmed that the unusual activity was a result of unauthorized access of a CWB user’s credentials, that TransUnion inquired into details of the unauthorized access, including when the unauthorized access occurred, what products were affected, what credentials were compromised, and the results of CWB’s internal investigation.
[48] After the discovery of the Data Breach, TransUnion:
(i) suspended and eventually terminated the CWB user’s credentials,
(ii) removed the inquiries made by the intruder from the credit files of the Affected Individuals and added clarifying notes,
(iii) reviewed its IT systems and determined there was no evidence of an unauthorized intrusion into TransUnion’s systems,
(iv) reviewed access logs for TU Direct to determine the details of the unauthorized intrusion, including an IP search for all unauthorized requests,
(v) investigated the status of all user and administrator accounts for CWB, and
(vi) reviewed and made a number of enhancements to its information security controls.
Notification of Data Breach
[49] TransUnion notified the Affected Individuals on October 3, 2019.
[50] Each letter provided the Affected Individuals with a code for two years of free credit monitoring services, including access to $50,000 of identity theft insurance through TransUnion Consumer Interactive, Inc. The letter also directed Affected Individuals to TransUnion’s online services and offered to place a fraud alert on their credit file free of charge.
[51] TransUnion made no offer to extend credit monitoring or identity theft insurance beyond the two year period. Identity theft insurance is included only as part of TransUnion’s Interactive Credit Monitoring package, which currently costs $19.95 per month, plus applicable taxes.
Investigations and findings of regulatory authorities
[52] TransUnion notified the federal privacy regulator and the provincial privacy regulators in Ontario, Alberta, British Columbia and Quebec of the Data Breach.
[53] The Office of the Information and Privacy Commissioner for British Columbia (B.C. OIPC) concluded that as a result of TransUnion’s failure to require customers to implement IP restrictions, and its failure to audit or review customer compliance with this security measure, TransUnion “did not take reasonable steps to protect personal information in its custody or under its control”.
[54] The B.C. OIPC further concluded that (i) the intruder was sophisticated and had access to sufficient information about the Affected Individuals to effect the incursion; and (ii) TransUnion “made every reasonable effort to mitigate any potential harm to the affected individuals that may result from the breach and has taken appropriate steps to prevent future breaches”.
[55] Put differently, the B.C. OIPC was satisfied with the steps taken by TransUnion after the Data Breach, but found that TransUnion did not properly protect the Financial Information from the hackers.
[56] The Office of the Information and Privacy Commissioner of Alberta (Alberta OIPC) found that there was a “real risk of significant harm” to the Affected Individuals, since “a reasonable person would consider that the contact, identity and financial information at issue could be used to cause the significant harm of identity theft and fraud”.
[57] The Alberta OIPC required TransUnion to notify the individuals whose personal information was collected in Alberta, which TransUnion had already done. Consequently, the Alberta OIPC required no further action by TransUnion.
TransUnion Privacy Policy
[58] In the TransUnion Privacy Policy (the Privacy Policy) located on its website, TransUnion represented to consumers that:
(i) “[W]e are committed to protecting your privacy”;
(ii) “[W]e are committed to fostering a sense of responsibility amongst our employees for protecting the privacy … of personal information while it is in our care”;
(iii) “We take the protection of personal information seriously”;
(iv) “TransUnion has implemented a security program that is aligned with industry best practices”;
(v) “We have adopted procedures to secure storage of personal information”; and
(vi) “We have also instituted a number of safeguards to identify and prevent the fraudulent use of personal credit information” (collectively, the Policy Representations).
Expert report of Dr. Archer
(i) Qualifications
[59] Dr. Archer is a Professor Emeritus in the Information Systems Area of the DeGroote School of Business at McMaster University, where he has been employed since 1975. He has engaged in research, publication, and testimony related to identity theft and fraud for the past 12 years. He was one of the founders of the Ontario Research Network for Electronic Commerce.
[60] Dr. Archer has supervised a Ph.D. thesis on identity theft and is the principal author of a book on the risks from identity theft and fraud. He listed 17 published papers and/or presentations on identity theft and fraud. He has written articles on the development of software to be used in health care, in which privacy issues are addressed.
[61] Dr. Archer was the co-author of two national consumer surveys that examined the extent of identity theft and fraud in Canada. He has taught privacy as a subject matter in many different courses he has taught.
[62] Between 2009 and 2020, Dr. Archer has acted as a consultant in 11 cases related to identity and data theft and fraud.
(ii) Opinion of Dr. Archer
[63] As Dr. Archer acknowledged in his report, he was “not familiar with what risk management systems are in place at TransUnion”, nor could he specifically opine on specific details on data security systems used by other companies since those “defensive arrangements must be kept totally secret”.
[64] Consequently, the scope of Dr. Archer’s report was to review the allegations related to the Data Breach, and comment on security measures he would expect large corporations, who maintain databases involving personal financial information, to reasonably adopt to protect that information.
[65] Dr. Archer concluded that:
(i) “[I]t is common practice among medium to large corporations to use enhanced security for business transactions involving personal financial information”;
(ii) The risk of data theft was reasonably foreseeable in 2019 for a corporation such as TransUnion, since “[v]irtually every company in Canada experiences multiple attempted criminal attacks on its online systems” and “according to a 2019 survey Canada had the third most such incidents of any country”;
(iii) A company such as TransUnion which (a) holds such personal financial information in its database and (b) provides external business clients with access to that database, would have acted in “reckless disregard of the known consequences of a potential data breach” if it “ignore[d] implementing a proper risk management program”;
(iv) TransUnion ought to have anticipated in 2019 that one of its customers might experience a security breach or otherwise lose control of their credentials;
(v) A company such as TransUnion ought to have procedures in place (a) to address the risk that a hacker could access a customer’s user credentials in order to then access TransUnion’s database (for example, by using two-factor authentication) and (b) to detect illegal incursions if they occur (by using algorithms and data limits); and
(vi) TransUnion’s IT “security maturity level” was 1.5 out of a maximum score of 5, a very low score which was well below the level of security required to result in a major reduction in information security risk.[^9]
[66] Consequently, while Dr. Archer was not familiar with the particular protocols in place at TransUnion, he concluded that:
(i) “[G]iven the theft of a large number of their Canadian consumer records that are alleged to have occurred in 2019, it seems likely that the Company does not have a comprehensive risk management program implemented to deter such events”;
(ii) It was “astounding” that the breach was over 14 days; and
(iii) A “good risk management system that a company of TransUnion’s size might choose to implement” would include the following technological components:
(a) two-factor authentication,
(b) a customer profiling algorithm,
(c) a daily limit on the number of reports that could be downloaded by a given customer,
(d) a software ‘circuit breaker’ to prevent excessive downloads of data,
(e) a hard limit on downloads from the system, and
(f) a restriction on access to its portal based upon the customer’s IP address.
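The controls listed at para. 35 as absent from TU Direct, and the components Dr. Archer lists at para. 66 (a customer profile, a daily limit, a velocity "circuit breaker", a no-hit check and an IP restriction), are all detection or rate-limiting rules over a customer's request stream. The following is an added illustration of how such rules would have behaved against traffic shaped like the Data Breach (roughly 4,000 requests per day in a 7 to 12 hour window, about 7.6% "no hits"). It is not TransUnion's code and not part of the decision. The log record format, every threshold, the IP addresses (RFC 5737 documentation ranges) and the CWB baseline of 40 requests per day are assumptions; TransUnion produced no baseline figures (para. 43).

```python
"""Added example: monitoring rules the decision says TU Direct lacked,
run over constructed access-log records. Not TransUnion's code; the
record layout, thresholds, IPs and the CWB baseline are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Request:
    customer: str
    user: str
    ip: str
    ts: datetime
    hit: bool  # False is a "no hit" (para. 42): no file returned


# Assumed per-customer policy. In the decision none of these applied to
# CWB: IP restriction and volume alerts existed only on customer request.
POLICY = {
    "allowed_ips": {"203.0.113.10"},  # assumed CWB egress address
    "daily_limit": 500,               # hard cap per customer per day
    "baseline_per_day": 40.0,         # assumed normal CWB volume (profile)
    "spike_factor": 5.0,              # alert above 5x the profile
    "human_gap_seconds": 20.0,        # a manual lookup (name, address, SIN)
                                      # plus reading the file takes longer
    "no_hit_ratio": 0.05,             # assumed; must be set from the
                                      # customer's own normal no-hit rate
    "burst_window_seconds": 60,       # sliding window for the breaker
    "burst_limit": 6,                 # max requests inside that window
}


def day_findings(reqs: list[Request], policy: dict = POLICY) -> list[str]:
    """Names of the after-the-fact checks that fire for one customer-day."""
    findings: list[str] = []
    if not reqs:
        return findings
    reqs = sorted(reqs, key=lambda r: r.ts)
    n = len(reqs)
    if n > policy["daily_limit"]:
        findings.append("daily_limit")
    if n > policy["spike_factor"] * policy["baseline_per_day"]:
        findings.append("volume_spike")
    gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(reqs, reqs[1:])]
    # Scripted access shows a steady, sub-human inter-request gap.
    if gaps and median(gaps) < policy["human_gap_seconds"]:
        findings.append("velocity")
    no_hits = sum(1 for r in reqs if not r.hit)
    if no_hits / n > policy["no_hit_ratio"]:
        findings.append("no_hit_ratio")
    if any(r.ip not in policy["allowed_ips"] for r in reqs):
        findings.append("ip_restriction")
    return findings


def circuit_breaker_index(reqs: list[Request], policy: dict = POLICY):
    """Index of the first request an inline breaker would reject (None if
    none). This is the real-time control; day_findings is the batch one."""
    reqs = sorted(reqs, key=lambda r: r.ts)
    window = timedelta(seconds=policy["burst_window_seconds"])
    for i, r in enumerate(reqs):
        if i + 1 > policy["daily_limit"]:
            return i
        burst, j = 0, i
        while j >= 0 and reqs[j].ts >= r.ts - window:
            burst += 1
            j -= 1
        if burst > policy["burst_limit"]:
            return i
    return None


def constructed_day(start, count, gap, ip, no_hit_every=None):
    """Constructed sample traffic for one CWB user on one day."""
    out = []
    for i in range(count):
        hit = no_hit_every is None or i % no_hit_every != 0
        out.append(Request("CWB", "cwb_user1", ip, start + i * gap, hit))
    return out


# Constructed: a quiet business day from the allowed address.
NORMAL_DAY = constructed_day(datetime(2019, 6, 20, 9), 35,
                             timedelta(minutes=12), "203.0.113.10")
# Constructed: 4,000 requests, one every 9 s (10 hours), from an
# unlisted address, with roughly 1 in 13 returning no hit.
SCRIPTED_DAY = constructed_day(datetime(2019, 6, 28, 8), 4000,
                               timedelta(seconds=9), "198.51.100.7",
                               no_hit_every=13)

if __name__ == "__main__":
    print("normal day:", day_findings(NORMAL_DAY),
          circuit_breaker_index(NORMAL_DAY))
    print("scripted day:", day_findings(SCRIPTED_DAY),
          circuit_breaker_index(SCRIPTED_DAY))
```

On the constructed scripted day every batch rule fires, and the inline breaker rejects the seventh request of the first minute, so the day would end with a handful of files exposed rather than several thousand. The batch rules are only as good as the profile they compare against, which is why the absence of any per-customer baseline (para. 35(v)) matters as much as the absence of a lockout.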
[67] As noted at para. 35 above, on cross-examination of Ms. Anslow (and primarily in answers to her undertakings), Obodo established that none of the above safeguards were in place, on a system-wide basis or, at a minimum, with respect to the CWB account.
[68] Dr. Archer also provided evidence as to the types of damages that can be suffered by a victim of identity theft. He identified the following damages:
(i) Existing account fraud: Even if credit card numbers were not accessed, “fraudsters would still be able to use other consumer identity information to enable finding consumer credit or debit numbers by subterfuge from other sources”, as well as examples of “account takeover” with respect to bank accounts, cloud email accounts, PayPal address changes, and phone number takeovers. Dr. Archer concluded that the risk of such fraud is “negligible”, since TransUnion advised that no consumer account numbers were contained in the information stolen;
(ii) New account fraud: Hackers (or fraudsters who acquire the information from hackers) can use personal information stolen through a data breach to create new accounts (credit cards, utility, loan, or other online accounts) by using names, addresses, birthdates, and previous or current loan histories. Credit monitoring and identity theft protection would not necessarily prevent such fraud, as a lender might not check with TransUnion before providing a loan to a fraudster. Dr. Archer concluded that the risk of such fraud is “low to moderate”, since TransUnion advised that no consumer account numbers were contained in the information stolen; and
(iii) Identity theft: A person’s identity could be used for activities such as “scam calls” to seek funds for fraudulent donations, payment of non-existent debt, or taxes, with a “small or zero” risk “[i]f the scamming contact can be handled properly”.
[69] Dr. Archer also opined that TransUnion’s offer of two years of credit monitoring services and identity theft protection “is not long enough to provide adequate protection [from new account fraud] since the stolen identity information is likely circulating online more or less permanently and available for purchase by other criminals”.
[70] Dr. Archer also concluded that victims of identity theft can suffer:
(i) “anxiety and mental anguish over worry that the outcomes due to the initial theft may re-appear in the form of damage to reputation for transactions gone wrong”,
(ii) “potential for blackmail (if there is a threat that stolen identity might be published on social media)”,
(iii) “potential for damage to credit ratings”,
(iv) “continuing mental stress due to worry that something might go wrong in some form in the future”,
(v) “concerns caused by surges in harassing telephone and e-mail contacts from criminals”,
(vi) “continuing need to monitor financial records regularly”, and
(vii) “concerns caused by worry about further theft of private information, and the hassle caused when trying to open accounts that require businesses to contact credit reporting agencies”.
[71] Dr. Archer concluded that “[d]epending on the individual and the specific situation that is of concern to the individual, the risk of a psychological impact from these losses sadly can range from relatively low to very high”.
[72] Dr. Archer also concluded that “the risks that have been outlined in the foregoing answers may or may not be infrequent, but they will rarely if ever stop”.
[73] TransUnion did not file a report to challenge any of the conclusions of Dr. Archer.
Evidence of damages
[74] Obodo’s evidence as to damages can be summarized as follows:
(i) “I suffered a loss of privacy of my personal information”;
(ii) He did not sign up for the two-year free subscription to TransUnion because “I had considerable doubt about their ability to protect my privacy” and “did not want to risk suffering a further intrusion”;
(iii) “I have suffered stress, humiliation, anger, upset, distress, and have an ongoing concern about the prospect of identity theft and further disclosure of my personal information”;
(iv) “I have spent a considerable amount of time dealing with the fallout from the Data Breach both in an attempt to ensure that my personal information is safe and in an attempt to obtain more information from the Defendant regarding exactly what happened”;
(v) “I have obtained and reviewed my credit report from Trans Union’s competitor, Equifax”, although “I do not know if this report contains the same information as the Trans Union report”;
(vi) “I have closely monitored my bank accounts and credit card statements”; and
(vii) “I alerted my family members to be on alert for any suspicious phone calls, letters or e-mails”.
[75] As noted above, Dr. Archer’s evidence is that victims of identity theft can suffer damages through existing account fraud, new account fraud, or identity theft, as well as suffering mental distress, all of which can occur on an indefinite basis.
Analysis
[76] I address each of the defendant’s objections below.
Objections 1 and 2: Objections related to Dr. Archer’s report
[77] I first address TransUnion’s submission that Dr. Archer’s report should not be admitted into evidence since he is not qualified to be an expert (Objection 1).
[78] I then review TransUnion’s alternative submission that if Dr. Archer’s report is admissible, it should be given little or no weight (Objection 2).
(i) Objection 1: Admissibility of Dr. Archer’s report
[79] TransUnion submits that Dr. Archer is not qualified to act as an expert on the Data Breach. TransUnion asks the court to find his evidence inadmissible.
[80] I do not agree.
[81] TransUnion submits that Dr. Archer has not published any academic articles on privacy, nor has he taught a course on privacy.
[82] However, Dr. Archer’s evidence is that privacy “often enters” his publications on health care, and that while he has not taught a course “specifically on the topic of privacy”, he has frequently taught privacy as a subject matter in his courses.
[83] Dr. Archer provided an example of teaching a course in information systems, with a “couple of weeks” spent teaching privacy issues.
[84] Dr. Archer has experience on privacy issues both in his academic and other writings and as a professor. He is the author of a book on the risks from identity theft and fraud. He listed 17 published papers and/or presentations on identity theft and fraud.
[85] TransUnion further challenges the qualifications of Dr. Archer since he:
(i) holds no certificates or accreditations for the technical aspects of designing and implementing measures to protect information systems,
(ii) has not written software or taught software development for almost 25 years,
(iii) did not measure TransUnion’s conduct against the ISO/IEC 27002:2005 security standard for implementing, maintaining, and improving information management in an organization, and
(iv) never worked for a consumer reporting agency or studied the consumer reporting industry.
[86] However, these criticisms do not support a finding that Dr. Archer is not qualified to provide an expert opinion on privacy and identity theft and fraud issues.
[87] Dr. Archer is not required to be a software designer or coding expert in order to opine on security requirements. Dr. Archer’s evidence was that he has written articles about the development of software to be used in health care, where privacy “is always an issue”, since “hospitals, and every other institution, have to safeguard the privacy of individuals whose information they have in their databases. That’s a very strong and ethical issue that has to be addressed every time we do something like that”.
[88] Dr. Archer is currently supervising the development of software “to support people at home” which raises privacy concerns. His role is to write the requirements of the system and to ensure that the software developer follows the requirements. He is also responsible for provincial government approval of the software, which requires meeting privacy specifications.
[89] Dr. Archer has experience in teaching and writing on privacy, identity theft and fraud issues. He advises students as to how to preserve the privacy of individuals when they collect information from firms and work on their projects. He is certified by the Canadian government to conduct health care research where he would have access to personal health information.
[90] There is no relevant evidence before the court that the ISO/IEC 27002:2005 security standard, relied upon by TransUnion, has any effect on TransUnion’s obligations to protect the safety of the Financial Information. Dr. Archer was only asked if he had considered the standard. He was not asked whether the standard had any bearing on the issues he considered.
[91] The evidence that TransUnion complies with that standard is provided on a hearsay basis by Ms. Anslow, who is not an expert on privacy and identity theft issues and who cannot give an opinion on the effect of that standard. If TransUnion had sought to challenge either the admissibility or weight of Dr. Archer’s report based on the ISO standard, TransUnion would have been required to lead evidence on the issue and/or cross-examine Dr. Archer on any issues that might arise from that standard.
[92] The fact that Dr. Archer has not worked for a consumer reporting agency and has never studied the consumer or credit reporting industry does not mean that he is not qualified to provide expert evidence on the issues in his report. Dr. Archer has significant academic and professional experience with large scale databases that store personal health information, and he is able to rely on that experience to assist the court as to the steps that ought to be taken to protect personal information from hackers in such databases.
[93] TransUnion filed no responding expert evidence. There is nothing before the court to suggest (let alone conclude) that the steps Dr. Archer is familiar with from protecting large health databases are in any way different from protecting financial information held by credit reporting services (nor was Dr. Archer cross-examined on this issue).
[94] TransUnion also asks the court to find that Dr. Archer demonstrated a “combative demeanour” during his cross-examination and that he “refused to respond to basic questions from counsel”.
[95] I have reviewed the transcript excerpts relied upon by TransUnion. I do not agree that they demonstrate combative behaviour. The examples demonstrate Dr. Archer attempting to provide a full answer to questions posed, and to explain his experience in response to questions such as whether he had “expertise in the area of privacy, other than as it relates to identity theft or fraud”, or whether he had “any expertise in software development”. The answers do not demonstrate any combativeness, let alone rise to a level at which Dr. Archer could be disqualified as an expert witness.
[96] Finally, TransUnion relies on the recent decision in Kish v. Facebook Canada Ltd., 2021 SKQB 198, in which the court held that Dr. Archer’s report was inadmissible because:
(i) “Nowhere in his CV is there any expertise described in the area of information systems and privacy”: at para. 40;
(ii) “[M]any of the questions are worded in a way that would expect Dr. Archer to have personal knowledge of Facebook's data system”, questions to which “Dr. Archer could not have such information; nor could he be expected to”: at para. 40;
(iii) “[M]any of the questions are related to the statutory and regulatory responsibilities of the defendant [which] is not something Dr. Archer has expertise in, and nor is it something this Court would need assistance with”: at para. 41;
(iv) He cited internet sources and other documents such that “none of the information relied upon by Dr. Archer was within his personal knowledge or expertise”, contrary to the prohibition that “an expert deponent cannot express opinions based exclusively on a review of materials published by those who do actually possess the necessary expertise”: at para. 43; and
(v) The “combative demeanour of Dr. Archer during affidavit cross-examination […] raises concerns about his ability to fulfil the role of an expert witness”: at para. 43.
[97] However, the court in the present case cannot find Dr. Archer’s report inadmissible based on another case, with different facts, particularly when counsel in Kish provided Dr. Archer with questions he could not answer within his own expertise.
[98] Based on the evidence in the present case, the concerns raised in Kish do not arise. Neither the questions posed of Dr. Archer, nor his responses to them, exceed his area of expertise. The questions posed of him and his responses are all within the scope of his expertise in privacy, identity theft and fraud. He was not combative. His curriculum vitae sets out relevant experience.
[99] Finally, to the extent Dr. Archer relies in his report on internet sources and fails to attribute the basis for those statements, they are only for a very limited set of examples (such as the role of a chief information security officer, the importance of a password to two-factor authentication, or a general description of computer profiling software). Such examples are de minimis and do not relate to the analysis and conclusions in his report, all of which are based on his experience and expertise.
[100] For the above reasons, I find that the report of Dr. Archer is admissible.
(ii) Objection 2: Weight of Dr. Archer’s evidence
[101] In the alternative, TransUnion submits that Dr. Archer’s report should be given no (or little) weight.
[102] TransUnion relies primarily on Dr. Archer’s alleged “reliance on uncited internet sources” as the basis for its objection. I have addressed those issues above and found them to be de minimis and just background information unrelated to his analysis and conclusion.
[103] Rather than being combative, Dr. Archer fairly acknowledged that the internet examples put to him by counsel were copied, stating that “I try to avoid that sort of thing”, and “I’m sorry, that’s my mistake”. His comment that “Okay, if it’s copied, then it's illegal and take it out” was not a combative answer, but simply an acknowledgement that for the limited purpose he used the uncited information, he ought to have either cited the reference or stated the point in his own words based on his knowledge.
[104] There is no credible suggestion that Dr. Archer, with his experience, would not have known the role of a chief information security officer, the importance of a password to two-factor authentication, or the purpose of customer profiling software. These examples of inadvertent copying from the internet only restated uncontroverted points and do not detract from the weight of his report which was clearly based on his expertise and knowledge (and as such, did not fall within the same criticism as in Kish).
[105] With respect to the other criticisms of Dr. Archer’s report, I have addressed them in my analysis of Objection 1 above and find that they do not support a conclusion that his report should be given no, or little weight.
[106] Consequently, I do not accept this objection raised by TransUnion.
The applicable law on the s. 5(1)(a) test
[107] TransUnion submits that none of the claims (in intrusion upon seclusion, negligence, or breach of provincial privacy legislation) disclose a cause of action. Consequently, I first set out the applicable test under s. 5(1)(a) of the CPA. That test is common to all of TransUnion’s “cause of action” objections.
[108] In Gilani v. BMO Investments Inc., 2021 ONSC 3589, leave to appeal refused, 2021 ONSC 5906 (Div. Ct.), I reviewed the applicable test under s. 5(1)(a) to determine whether the pleadings disclose a cause of action. I repeat and rely on my analysis at paras. 66-72:
The test under s. 5(1)(a) is the same as on a motion to strike: the "plaintiff satisfies this requirement unless, assuming all facts pleaded to be true, it is plain and obvious that the plaintiff's claim cannot succeed": Pro-Sys Consultants Ltd. v. Microsoft Corp., 2013 SCC 57, [2013] 3 S.C.R. 477, at para. 63.
A claim should not be dismissed unless the court is satisfied "beyond reasonable doubt" that the claim cannot succeed: Hunt v. Carey Canada Inc., 1990 CanLII 90 (SCC), [1990] 2 S.C.R. 959, at 980.
The inquiry is into the legal adequacy of the causes of action pled, not the evidence for or against those causes of action: Brozmanova v. Tarshis, 2018 ONCA 523, at para. 25.
"All allegations of fact pleaded are assumed to be true unless they are patently ridiculous, manifestly incapable of proof, or amount to bald conclusory statements unsupported by material facts": Wright v. Horizons ETFS Management (Canada) Inc., 2020 ONCA 337, at para. 58(b).
"The pleading must be read generously to allow for drafting deficiencies and the plaintiff's lack of access to key documents and discovery information. The court should err on the side of permitting an arguable claim to proceed to trial": Wright, at para. 58(d).
No evidence is admissible: Wright, at para. 58(a). However, the court can assess documents incorporated by reference into the pleading in evaluating the legal tenability of the claim: Das v. George Weston Limited, 2018 ONCA 1053, at para. 74, leave to appeal ref'd [2019] S.C.C.A. No. 69.
Consequently, the threshold for satisfying the cause of action requirement is "very low": McLaren v. Stratford (City), [2005] O.J. No. 2288 (S.C.), at para. 21.
[109] In Gilani, I also reviewed the effect of the recent decision in Atlantic Lottery Corp. Inc. v. Babstock, 2020 SCC 19, 447 D.L.R. (4th) 543, on the test under s. 5(1)(a), in relation to a motion to strike pleadings for failure to disclose a cause of action. I repeat and rely on my analysis at paras. 73-80:
BMO Investments submits that the recent decision of the Supreme Court of Canada in Atlantic Lottery Corp. Inc. v. Babstock, 2020 SCC 19, constitutes a "culture shift" to the law on a pleadings motion. I do not agree.
In Atlantic Lottery, the Court struck the waiver of tort claim brought by the respondent as an independent cause of action for disgorgement. The claim was novel, and the court reviewed the pleadings and law thoroughly to conclude that it was plain and obvious that such a claim could not succeed.
BMO Investments relies on paras. 18 and 19 from the reasons of Brown J.:
[S]ince Microsoft was decided, this Court has recognized in Hryniak v. Mauldin, 2014 SCC 7, [2014] 1 S.C.R. 87 the need for a culture shift to promote "timely and affordable access to the civil justice system" (para. 2). Where possible, therefore, courts should resolve legal disputes promptly, rather than referring them to a full trial (paras. 24-25 and 32). This includes resolving questions of law by striking claims that have no reasonable chance of success (S.G.A. Pitel and M.B. Lerner, "Resolving Questions of Law: A Modern Approach to Rule 21" (2014), 43 Adv. Q. 344, at pp. 351-52). Indeed, the power to strike hopeless claims is "a valuable housekeeping measure essential to effective and fair litigation" (Imperial Tobacco, at para. 19).
Of course, it is not determinative on a motion to strike that the law has not yet recognized the particular claim. The law is not static, and novel claims that might represent an incremental development in the law should be allowed to proceed to trial (Imperial Tobacco, at para. 21; Das v. George Weston Ltd., 2018 ONCA 1053, 43 E.T.R. (4th) 173, at para. 73; see also R. v. Salituro, 1991 CanLII 17 (SCC), [1991] 3 S.C.R. 654, at p. 670). That said, a claim will not survive an application to strike simply because it is novel. It is beneficial, and indeed critical to the viability of civil justice and public access thereto that claims, including novel claims, which are doomed to fail be disposed of at an early stage in the proceedings. This is because such claims present "no legal justification for a protracted and expensive trial" (Syl Apps Secure Treatment Centre v. B.D., 2007 SCC 38, [2007] 3 S.C.R. 83, at para. 19). If a court would not recognize a novel claim when the facts as pleaded are taken to be true, the claim is plainly doomed to fail and should be struck. In making this determination, it is not uncommon for courts to resolve complex questions of law and policy (see e.g. Imperial Tobacco; Cooper v. Hobart, 2001 SCC 79, [2001] 3 S.C.R. 537; Syl Apps; Alberta v. Elder Advocates of Alberta Society, 2011 SCC 24, [2011] 2 S.C.R. 261). [Emphasis added.]
I do not agree that the above paragraphs constitute a culture shift on motions to strike pleadings.
The court in Atlantic Lottery affirms the principles established throughout its jurisprudence (as the Court discusses at para. 19) that (i) a claim cannot be permitted to proceed merely because it is novel; (ii) a court may be able to resolve "complex issues of law and policy" based on the pleadings; and (iii) the court must review the existing law and the pleadings to determine whether a novel claim can proceed.
However, the "plain and obvious" test remains the same. In Atlantic Lottery, Brown J. stated that a court should not permit a claim to proceed "simply because it is novel" (at para. 19). Nevertheless, Brown J. maintained the test that a claim (novel or not) should not be struck unless it is "hopeless" (at para. 18), consistent with the settled test in Hunt and recently affirmed in Wright.
The court on a certification motion is not asked to determine whether the plaintiff will succeed on any particular claim. Instead, the court must only determine whether it is "plain and obvious", on the pleaded facts and applicable law, that the claim cannot succeed. Unless the court finds that the defendant meets that high threshold, the merits of the pleaded cause of action are to be addressed at trial or, if applicable, on summary judgment.
[110] It is on the basis of the above legal test that I will address each of the three causes of action challenged by the defendants.
Objection 3: Whether the intrusion upon seclusion claim discloses a cause of action (PCI 1)
[111] In his factum, Obodo relies on many of the same submissions made before me by the plaintiff in Agnew-Americano. In summary, Obodo submits that:
(i) The court in Jones did not address whether an “enabler”[^10] who engaged in intentional or reckless conduct could be subject to the tort of intrusion upon seclusion for a hacker attack;
(ii) Nevertheless, the court in Jones recognized that “routinely kept electronic databases render our most personal financial information vulnerable”, which suggests that the court did not foreclose that the tort of intrusion upon seclusion could apply to intentional or reckless conduct by database defendants which enabled a hacker attack;
(iii) The law is not settled since intrusion upon seclusion claims for data breaches by hackers have been certified against database defendants in other cases;[^11]
(iv) Academic commentators support an interpretation of Jones that would allow claims in intrusion upon seclusion for intentional or reckless conduct which enables hacker attacks; and
(v) U.S. case law (from which the court in Jones adopted the test for intrusion upon seclusion) has established that a party who recklessly creates the conditions for, or materially increases the risk of, an intrusion upon seclusion being committed by a third party, may be held liable for the intrusion.
[112] On the basis of the above submissions, Obodo asks the court to (i) find that Owsianik is wrongly decided, and (ii) conclude that it is not settled law that database defendants cannot be liable for hacker attacks under the tort of intrusion upon seclusion, for intentional or reckless conduct enabling the data breach.
[113] I recognize that many of the above submissions were the basis of my decision in Agnew-Americano, and for the dissenting judgment in Owsianik.
[114] I am bound by the majority decision in Owsianik. The Divisional Court held that the tort of intrusion upon seclusion “has nothing to do with a database defendant”.
[115] Consequently, I accept TransUnion’s objection and find that the intrusion upon seclusion claim against it does not disclose a cause of action. For the above reasons, I do not certify PCI 1 because it is settled law that the claim cannot succeed.
Objections 4 and 5: Is there a cause of action pleaded in negligence? (PCIs 2-6)
[116] At the hearing, TransUnion acknowledged that the negligence claim discloses facts sufficient to establish a breach of the duty of care. PCIs 2-5 address common issues related to the standard of care and its alleged breach.
[117] However, TransUnion submits that there is no cause of action in negligence because the damages claimed by Obodo for out of pocket expenses and mental distress are not available at law.
[118] PCI 6 asks “Did the Defendant’s breach of duty cause damage to the Class?” TransUnion submits that because the pleadings do not support a damage claim in negligence that can be compensable at law, all PCIs related to the negligence claim should not be certified.
[119] TransUnion submits that the claim for damages cannot sustain a cause of action since (i) the class members only seek compensation for “transient upset”, “ordinary annoyances” and for “mental states that fall short of injury” (Objection 4), and (ii) in any event, the damages sought for out of pocket expenses are “pure economic loss” that cannot be recovered (Objection 5).
[120] For the reasons that follow, I do not agree that it is settled law that either position would be accepted by a trial court.
[121] In the amended statement of claim, Obodo seeks damages for mental distress, but does not allege that he (or other class members) has incurred out of pocket expenses arising from the Data Breach. Nevertheless, such evidence is before the court in Obodo’s affidavit, and is consistent with Dr. Archer’s evidence. Consequently, I review this issue on the basis that the amended statement of claim be further amended to plead monetary damages based on such expenses.
[122] If TransUnion has any objections to the proposed amended pleading, I will address them at a subsequent motion.
[123] I now address each of the objections to the damages claims.
(i) Objection 4: Whether out of pocket expenses and mental distress are not available because they only seek compensation for “transient upset”, “ordinary annoyances” and for “mental states that fall short of injury”
[124] There is case law that supports certification of a class action for damages for out of pocket expenses and mental distress, arising out of a data breach, with the determination of whether any individual class member suffered damage being left to an individual trial.
[125] In Evans v. Bank of Nova Scotia, 2014 ONSC 2135, leave to appeal denied, 2014 ONSC 7249, the defendant employee provided private and confidential information of bank customers to his girlfriend, who then disseminated the private information to third parties for fraudulent and improper purposes: at para. 2.
[126] The defendant bank offered all those whose information was accessed and disseminated (643 members of the “Notice Group”) a complimentary subscription to a credit monitoring and identity theft protection service. The bank also compensated 138 of the 643 members of the Notice Group who had been the victims of identity theft or fraud for pecuniary losses that they had suffered: at para. 5.
[127] The defendant bank submitted that the negligence claim did not disclose a cause of action because “[g]eneral damages cannot be awarded to members of the class, because they have failed to meet the required threshold to award general damages for emotional distress, namely by showing a recognized psychiatric or psychological injury”: at para. 6(a)(iv).
[128] The court rejected the bank’s position. R.A. Smith J. held, at paras. 47, 51, and 52:
The Bank argued that because it agreed to pay for any pecuniary damages suffered by members of the Notice Group, there were no longer any claims in negligence or for any other damages. I do not agree with this submission and find that there remains a potential claim for compensatory damages both in negligence and in contract, and in vicarious liability for the tort of intrusion upon seclusion. Whether any damages have been suffered and the amount of damages is an individual issue to be determined once the common issues are resolved.
The plaintiffs do not allege that they have suffered a recognizable psychiatric illness or serious or prolonged psychological injury as a result of the defendants' conduct. Rather, they alleged that the class members, whose personal and financial information was provided to third parties and who have incurred pecuniary losses, have suffered emotional distress, inconvenience and upset. These plaintiffs have suffered real financial damages as a result of the alleged commission of the tort of negligence, a breach of contract and/or the tort of intrusion upon seclusion.
I find that it is not plain and obvious that the plaintiffs who have suffered real pecuniary damages would not also have the right to claim additional damages for the emotional suffering, hardship and inconvenience they have suffered. This is a unique situation, where their personal financial records were distributed to third party criminals and where such confidential information has been used to steal their identity and commit fraud and has negatively affected their credit ratings. [Emphasis added.]
[129] In Grossman v. Nissan Canada, 2019 ONSC 6180, an unknown Nissan employee accessed a company database that contained information including the credit scores of thousands of customers who had financed the lease or purchase of their Nissan vehicle. Instead of paying the ransom demand of the unknown employee, Nissan posted news of the data breach on its website, notified its 932,000 customers, and offered one year of free credit monitoring: at paras. 7-9.
[130] The court certified the negligence claim, finding that it disclosed a cause of action and that there was a common issue since “the duty and standard of care will be the same for every individual”: at paras. 22 and 50-52.
[131] In Hynes v. Western Regional Integrated Health Authority, 2014 NLTD(G) 137, W.H. Goodridge J. (as he then was) certified a class action where an employee of the defendant hospital accessed personal health information of the class members. W.H. Goodridge J. described the negligence claims as follows (which are similar to the allegations in the present case), at para. 27:
Paragraphs 19-26 and 48 of the Statement of Claim advance the negligence claim, both directly and vicariously. Unspecified monetary damages (special, general, punitive, aggravated and exemplary) are claimed for "distress, humiliation, anger, upset, anguish, shock, fear of identity theft, uncertainty as to how information was used, confusion ... [and] feeling of vulnerability". No specific psychiatric illness or prolonged psychological injury is pleaded. [Emphasis added.]
[132] As in the present case, the defendant in Hynes submitted that no cause of action could arise in negligence on such a pleading of damages. W.H. Goodridge J. set out the defendant’s position, at para. 28:
The Defendant disputes this cause of action on the basis that there is no compensable harm pleaded. With no specific psychiatric illness or prolonged psychological injury, there can be no compensable harm, and therefore no cause of action in negligence. The Defendant relies on Mustapha v. Culligan of Canada Ltd., 2008 SCC 27, where McLachlin, C.J.C. stated at paragraph 9 that "[p]ersonal injury at law connotes serious trauma or illness" and that a "psychological disturbance that rises to the level of personal injury must be distinguished from psychological upset". If the loss is limited to minor psychological upset then there will be no compensable harm. [Emphasis added.]
[133] W.H. Goodridge J. held that the issue of whether any particular class member suffered compensable harm was a matter for an individual trial, not a basis to find that no cause of action existed. He held, at paras. 29 and 30:
The Plaintiffs agree that there is a threshold that must be passed before mental or emotional distress is compensable in damages, but they do not agree that the harm alleged falls below that threshold. They point out that arguments similar to the Defendant's (no cause of action in negligence because no damages for mental or emotional distress) were advanced, and rejected, in several class action certification applications: Rideout v. Health Labrador Corp., 2005 NLTD 116; Doucette v. Eastern Regional Integrated Health Authority, 2007 NLTD 138; Anderson v. Wilson (1999), 1999 CanLII 3753 (ON CA), 44 O.R. (3d) 673, 122 O.A.C. 69, leave to appeal denied [1999] S.C.C.A. No. 476; Rose v. Pettle (2004), 23 C.C.L.T. (3d) 21, 129 A.C.W.S. (3d) 655 (Ont. Sup. Ct.); and Fakhri v. Alfalfa's Canada Inc. (c.o.b. Capers Community Market), 2003 BCSC 1717, upheld at 2004 BCCA 549. In most of these applications, the court acknowledged that minor mental or emotional distress would not be compensable, even if foreseeable, but elected not to determine the issue at the certification stage of the proceedings. Whether the Plaintiffs' claims fall above or below the threshold of compensable harm will depend on evidence presented at trial. In this case, there may be some class members who have suffered no compensable harm, others who have nominal claims, and others who have more significant claims. It is not appropriate at the pleading stage to eliminate the possibility of compensable harm.
It is not plain and obvious that there was no compensable harm and therefore it is not plain and obvious that this cause of action in negligence would be unsuccessful against the Defendant. [Emphasis added.]
[134] Similarly, in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 696 (7th Cir. 2015), the US Court of Appeals for the Seventh Circuit held that costs incurred in protecting oneself against a real risk of future harm constitute an injury sufficient to provide standing to bring a claim against a database custodian.
[135] Consequently, on the basis of the above case law, there is support for the damage claims made by the class.
[136] First, under Hynes, the court should not determine on certification which claims for mental distress will be recoverable. If there is a common issue as to negligence, and if mental distress damages may be recoverable by reaching the Mustapha threshold, it is not appropriate at the pleading stage to strike the claim.
[137] Second, under Evans, class members in the present case may be able to establish pecuniary damages arising from the Data Breach, such as out-of-pocket expenses incurred to ascertain the scope of the breach, contain any negative effects, secure their personal information and guard against future risk of identity theft.
[138] By way of example, in order for a class member to protect against the reasonable (as concluded by Dr. Archer) concern of future identity theft, a class member may purchase a credit monitoring service with identity theft insurance. The offer by TransUnion to the Affected Individuals suggests that incurring such a monetary loss would be reasonable.
[139] However, TransUnion only offered the free credit monitoring service with identity theft insurance to the Affected Individuals for two years. After that time, the cost from TransUnion would be $19.95 per month plus applicable taxes, or approximately $22.50 per month or $270 per year.
[140] If each class member purchased such a product, the cost to the class would be over $10 million each year.
[141] TransUnion’s position that the pleadings in such a case disclose a cause of action for PCIs 2-5 relating to the standard of care and breach, but fail to disclose a cause of action in damages, is not supported by the above case law.
[142] The cost of credit monitoring services and identity theft protection of $270 per year cannot be said to be insignificant to the consumer whose data was accessed, and who may be entitled to purchase such services for numerous years, or indefinitely.
[143] Third, under Evans, if pecuniary losses can be established, damages for emotional stress can be claimed even if there is no psychological disturbance that rises to the level of personal injury.
[144] TransUnion relies on case law that provides that “[t]here is no right to be free from the prospect of damage”: Atlantic Lottery, at para. 33. However, the class members are not seeking damages for hypothetical events that may occur in the future. The class members seek actual damages, whether for out of pocket expenses for credit monitoring and identity theft insurance, the cost of obtaining credit reports, emotional suffering that occurred upon “real pecuniary damages” (as in Evans) or damages for a psychological disturbance that rises to the level of personal injury (even without real pecuniary damage, as in Hynes).
[145] TransUnion relies on two cases in which claims for out-of-pocket expenses or mental distress were not certified.
[146] First, TransUnion relies on Stewart v. Demme, 2020 ONSC 83, 63 C.C.L.T. (4th) 93, leave to appeal granted, 2021 ONSC 6057 (Div. Ct.), where the court certified the claim for intrusion upon seclusion but held that the claim for negligence disclosed no cause of action. Morgan J. held, at para. 87:
Plaintiff's counsel has couched the damages portion of the negligence claim in terms of inconvenience, discomfort and distress caused to the class members by the loss of their privacy. The Supreme Court of Canada has established, however, that damages for "upset, disgust, anxiety, agitation or other mental states that fall short of injury" do not constitute compensable damages in a negligence claim: Mustapha v. Culligan of Canada Ltd., 2008 SCC 27, [2008] 2 SCR 114, para 9.
[147] However, in Stewart, the plaintiff admitted that she suffered no actual damage beyond the invasion of her privacy. That loss could only be compensated by an intrusion upon seclusion claim. Morgan J. held, at para. 85:
By her own admission, the Plaintiff suffered no actual damage beyond the fact of the invasion of her private health information. The affidavit of Ms. Ford on behalf of the Hospital explains that the records show that the Plaintiff, Ms. Stewart, attended diagnostic imaging at the Hospital on December 5, 2016. No medication was prescribed or administered to her, and no medication profile was created for her. Ms. Demme withdrew two tablets of Percocet under Ms. Stewart's name using the ADU. This withdrawal was not recorded in Ms. Stewart's file and had no impact on her treatment at the Hospital or otherwise. [Emphasis added.]
[148] Consequently, on the pleadings in Stewart, there was no claim available in negligence since there were no actual damages.
[149] In the present case, however, there is a claim for out of pocket expenses to prevent future identity theft (based on an amended statement of claim taking into account Obodo’s evidence of actual pecuniary harm and Dr. Archer’s evidence of the need to prevent actual harm by credit monitoring and identity theft insurance).
[150] Consequently, the case in Stewart can be distinguished from the present case. Even if it could not be distinguished (which I do not find), there would still be unsettled law since the court in Evans permitted such a claim.
[151] TransUnion also relies on the decision of the Quebec Superior Court in Zuckerman v. Target Corporation, 2015 QCCS 1285, in which the court, on a motion to dismiss for lack of jurisdiction, held that out-of-pocket expenses arising from a data breach arising from a hacker attack cannot sustain a class action since such damages are “prima facie of the nature of ordinary annoyances and anxieties and do not constitute ‘compensable’ damages”: at para. 55. [Italics in original.]
[152] The court in Zuckerman held that “the expense of $19.95 incurred by Zuckerman for credit monitoring services” was not “a logical, direct and immediate consequence of Target’s alleged fault”: at paras. 44-45.
[153] Such a finding was obiter, as the role of the court on the jurisdiction motion was not to consider the merits of a certification motion, but only to determine whether the pleadings supported jurisdiction in Quebec.
[154] The decision in Zuckerman was reversed by the Court of Appeal, reported at 2015 QCCA 1809, which held, at para. 7:
The Appellant alleged that he spent $19.95 on a credit monitoring service to guard against potential fraud given the possibility that his personal information in Respondent's possession may have been stolen. Respondent had indicated in an e-mail that it would arrange to provide this service but Appellant did not wish to wait and, as alleged, contracted and paid for the service. In any event, Appellant professed that the credit monitoring service offered by Respondent was inadequate. This is prejudice suffered in Quebec and is sufficient to accord jurisdiction over the proposed class action. [Emphasis added.]
[155] Consequently, not only are the comments in Zuckerman relied upon by TransUnion obiter (as the motion was to dismiss on the basis of lack of jurisdiction), but the Court of Appeal held that credit monitoring costs could be a compensable damage, to ground jurisdiction in Quebec.
[156] Further, when the certification motion in Zuckerman was returned to the motions court after the Court of Appeal decision, the action was certified against the database defendant (Target) for the hacker attack. Hamilton J. held (reported at 2017 QCCS 110, at para. 73):
[S]etting up credit monitoring and security alerts, obtaining credit reports, and cancelling cards or closing accounts and replacing them are not "ordinary annoyances, anxieties and fears that people living in society routinely, if sometimes reluctantly, accept" but may amount to something more. These are potentially matters for which class members would be entitled to compensation.
[157] Hamilton J. further held, at para. 76:
[I]t is premature to conclude that the expense of $19.95 incurred by Zuckerman for credit monitoring services does not constitute a direct, logical and immediate consequence of the alleged fault. The Court should be very cautious about deciding issues on the merits with incomplete evidence.
[158] Hamilton J. certified PCIs including (i) “[w]hether the inconvenience suffered by the class members is compensable”, and (ii) “[w]hether class members who incurred out of pocket expenses are entitled to compensation”: at para. 123.
[159] In any event, the initial decision in Zuckerman (relied upon by TransUnion) has only been cited in one other Quebec case and by no other Canadian court. It is not binding on this court (particularly given that the conclusion relied upon by TransUnion is in obiter), and is not consistent with the common law cases cited above, nor with the subsequent Zuckerman decisions of the Quebec Court of Appeal and the certification motion.
[160] For the above reasons, I find that it is not settled law that the claims for out of pocket expenses and mental distress cannot constitute damages in a class action and, as such, I find that the claim discloses a cause of action in negligence on this basis.
(ii) Objection 5: Is it settled law that out of pocket expenses are “pure economic loss” that cannot be recovered in the action?
[161] TransUnion did not raise this submission in its factum. However, at the hearing, it relied on the decision of Perell J. in Del Giudice v. Thompson, 2021 ONSC 5379, in which he concluded that the proposed class of individuals who were subject to a data breach could not recover damages. Perell J. held that “the overwhelming majority of the six million Canadians will suffer no injury at all and for the minority who do suffer harm their losses will be pure economic losses. However, tort claims for pure economic losses are only available in rare circumstances”: at para. 226.
[162] Perell J. concluded, at paras. 228-29, and 231:
Although the categories are not closed, in Canadian National Railway Co. v. Norsk Pacific Steamship Co., 1992 CanLII 105 (SCC), [1992] 1 S.C.R. 1021), the Supreme Court recognized five established categories where recovery for pure economic losses was permitted; namely: (1) negligent misrepresentation; (2) negligence of public authorities; (3) negligent performance of a service; (4) supply of shoddy goods or structures; and (5) relational economic losses. None of these recognized categories is available in the immediate case and thus, once again, there is no compensable harm for the Class Members' negligence causes of action.
Put simply, as pleaded in the Fresh as Amended Statement of Claim, because there are no losses compensable in negligence, it is plain and obvious that the Class Members will not have a certifiable negligence claim or a duty to warn claim.
[T]he legal policy of the law of negligence is that with a few exceptions that can be justified on public policy grounds, tort law leaves pure economic losses to be addressed by the law of contract.
[163] The law related to pure economic loss is settled, as set out in the above passage.
[164] However, the question before the court on the present motion is whether it is settled law that any of the exceptions to the rule, and in particular, the “negligent performance of a service” exception, could not apply to permit those claims which are not consequent upon physical or proprietary harm.
[165] For the reasons that follow, I find that it is not settled law that the negligent performance of a service exception cannot apply.
[166] The recent decision of the Court of Appeal in Wright v. Horizons ETFS Management (Canada) Inc., 2020 ONCA 337, 448 D.L.R. (4th) 328, sets out the applicable test to determine whether a claim for negligent performance of a service discloses a cause of action.
[167] In Wright, the motions judge dismissed the plaintiff’s motion to certify a class action arising from the sudden collapse of a proprietary derivatives-based exchange-traded fund created and managed by the defendant.
[168] The motions judge concluded that the claim did not disclose a cause of action for negligent performance of a service. While the motions judge accepted that there was a “legally proximate relationship” between the class and the defendant, he concluded that the scope of the undertaking provided to investors was only to place on the exchange a financial product that operated in accordance with the accompanying disclosure documents, and not to actively manage the fund or step in to stop investor losses: Wright, at paras. 66-68.
[169] The Court of Appeal granted the appeal and held that there was a cause of action against the fund manager for negligent performance of a service based on the undertaking it provided to investors.
[170] In Wright, at para. 105, the court set out the first step in the analysis of whether there is a cause of action for negligent performance of a service: do the pleadings establish a “relationship of proximity” between the plaintiff and defendant?
[171] The court in Wright relied on the approach taken by Strathy J. (as he then was) in Cannon v. Funds for Canada Foundation, 2012 ONSC 399, leave to appeal refused, 2012 ONSC 6101 (Div. Ct.). In Cannon, the claim against a creator of a purported charitable gift program was allowed to proceed even though the creator had no direct contractual relationship with investors.
[172] As in Cannon, the court in Wright found that the defendant had created the fund, undertook to provide a service to investors, and earned money from its involvement in that service: at paras. 102-05.
[173] Based on the above law, it is not beyond doubt that a negligent performance of a service claim would fail in the present case.
[174] Through its Privacy Policy, TransUnion made significant Policy Representations, as set out at para. 58 above, undertaking to protect confidential financial information “aligned with industry best practices”. Based on Dr. Archer’s report, there is some basis in fact that the undertaking significantly misstated the security protocols (or lack thereof) on the TU Direct portal.
[175] TransUnion’s TU Direct business depends on its collection of personal financial information. Consumers rely on TransUnion to operate a secure TU Direct portal so that those lenders seeking to grant credit to consumers can verify credit reports.
[176] Consequently, as in Wright, I find that Obodo “has a reasonable prospect of demonstrating that the claim falls within a recognized duty of care under the category of negligent performance of a service”: at para. 107.
[177] Similarly, as in Wright, even if the court were required to consider whether the claim in the present case is novel, it would still disclose a cause of action. The court in Wright held, at para. 109:
Where there is no recognized duty, the first step is to determine whether there is a proximate relationship between the parties resulting from the defendant's undertaking that invites the plaintiff's reasonable reliance. If so, the defendant becomes obligated to take reasonable care: Livent, at para. 30. The proximity analysis includes an examination of "'expectations, representations, reliance, and the property or other interests involved' as well as any statutory obligations": Livent, at para. 29 (citations omitted).
[178] In the present case, the Privacy Policy and the Policy Representations contained therein could establish a “legally proximate relationship” between TransUnion and consumers whose data it collects: Wright, at para. 110.
[179] The undertaking in the Privacy Policy to use “best industry practice” is broad. If the allegations are accepted as proven, TransUnion knowingly and grossly exaggerated its security practices, as TransUnion allegedly did not have even the most basic algorithms, two-factor authentication, or search limits to protect the database from external hackers. This was particularly concerning for the TU Direct portal, which was designed to be used by external customers whose credential security could not be assured under the system (as there was no IP address requirement for any user of the TU Direct portal).
[180] Finally, in Wright, at para. 116, the court noted the requirement to assess whether policy considerations would preclude a novel tort claim from proceeding:
It is not plain and obvious that policy considerations should negate the alleged prima facie duty of care. The risk of loss cannot be addressed by contract because this was not a vendor-purchaser relationship. Nor, on the claim as pleaded, can it be addressed by insurance, or due diligence by Class members. Moreover, it does not seem apparent that imposing a duty would create liability toward an indeterminate number of persons. Allowing the claim might cause fund managers like Horizons to exercise caution and control in designing investment products and ensure that all material facts are provided to investors.
[181] Similarly, in the present case, it is not plain and obvious that TransUnion should not owe a duty to properly provide database security services to consumers. As in Wright, the risk of loss cannot be addressed by contract since TransUnion aggregates information without the consent of consumers. Nor could the claim be addressed by insurance or due diligence by class members, who have no control over the collected Financial Information. Further, imposing a duty would not create liability to an indeterminate number of persons. Finally, allowing the claim might cause database defendants to “exercise caution and control in designing” their security systems to protect consumers.
[182] I follow the approach of the court in Wright, at para. 117:
I also note that on a certification motion, as on a motion to strike, the certification judge is not to assess whether the claim can withstand summary judgment or a trial on the basis of the material adduced on the motion, but only whether the pleadings contain some radical defect such that there is no reasonable prospect of success: Hunt, at p. 980. The courts must "err on the side of permitting a novel but arguable claim to proceed to trial": Imperial Tobacco, at para. 21. A full evidentiary record that includes information about how the Fund was structured, the risks associated with investing in the Fund, the responsibilities of the Fund manager and other evidence may assist in determining the merits of the claim. As pleaded, it is not clear that the claim cannot succeed. [Emphasis added.]
[183] Consequently, even if the pleaded claims constituted pure economic loss, it is not beyond doubt that the exception of negligent performance of a service could not apply to allow the damage claims pleaded.
[184] For the above reasons, I find that the pleadings disclose a cause of action in negligence.
Objections 6 to 9: Cause of action under the provincial privacy statutes (PCIs 7 to 11)
[185] TransUnion submits that the breach of provincial privacy statutes claims fail to disclose a cause of action under s. 5(1)(a) of the CPA. TransUnion submits that:
(i) For the provincial privacy statutes in Manitoba (PCI 7), Newfoundland and Labrador (PCI 10) and British Columbia (PCI 8), the Ontario court has no jurisdiction because the claim can only be brought before the courts of the particular province (Objection 6); and
(ii) In any event, the pleadings do not establish that TransUnion:
(a) engaged in “wilful” conduct, as required under the provincial privacy statutes in Saskatchewan (PCI 9), Newfoundland and Labrador (PCI 10), and British Columbia (PCI 8) (Objection 7),
(b) “substantially” or “unreasonably” violated Obodo’s privacy, as required under the Manitoba statute (PCI 7) (Objection 8), or
(c) constituted an “invasion” of privacy that caused compensable loss, as required under the Quebec statute (PCI 11) (Objection 9).
[186] I address each of these objections below.
(i) Objection 6: Ontario court jurisdiction to determine breaches of the provincial privacy statutes in Manitoba, Newfoundland and Labrador and British Columbia (PCIs 7, 8, and 10)
[187] The provincial privacy statutes in Manitoba, Newfoundland and Labrador and British Columbia limit jurisdiction to order damages for a breach of the respective provincial privacy legislation to the superior courts of that province: The Privacy Act, C.C.S.M., c. P125, ss. 1(1), 4(1) and 4(2); Privacy Act, R.S.N.L. 1990, c. P-22, s. 8; and Privacy Act, R.S.B.C. 1996, c. 373, s. 4.
[188] In Del Giudice, Perell J. reviewed the relevant law and concluded that no claim could be brought before the Ontario courts under the above provincial privacy statutes, as subject matter jurisdiction was exclusively provided to the courts of that province. He held (footnotes omitted), at paras. 156-57:
Where a class action is brought in Ontario on behalf of a national class, it has become a convention to include statutes from other provinces and territories and from the federal government that may be available to the Class Members. In the immediate case, the Plaintiffs plead the privacy statutes from the provinces and territories and the Charter. Capital One and Amazon Web assert, however, that this court does not have jurisdiction with respect to three provinces (British Columbia, Manitoba, and Newfoundland and Labrador) because the statutes in those provinces expressly confer an exclusive jurisdiction on the domestic provincial court.
There is merit to the Defendants' submission. As a constitutional law principle, it is plain and obvious that this court has no jurisdiction with respect to the privacy statutes of British Columbia, Manitoba, and Newfoundland and Labrador. [Emphasis added.]
[189] The issue of subject matter jurisdiction was considered at length by Strathy J. (as he then was) in Gould v. Western Coal Corp., 2012 ONSC 5184, 7 B.L.R. (5th) 19.
[190] In Gould, the plaintiff sought certification under the CPA. The plaintiff alleged that the defendants “fabricated” a financial crisis in Western Coal Corporation to depress the stock price, so that they could acquire shares at a fraction of the price.
[191] The plaintiff in Gould sought to certify three claims, i.e. (i) secondary market misrepresentation under the Securities Act (which required leave of the court), (ii) conspiracy, and (iii) an oppression claim under the British Columbia Business Corporations Act, S.B.C. 2002, c. 57 (BCBCA), as the defendant, Western Coal Corporation, was incorporated under the BCBCA.
[192] Strathy J. held that the plaintiff had not met the test for leave under the Securities Act, and found no factual basis for the conspiracy claims.
[193] Strathy J. held that the Ontario court did not have jurisdiction to hear the oppression claim.
[194] Under s. 227(2) of the BCBCA, a shareholder “may” apply to the “court” for an oppression order. The “court” is defined as the Supreme Court of British Columbia: BCBCA, s. 1; Interpretation Act, R.S.B.C. 1996, c. 238, s. 29.
[195] In Gould, the defendants took the position that “the s. 227 claim is purely statutory, that the statute confers exclusive jurisdiction on the Supreme Court of British Columbia, and that the Ontario Superior Court of Justice has no subject-matter jurisdiction over the claim”: at para. 322.
[196] In Gould, the plaintiff relied on the decision in Club Resorts Ltd. v. Van Breda, 2012 SCC 17, [2012] 1 S.C.R. 572, and submitted that “provided that there was a ‘real and substantial connection’ with the forum in which the litigation was brought, the court must assume jurisdiction over all aspects of the case”: at paras. 323-35.
[197] Justice Strathy distinguished between “territorial jurisdiction”, which was at issue in Van Breda, and “subject-matter jurisdiction” under the BCBCA which required that oppression claims under the BCBCA be brought to the Supreme Court of British Columbia. Strathy J. held, at paras. 326-27:
In my view, Van Breda is not on point. The issue in Van Breda was territorial jurisdiction or jurisdiction simpliciter. The issue here is jurisdiction over the subject matter. The distinction was noted by the British Columbia Court of Appeal in Conor Pacific Group Inc. v. Canada (Attorney General), 2011 BCCA 403, 343 D.L.R. (4th) 324 at para. 38:
It is important to appreciate the distinction between territorial jurisdiction and subject-matter jurisdiction. Territorial jurisdiction, known at common law as jurisdiction simpliciter, is concerned with the connection between the dispute and the court's territorial authority. A Canadian court may only assume territorial jurisdiction over a proceeding where there is a real and substantial connection between the action and the territory over which the court exercises jurisdiction: Morguard Investments Ltd. v. De Savoye, 1990 CanLII 29 (SCC), [1990] 3 S.C.R. 1077; Hunt v. T&N plc, 1993 CanLII 43 (SCC), [1993] 4 S.C.R. 289. In contrast, subject-matter jurisdiction is concerned with the court's legal authority to adjudicate the subject-matter of the dispute. For example, the Provincial Court does not have subject-matter jurisdiction with respect to claims for libel, slander or malicious prosecution: Small Claims Act, R.S.B.C. 1996, c. 430, s. 3(2).
The fact that a court may have territorial jurisdiction over a particular party in relation to a particular cause of action cannot give it jurisdiction over that party in relation to a subject matter that is outside its jurisdiction. [Emphasis added.]
[198] Strathy J. then reviewed numerous cases in Ontario, other common law provinces, and in the United States, all of which followed the same approach and declined jurisdiction when the statute required the provincial superior court to hear the matter: at paras. 328-37. Strathy J. relied on the following Ontario cases:
(i) Ironrod Investments Inc. v. Enquest Energy Services Corp., 2011 ONSC 308, in which C. Campbell J. held, at paras. 14 and 16, that the oppression claim could only be brought in Alberta as the company was incorporated under the Alberta Business Corporations Act, which gave exclusive jurisdiction to the Alberta courts for oppression claims. C. Campbell J. noted that in the cases relied upon by the plaintiff to support its jurisdiction submission, “the issue of the jurisdiction exclusive to the province of incorporation was not made”: at para. 15;
(ii) Incorporated Broadcasters Ltd. v. Canwest Global Communications Corp. (2001), 2001 CanLII 28395 (ON SC), 20 B.L.R. (3d) 289 (Ont. S.C.), at paras. 100 and 111-13, aff’d on other grounds, (2003), 2003 CanLII 52135 (ON CA), 63 O.R. (3d) 431 (C.A.), leave to appeal refused, [2003] S.C.C.A. No. 186, in which Killeen J. stayed the oppression claim on the basis that only the Manitoba Court of Queen’s Bench had jurisdiction under the Manitoba Companies Act, R.S.M. 1987, c. 225: at para. 113;
(iii) CAE Wood Products G.P. v. Coe Newnes/McGehee ULC, 2011 ONSC 1617, in which Marrocco J. held that an oppression claim relating to a corporation incorporated under the BCBCA was “assigned by the Legislature of British Columbia to the jurisdiction of the Supreme Court of British Columbia, not the Ontario Superior Court of Justice”: at para. 31.
[199] After his review of the law in Gould, Strathy J. concluded, at paras. 338 and 339:
Where the law of another province is the proper law, there is no question that an Ontario court is entitled to apply that law, just as it is entitled to apply the law of another foreign jurisdiction, based on conflict of laws principles, in an appropriate case. There is a difference, however, between applying another jurisdiction's law and assuming an adjudicative jurisdiction that can only be exercised by a court of another province or state. The constraint is more than just comity, in my view. It is a matter of constitutional competence.
The oppression remedy applicable to this dispute is a creation of a British Columbia statute. The statute confers the remedy and describes the manner in which it is to be enforced. I have no jurisdiction to grant the remedy because the statute expressly grants jurisdiction to the British Columbia [Supreme] Court. It is irrelevant that the defendants may be otherwise subject to this court's jurisdiction, or may have attorned to the jurisdiction. I have no jurisdiction over the subject matter. The oppression claim should therefore be struck. [Emphasis added.]
[200] As did the plaintiff in Ironrod, Obodo relied on several cases in which the courts have certified common issues based on provincial privacy statutes, including Agnew-Americano. However, in none of those cases was the issue of subject matter jurisdiction raised before the court.
[201] As Perell J. noted in Del Giudice, at para. 156, “[w]here a class action is brought in Ontario on behalf of a national class, it has become a convention to include statutes from other provinces and territories and from the federal government that may be available to the Class Members”. However, Obodo produced no case in support of his position that considered the jurisdiction issue.
[202] The jurisdictional provisions of the statutes are clear. Ontario courts cannot hear claims for breach of provincial privacy statutes in Manitoba, Newfoundland and Labrador, and British Columbia.
[203] For the above reasons, I find that there is no cause of action under the provincial privacy statutes in Manitoba, Newfoundland and Labrador, and British Columbia. Consequently, I do not certify PCIs 7, 8, and 10.
(ii) Objection 7: Do the pleadings establish a cause of action that TransUnion engaged in “wilful” conduct? (PCIs 8, 9, and 10)
[204] In my above analysis of Objection 6, I held that the Ontario court has no jurisdiction to address breaches of the provincial privacy legislation of Newfoundland and Labrador, British Columbia, and Manitoba, and as such I did not certify PCIs 7, 8, and 10. Consequently, it is not necessary for me to consider whether the alleged conduct could constitute “wilful” conduct as required under the Newfoundland and Labrador or British Columbia statutes (PCIs 8 and 10).
[205] However, there is no subject matter jurisdiction prohibition under the Saskatchewan legislation, The Privacy Act, R.S.S. 1978, c. P-24 (PCI 9). Liability under that statute arises under s. 2, which provides:
It is a tort, actionable without proof of damage, for a person wilfully and without claim of right, to violate the privacy of another person.
[206] TransUnion submits that the pleadings do not disclose a cause of action based on wilful conduct, since Obodo does not plead that TransUnion intended to breach the privacy of the class members.
[207] I do not agree.
[208] As I reviewed in Agnew-Americano, it is not settled law that a database defendant who allegedly recklessly enables a data breach, without any basic security protections, cannot be found to have engaged in wilful conduct.[^12]
[209] In Agnew-Americano, the defendant Equifax made a similar objection on the basis that it could not have acted wilfully if it was the subject of a hacker attack. I reviewed the case law which had considered the definition of wilful, and concluded that there was uncertainty in the law. I noted, at paras. 211-13, and 233-34, that some courts had:
(i) applied an “objective” test to the breach of privacy requirement by holding that the wilful test could be met by “an intention to do an act which the person doing the act knew or should have known would violate the privacy of another person”: Hollinsworth v. BCTV (1998), 1998 CanLII 6527 (BC CA), 59 B.C.L.R. (3d) 121 (C.A.), at para. 29, or
(ii) found that there was a triable issue that failing to establish safeguards to protect privacy could constitute wilful conduct: Hynes, at para. 19.
[210] Other courts had questioned whether the “wilful” requirement extended to the intention to breach privacy, as well as the intention to commit the act. By way of example, the British Columbia Court of Appeal in Duncan v. Lessing, 2018 BCCA 9, 5 B.C.L.R. (6th) 81, questioned (without deciding) whether the objective test in Hollinsworth was correct. Hunter J.A. commented that “the inclusion of the objective standard ‘should have known’ [in Hollinsworth] may not capture the deliberateness that is implicit in the word ‘wilfully’”: at para. 84.
[211] TransUnion relies on Kumar v. Korpan, 2020 SKQB 256, in which the court reviewed much of the same law I discussed in Agnew-Americano.
[212] After reviewing the law, Klatt J. concluded that there was uncertainty in the law, holding that “[t]here has been much debate on the meaning of ‘willfully’ in this context”: at para. 31, and that “there is no firm agreement across the country as to what ‘willfully’ entails in the context of privacy legislation”: Kumar, at para. 36.
[213] In Kumar, Klatt J. struck the breach of privacy statute claim, based on the approach requiring intent, as opposed to the Hollinsworth approach.
[214] I do not decide which approach ought to be followed by the court. Under the analysis in Wright, at para. 58, the role of the court on a motion to strike (or under s. 5(1)(a) of the CPA), is only to determine whether it is plain and obvious that the claim will fail, based on settled law.
[215] Given the uncertainty in the law as discussed above, I find (as in Agnew-Americano) that it is not settled law that a database defendant could not be found to have engaged in a wilful breach of privacy under the provincial privacy legislation if the plaintiff alleges that the conduct was “intentional” or “wilful” (which could include reckless conduct), which the database defendant knew or should have known would violate the privacy of another person.
[216] In Agnew-Americano, I also held that it was not settled law that the statutory tort is precluded by a hacker attack because it was the hackers who accessed the personal information: at paras. 208-17. I relied on cases such as Hynes and Li c. Equifax Inc., 2019 QCCS 4340, in which the courts had certified provincial privacy legislation claims against database defendants. I rely on the same law in the present case.
[217] In this case, I find that the pleadings can support a claim that TransUnion engaged in intentional, wilful, or reckless conduct by failing to take reasonable security precautions, when it knew or ought to have known that such conduct would lead to a data breach. The material facts pleaded are (quoted verbatim):
(i) The Defendant’s system was so crude, primitive and inadequate that the Defendant permitted [the hacker] to [obtain thousands of credit reports per day], without raising any internal warning or notice or triggering any security device to stop the vast transfer of data from the Defendant to the Hacker;
(ii) The enormous volume of reports requested by a single requester was extremely unusual and ought to have prompted the Defendant to enquire immediately into the requestor’s legitimacy, and to have taken immediate steps to stop the requestor’s access until his or her bona fides had been established;
(iii) Although the Defendant had ample financial means to institute measures to prevent the intrusions upon seclusion at issue herein, and knew that the data it aggregated was of great value and that it was private in nature, it failed to do so. In deciding not to institute sufficient measures to prevent the intrusions from occurring, the Defendant placed its own financial self-interest ahead of the interests of the Plaintiff and Class Members;
(iv) As a sophisticated credit reporting agency, the Defendant knew, or ought to have known of the need to keep the information of the individuals it was profiling private, and of the need to protect that information from theft by hackers;
(v) Despite this knowledge, the Defendant wilfully and deliberately ignored the risk of intrusion upon seclusion that in fact materialized. In the alternative, it was recklessly indifferent to the risk;
(vi) Without limiting the foregoing, the Defendant failed to implement any system that would flag excessive requests for credit reports by a single user, prima facie illogical requests for credit reports… Such a system would have enabled the Defendant to shut down the malicious requests much sooner and would have limited the damage;
(vii) Despite paying lip service to privacy in its promotional material, the Defendant in fact maintained a culture which tolerated and indeed encouraged such intrusions upon seclusion. Particulars of that culture are as follows:
a. The Defendant had no safeguards in place to prevent intrusions such as this from occurring, or in the alternative, insufficient safeguards;
c. The Defendant placed a low priority on the protection of privacy, and devoted resources to it which were grossly inadequate;
…; and
(viii) [T]he Defendant deliberately sacrificed the Plaintiff’s privacy interests on the altar of economy and expediency. It consciously preferred its own economic interests to the privacy interests of individuals such as the Plaintiff and Class Members.
[218] I find that the above allegations, if taken as true, can demonstrate an intentional decision by TransUnion to ignore the privacy interests of consumers whose personal financial information was in the TU Direct database, in circumstances where TransUnion knew that it did not have proper protection for that information but nonetheless exposed that information to hackers due to economic expediency. Such allegations, if proven, can meet the definitions of “wilful” in the jurisprudence discussed above.
[219] Consequently, I reject this objection, and I certify PCI 9.
(iii) Objection 8: Do the pleadings establish a cause of action that TransUnion “substantially” and “unreasonably” violated the privacy of the class members under the Manitoba privacy legislation? (PCI 7)
[220] Given my findings above as to Objection 6 on subject matter jurisdiction, it is not necessary to consider this objection. PCI 7 cannot be certified on this basis.
[221] However, if the Ontario court has jurisdiction to determine whether there has been a breach of the Manitoba legislation and award damages, then I would find that the pleadings disclose a cause of action.
[222] Under The Privacy Act, C.C.S.M., c. P125, s. 2(1):
A person who substantially, unreasonably, and without claim of right, violates the privacy of another person, commits a tort against that other person.
[223] TransUnion submits that the pleadings do not disclose that it either “substantially” or “unreasonably” violated the privacy of another person.
[224] I rely on the pleadings set out at para. 217 above. Such allegations could allow the court to conclude that (i) TransUnion, as a database defendant, “violate[d]” the privacy of the class members by failing to take any steps to protect the Financial Information; and (ii) the violation was “substantial” and “unreasonable” (based both on the allegations and the evidence of Dr. Archer).
[225] However, as I discuss above, I do not certify PCI 7 given the lack of subject matter jurisdiction.
(iv) Objection 9: Do the pleadings disclose a cause of action that TransUnion breached the Quebec privacy legislation? (PCI 11)
[226] TransUnion submits that the pleadings fail to disclose a cause of action that TransUnion breached the Quebec privacy legislation. I do not agree.
[227] Article 35 of the Civil Code of Québec, L.R.Q., c. C-1991 provides:
Every person has a right to the respect of his reputation and privacy.
The privacy of a person may not be invaded without the consent of the person or without the invasion being authorized by law.
[228] Article 37 of the Civil Code of Québec provides:
Every person who establishes a file on another person shall have a serious and legitimate reason for doing so. He may gather only information which is relevant to the stated objective of the file, and may not, without the consent of the person concerned or authorization by law, communicate such information to third persons or use it for purposes that are inconsistent with the purposes for which the file was established. In addition, he may not, when establishing or using the file, otherwise invade the privacy or injure the reputation of the person concerned.
[229] In Agnew-Americano, at paras. 216-18, I relied on the decision of Bisson J. in Li, and found that the claim disclosed a cause of action under art. 37:
In the recent decision of Li c. Equifax Inc., 2019 QCCS 4340, [2019] J.Q. No. 8976 (C.S.) ("Li"), Bisson J. held that the claim as pleaded supported a cause of action based on s. 37 of the CCQ, arising from the Data Breach. He held (at para. 23):
Le demandeur a également démontré une violation du droit à la vie privée, à la réputation et à la non-divulgation en communiquant ou en ne prévenant pas la communication à des tiers de renseignements confidentiels sans l'autorisation du demandeur.
Consequently, the decision supports the availability of a statutory tort claim against Equifax for a hacker attack, subject to the issue of damages, which I address below.
Bisson J. did not certify the claim in Li. Bisson J. relied on Quebec law that compensatory damages could not be claimed for a breach of s. 37 CCQ unless those damages had been incurred (Li, at paras. 24 and 28). In Li, the representative plaintiff only claimed compensatory damages (Li, at para. 25). As the representative plaintiff failed to establish any compensatory losses, certification was denied (Li, at paras. 27, 29-31, and 34). [Footnotes omitted.]
[230] As in Li, the claim in the present action, if proven, could establish that class members suffered a violation of their right to privacy and to not have their financial information disclosed, due to TransUnion's failure to prevent communication of the Financial Information to third parties without the consent of the class members.
[231] Further, in the present case, Obodo and the class members seek compensatory losses for out of pocket expenses, as those damages have been incurred.
[232] Consequently, it is not settled law that the claim under arts. 35 and 37 of the Civil Code of Québec does not disclose a cause of action. I would certify PCI 11 on this basis.
Objection 10: The s. 5(1)(b) objection
[233] TransUnion submits that the proposed class definition should not be certified under s. 5(1)(b) of the CPA since “there is no evidence of compensable harm” as “[n]ot a single person has complained of actual harm in the more than two years since the Incident”. On this basis, TransUnion submits that none of the PCIs should be certified.
[234] TransUnion relies on Maginnis v. FCA Canada Inc., 2020 ONSC 5462, aff’d 2021 ONSC 3897 (Div. Ct.), in which Belobaba J. held, at para. 37, that a court could find that there is no identifiable class under s. 5(1)(b), if “there is no evidence of a class of two or more people seeking access to justice” (relying on the decision of Strathy J. in Singer v. Schering-Plough Canada Inc., 2010 ONSC 42, at para. 136).
[235] Belobaba J. noted in Maginnis that “it is best to use s. 5(1)(d)” to address the “rare case where, as here, there is no evidence of compensable harm”: at paras. 37-38.
[236] However, even if the court were to consider the evidence of compensable harm in determining whether there is an identifiable class, the evidence in the present case provides some basis in fact for compensable harm.
[237] I have addressed the evidence of compensable damages above. Obodo has led evidence of out of pocket expenses in purchasing a credit report from Equifax, and Dr. Archer’s evidence is that many class members may seek to obtain credit monitoring services and identity theft protection beyond the two year period offered by TransUnion, with the evidence of such services costing $19.95 per month, plus applicable taxes.
[238] The offer by TransUnion of a service for two years, which would otherwise have cost approximately $270 on an annual basis, demonstrates that there is compensable loss.
[239] Consequently, this is not a “rare case” where “there is no evidence of compensable harm”.
[240] TransUnion does not submit that the class is not otherwise identifiable. I find that the s. 5(1)(b) criteria are easily met under the settled law.
[241] The proposed class in the claim consists of:
All persons who (i) reside in Canada; (ii) provided personal information to the Defendant, whether directly or indirectly, which information may include but is not limited to their name, date of birth, current address, past addresses, and information relating to credit and loan obligations and the entities to whom these obligations are owed; and (iii) were sent written notice by the Defendant that their personal information was stolen by hackers without any permissible purpose, and without their consent.
[242] The class is objectively defined, easily identifiable, and rationally connected to each of the PCIs. The members of the proposed class can be determined by objective criteria. TransUnion sent notices to 37,444 putative class members regarding the Data Breach, and thus have knowledge of the persons to whom they sent such notices.
[243] Consequently, the class has clear boundaries and is not unlimited. Class members can be easily identified without considering the merits of the action and all class members have an interest in the resolution of the PCIs.
[244] For the above reasons, I reject the objection and find that Obodo has met the requirement to establish an identifiable class under s. 5(1)(b) of the CPA.
Objections 11 and 12: The s. 5(1)(c) objections (PCIs 2 to 6)
[245] TransUnion submits that the PCIs for negligence should not be certified under s. 5(1)(c) of the CPA, since:
(i) The pleadings “disclosed no reasonable cause of action in negligence against the defendant on a class-wide basis” (Objection 11); and
(ii) “To the extent that any class member suffered actual compensable harm, the nature, scope and impact of that harm would necessarily be different for every Class member” (Objection 12).
[246] TransUnion does not raise s. 5(1)(c) objections on any other PCIs.
[247] I address each of these objections below.
(i) Objection 11: The cause of action objection
[248] It is not contested that a court will not certify a PCI if the pleadings fail to disclose a cause of action or if there is insufficient evidence of a viable cause of action (as the court did for the negligence claim in Stewart, at para. 94).
[249] However, as I discuss above, the present case can be distinguished from Stewart, both because (i) the pleadings disclose a cause of action in negligence and (ii) there is some basis in fact for both breach of duty of care (which TransUnion does not contest) and for damages (which I discuss above).
[250] Consequently, I reject this objection as a basis to not certify the PCIs on the negligence claim.
(ii) Objection 12: The individual damages assessment objection
[251] TransUnion submits that “[t]o the extent that any Class member suffered actual compensable harm, the nature, scope and impact of that harm would necessarily be different for every Class member. Accordingly, the proposed common issues in negligence should not be certified”. I do not agree.
[252] TransUnion again relies on Stewart, in which Morgan J. held, at para. 93, that adjudicating the claims of the class members “would require mini-trials that would be every bit as complicated as a full negligence trial”.
[253] However, in Stewart, there was no common issue on liability which would have advanced the case. As Morgan J. noted, “the duty and standard of care questions are easy to answer; it is the causation and damages questions that are entirely elusive here”: at para. 93. The defendant nurse had improperly accessed the patients’ medical records in order to dispense the Percocet medication. There was no dispute as to whether she had breached the standard of care.
[254] In the present case, however, the PCIs on negligence are significant components of each class member’s claim and will advance the claims of all class members. The PCIs pertaining to negligence ask:
(i) Did the Defendants owe the Class a duty of care? (PCI 2)
(ii) If so, what duty of care was owed to the Class? (PCI 3)
(iii) If so, what was the applicable standard of care for the Defendant? (PCI 4)
(iv) Did the Defendant breach the applicable standard of care? (PCI 5)
(v) Did the Defendant’s breach of duty cause damage to the Class? (PCI 6)
[255] The above PCIs will enable the court to determine if TransUnion is liable in negligence. These PCIs are central to the litigation and do not require evidence from individual class members but instead depend upon the conduct of TransUnion. Expert evidence will be significant in such a determination. As R.A. Smith held in Evans, at para. 88: “The fact finding and legal analysis would be done once rather than 643 times if the action is certified.”
[256] For the above reasons, I reject this objection.
Objection 13: The section 5(1)(d) objection
[257] TransUnion submits that a class action is not the preferable procedure under s. 5(1)(d) of the CPA, since (i) there is no access to justice concern because there is no evidence of “actual harm or actual damages”; (ii) there is no judicial economy since the assessment of damages would necessarily revert to individual assessments; and (iii) behaviour modification is not advanced because “there is a comprehensive regulatory scheme in each province with a designated privacy regulator dedicated to ensuring the industry is properly regulated”.
[258] I do not agree. I address each of these submissions below.
[259] With respect to the submission that there are no access to justice concerns because there is no evidence of “actual harm or actual damages”, I have addressed that issue above and find that there is such evidence. I rely on that analysis and, as such, find that there would be significant access to justice concerns if each of the 37,444 class members were required to bring an individual action for damages, such as the cost of credit monitoring services and identity theft insurance or for mental distress. Such litigation is not economically feasible.
[260] I agree with Obodo’s submission that access to justice will be promoted by a class action since:
(i) Documentary discovery will be extensive and time-consuming and numerous experts will be required in the course of the proceedings;
(ii) Litigating this action will cost hundreds of thousands of dollars at a minimum, much more than the full damages of most individual class members;
(iii) Any applicable limitation period has been tolled for the entire class;
(iv) A formal notice program will alert all or the vast majority of class members to the litigation and give them the opportunity to participate;
(v) Class counsel is experienced and have been retained on a contingency basis;
(vi) The court will protect the interests of absent class members; and
(vii) After the trial of the common issues, and if necessary, the court may create streamlined procedures to deal with any remaining individual issues.
[261] With respect to judicial economy, it would not serve that goal to have thousands of cases addressing the applicable standard of care, reviewing the expert evidence, and determining whether TransUnion was in breach of any duty of care or acted in a reckless or intentional manner. Those issues must be resolved in one action to avoid both a multiplicity of litigation and the risk of inconsistent judgments. Requiring 37,444 actions would be the antithesis of judicial economy.
[262] Consequently, even though individual mini-trials may be required to establish damages for the negligence claims, those trials would raise fairly straightforward assessments of damages, as opposed to the complex duty of care and liability issues that ought to be resolved in common.
[263] With respect to behaviour modification, TransUnion submits that “the defendant has already taken several steps to remedy the situation and, importantly, there is a comprehensive regulatory scheme in each province with a designated privacy regulator dedicated to ensuring the industry is properly regulated”.
[264] However, TransUnion led no evidence as to the ability of a privacy regulator to provide the class with any of the substantive damage relief they seek, nor a process to do so (AIC Limited v. Fischer, 2013 SCC 69, [2013] 3 S.C.R. 949, at para. 24). In particular, there is no evidence that a privacy regulator can order TransUnion to compensate any class member for the damages suffered, nor is there any evidence of a process for the class members to bring a proceeding to seek relief.
[265] For the above reasons, I find that a class action is the preferable procedure.
Objection 14: The section 5(1)(e) objection
[266] TransUnion submits that Obodo is not an appropriate representative plaintiff because he “sustained no loss and therefore has ‘no stake in the potential outcome’”. TransUnion relies on the comments of Belobaba J. in Maginnis, at para. 37, that: “[t]he judge can also find under s. 5(1)(e) that the two plaintiffs herein are not suitable representatives because they have sustained no loss and have ‘no stake in the potential outcome’” (citing Stone v. Wellington County Board of Education, 1999 CanLII 1886 (ON CA), [1999] O.J. No. 1298 (C.A.), at para. 10).
[267] I have addressed the evidentiary issue repeatedly in these reasons. Obodo’s evidence provides some basis in fact that he suffered both pecuniary damages and mental distress. He has sustained a loss and has a stake in the outcome.
[268] Further, Obodo meets the criteria to act as a representative plaintiff. He has a common interest with other class members and will vigorously prosecute the claim. He understands the major steps in a class action and the responsibilities he will undertake if he is appointed as representative plaintiff. He has already been participating in the proceeding, having filed an affidavit and been cross-examined in support of the present motion. He has produced a workable litigation plan.
[269] For the above reasons, I dismiss this objection.
A note on the PCIs relating to damages (PCIs 12, 13, and 14)
[270] TransUnion did not oppose certification of PCIs 12-14 on damages, including PCIs seeking punitive or aggregate damages. Consequently, I do not address these PCIs in my reasons, except for my brief comments below.
[271] The Saskatchewan privacy legislation (like intrusion upon seclusion) permits a claim for a tort “without proof of damage”: The Privacy Act, R.S.S. 1978, c. P-24, s. 2. Consequently, there is some basis in fact that at least part of the damages claim may be determined without individual proof from class members.
[272] Further, there is some basis in fact for a punitive damages claim given the pleadings set out at para. 217 above and Dr. Archer’s conclusion that if TransUnion “ignore[d] implementing a proper risk management program”[^13] in circumstances where it held such personal financial information in its database and provided external business clients with access to that database, then TransUnion would have acted in “reckless disregard of the known consequences of a potential data breach”.
Order and costs
[273] For the above reasons, I grant the certification motion. I certify PCIs 2 to 6, PCI 9, and PCIs 11 to 14, subject to amendments to the statement of claim to plead material facts based on the evidence before the court on the certification motion. I do not certify PCIs 1, 7, 8, or 10.
[274] There was divided success on this motion, which must be reflected in any costs award.
[275] If either party decides to seek costs, I will accept submissions from both parties concurrently, as I do not determine at this point which, if any, of the parties would be entitled to costs.
[276] If the parties require a court determination on costs, both parties shall deliver a costs submission of no more than five pages (not including the costs outline) by December 1, 2021. Each party shall then deliver responding costs submissions of no more than three pages by December 15, 2021. Each party may deliver a reply costs submission of no more than two pages by December 22, 2021 to address the respective responding costs submissions. While the process is somewhat cumbersome, to ensure fairness to both parties, it is necessary to allow them to make costs submissions if they choose to seek costs in their favour.
GLUSTEIN J.
Date: 2021-11-04
Schedule “A”
List of Proposed Common Issues
1. Do the actions of the Defendant constitute intentional or reckless intrusion upon seclusion that would be highly offensive causing distress, humiliation or anguish to a reasonable person?
2. Did the Defendant owe the Class a duty of care?
3. If so, what duty of care was owed to the Class?
4. If so, what was the applicable standard of care?
5. Did the Defendant breach the applicable standard of care?
6. Did the Defendant’s breach of duty cause damage to the Class?
7. For class members resident in Manitoba, did the defendant violate section 2 of the Privacy Act, C.C.S.M. c. P.125?
8. For class members resident in B.C., did the defendant violate section 1 of The Privacy Act, R.S.B.C. 1996, c. 373?
9. For class members resident in Saskatchewan, did the defendant violate section 2 of the Privacy Act, R.S.S. 1978, c. P-24?
10. For class members resident in Newfoundland, did the defendant violate section 3 of the Privacy Act, R.S.N.L. 1990, c. P-22?
11. For class members resident in Quebec, did the defendant violate Articles 35 and 37 of the Civil Code of Québec, L.R.Q., c. C-1991?
12. To what damages are the Class members entitled?
13. Are the Class Members entitled to punitive or aggravated damages, and if so, in what amount?
14. Can the Class Member’s damages be assessed in whole or in part in the aggregate, and if so, what is the quantum of the aggregate damages?
[^1]: In these reasons, I refer to these unknown and unauthorized persons (or person) using the commonly-used term of “hackers”.
[^2]: The PCIs are set out at Schedule A to these reasons.
[^3]: (which is the basis of PCIs 2 to 5)
[^4]: (PCIs 8-10)
[^5]: (PCI 7)
[^6]: (PCI 11)
[^7]: It is not stated in the decision whether leave was sought on any other issue and was denied.
[^8]: I refer to the Divisional Court decision as the Owsianik decision to distinguish it from the Agnew-Americano decision.
[^9]: In his report, Dr. Archer explained that an IT Security Maturity Level of 1 meant that “[t]here is no formal process in the organization for generating security policy, and what process exists is unpredictable, poorly controlled, and reactive”. Dr. Archer explained that an IT Security Maturity Level of 2 meant that “[s]ome security policy is documented and distributed, but is likely incomplete and has not been demonstrated to be proactive nor to fit the organization”.
[^10]: (the term used by Obodo to describe the “database defendant” (as I used the latter term in Agnew-Americano))
[^11]: The majority of the Divisional Court disagreed with the conclusions of the motions judges in both Tucci and Kaplan and held that the intrusion upon seclusion claim did not apply to hacker attacks: at para. 56.
[^12]: Consequently, if it were found that the court had jurisdiction to hear the claims for breach of provincial privacy legislation in Manitoba, Newfoundland and Labrador, and British Columbia, the analysis in this section would apply to the British Columbia (PCI 8) and Newfoundland and Labrador (PCI 10) statutes, since they also require a finding of “wilful” conduct.
[^13]: (for which there is some basis in fact given what Dr. Archer states are the reasonable requirements to protect personal information and Ms. Anslow’s answers to undertakings that those steps were not taken)