Cyber-Attack Class Action Not Certified
In Kaplan v. Casino Rama, the court dismissed a certification motion in a class action involving a cyber-attack.
Casino Rama’s computer system was hacked, and personal information was stolen relating to customers, employees, and suppliers. The hacker posted the stolen data on the Internet. Just under 11,000 people had some personal information posted online.
Two and a half years after the cyber-attack, there was no evidence that anyone experienced fraud or identity theft. There was no evidence of any compensable financial or psychological loss.
One of the requirements for a class action to be certified is that the claims of the class members must raise common issues. Justice Belobaba held that the proposed class action failed on the commonality requirement.
Justice Belobaba noted that, for many years, class action judges applied a two-step analysis regarding a proposed common issue: whether there was some evidence that the proposed common issue actually existed and whether there was some evidence that the proposed common issue could be answered in common across the entire class.
He noted that the Supreme Court of Canada eliminated the first step of the two-step approach. In particular, evidence that the acts alleged actually occurred is not required.
In the case at bar, Justice Belobaba stated that the proposed common issues required highly individualized assessments. For example, the scope and content of the personal information that was stolen by the hacker varied widely for each person.
Further, individual inquiries would be required to determine if class members were, in fact, embarrassed or humiliated by the disclosure of information.
Justice Belobaba indicated that liability could not be established on a class-wide basis.