Canadian data breach litigation is still in its early phase. On July 3rd, the Ontario Superior Court of Justice approved a settlement in a significant class action that was brought after a public health nurse lost a USB key containing the personal information of about 85,000 individuals who had been immunized during the 2009 H1N1 scare.
The settlement involved the creation of a claims period open until August 1, 2016 to allow class members to claim for economic loss but no damages payment otherwise. As Justice Lauwers explained, the defendant and its insurer agreed to accept the risk of economic harm over the six and a half year claim period, after which, he held, “the risk will be virtually eliminated.”
In approving the settlement, Justice Lauwers stressed that the plaintiff faced a difficult case given, as time passed, his ability to prove compensable damages worsened. He said:
It is important to consider the context in which this case developed. The USB key was lost on or about December 16, 2009. In the midst of the anxiety created by that loss, the action was started on April 26, 2010. The certification motion was heard on December 16, 2010 with the decision rendered on February 4, 2011, and the certification order signed on April 26, 2011. Over the course of this action, anxiety about the abuse of private information has given way to the realization that it is now probable that no one has the missing USB key. This inference comes from the fact that no class member has claimed that information on the key has been used to financially damage his or her interests. This case, it bears emphasizing, would look far different if information from the lost USB key had been abused by a wrongdoer…
As a matter of law, in my view, the chances of success, in the circumstances as they have unfolded since the USB key was lost, are quite low.
Justice Lauwers approved an agreement to pay $500,000 in costs (including taxes and disbursements) to class counsel plus an amount equal to 25% of any claims paid. Though loss to individuals was not the basis for this amount, it equals about $5.99 per affected individual for a suspected breach involving the loss of name, address, telephone number, gender, date of birth, Ontario health number, health card expiration date, name of primary care provider and “some additional personal health information.”