On March 26, 2021, the Superior Court rendered a decision dismissing a class action against the Investment Industry Regulatory Organization of Canada (“IIROC”) on the loss of personal information of thousands of Canadian investors.1 The lack of evidence of compensable injury and IIROC’s diligent behaviour are the main reasons for the dismissal of the class action.
On February 22, 2013, an inspector working for IIROC forgot his laptop computer in a public place. The computer, which contained the personal information of approximately 50,000 Canadians, was never found. The information had originally been collected by various securities brokers who were under inspection by IIROC.
Mr. Lamoureux, whose personal information was on the computer, brought a class action on behalf of all persons whose personal information was lost in the incident. He claimed compensatory damages for the stress, anxiety and worries associated with the loss of personal information, as well as compensation for the injury associated with the identity theft or attempted identity theft of members. He also claimed punitive damages for unlawful and intentional infringement of the right to privacy protected by the Quebec Charter of Human Rights and Freedoms. On this point, the members claimed that IIROC had been reckless and had delayed in notifying affected persons and brokers, as well as relevant authorities.
The class action is dismissed in its entirety.
The Superior Court started by acknowledging IIROC’s admission that it was at fault for the loss of the computer, and that the computer was not encrypted as it should have been to comply with IIROC policies.
With respect to compensatory damages, the Court reiterated the principle according to which the existence of fault does not presume the existence of injury; each case must be analyzed on the basis of the evidence.2 In this case, the injury alleged by the members can be summarized as follows:
- They suffered worry, anger, stress and anxiety about the incident.
- They were forced to monitor their financial accounts, and in particular their credit cards and bank accounts.
- They were inconvenienced and wasted time in having to deal with credit agencies and ensuring that their personal information was protected.
- They felt shame and suffered delays caused by identity checks on their credit applications attributable to flags on their files.
In its analysis, the Court held that, apart from the fact that the members were generally troubled by the loss of their personal information, there was no evidence of any particular and significant difficulties related to their mental state. Relying on Mustapha v. Culligan of Canada Ltd.,3 the Court reiterated that “the law does not recognize upset, disgust, anxiety, agitation or other mental states that fall short of injury.” If the injury is not serious and prolonged, and is limited to ordinary discomforts and fears that are inherent to life in society, it does not constitute compensable injury.
In this case, the Court found that the negative feelings experienced as a result of the loss of personal information did not rise above the level of ordinary discomforts, anxieties and fears that people living in society routinely accept. Having to monitor one’s personal accounts more closely does not qualify as a compensable injury, as the courts equate this practice with that of [translation] “a reasonable person who protects their assets.”4 The Court also considered the fact that IIROC provided members with free credit monitoring and protection services. It thus concluded that, in this respect, there was no injury to compensate.
Finally, the experts who were mandated to analyze the circumstances and wrongful use of the investors’ personal information found that there was no clear indication of wrongful use of the information by a person or group of persons, although evidence of wrongful use of personal information is not necessary to assert a claim.
The plaintiff, on behalf of the members of the class action, also sought punitive damages on the grounds that IIROC had been reckless in its handling of the incident.
To analyze IIROC’s diligence, the Court noted the following facts.
- IIROC launched an internal investigation in the week that followed that of February 22, 2013, the date on which the computer was lost.
- On March 4, 2013, the investigation revealed that the computer likely contained the personal information of thousands of Canadians.
- IIROC filed a police report.
- On March 6, 2013, it mandated Deloitte to identify what personal information was lost and who were the affected persons and brokerage firms, and to help it manage the risks and obligations associated with the loss of the personal information.
- On March 22, 2013, Deloitte informed IIROC that the computer contained “highly sensitive” and “increased sensitivity” information about thousands of Canadian investors.
- On March 27, 2013, IIROC notified the Commission d’accès à l’information du Québec and the Office of the Privacy Commissioner of Canada.
- On April 8 and 9, 2013, IIROC met with representatives of the affected brokerage firms, and simultaneously mandated credit agencies to implement safeguards for investors and brokerage firms.
- IIROC also set up a bilingual call center, issued a press release about the loss of the computer and sent a letter to affected investors.
The Court also accepted expert evidence according to which IIROC’s response was consistent with industry best practices, and that the measures put in place were appropriate in the circumstances and consistent with other responses to similar incidents.
In light of the evidence, the Court concluded that the loss of the unencrypted laptop computer and the resulting violation of the right to privacy were isolated and unintentional. It therefore dismissed the claim for punitive damages. The outcome is that IIROC was not reckless: it rather acted in a timely manner.
This decision introduces a basis for analyzing the diligent conduct of a company should the personal information that it holds be compromised, and confirms that a prompt and diligent response to a security incident can safeguard against a civil suit.
It also confirms that the mere loss of personal information, no matter how sensitive, is not in itself sufficient to justify financial compensation, and that it must be proven that injury was suffered. Furthermore, ordinary annoyances and temporary inconveniences do not constitute compensable injury, and monitoring financial accounts is not exceptional, but is rather considered the standard practice expected of a reasonable person protecting their assets.
At the time of writing this bulletin, the time limit for appeal has not expired and the plaintiff has not announced whether he intends to appeal the judgment.
- Lamoureux v. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2021 QCCS 1093.
- Sofio v. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2014 QCCS 4061, paras. 21 and 22.
- Mustapha v. Culligan of Canada Ltd., 2008 SCC 27  2 SCR 114.
- Lamoureux v. Organisme canadien de réglementation du commerce des valeurs mobilières, 2021 QCCS 1093, para. 73.