His allegations were twofold: first, that the IIROC’s response to the loss of data was too slow, that the services offered by IIROC to protect the class members’ information were inadequate, and that the class members were informed of the data loss too late. Second, the class members claimed damages suffered because of the loss, similar to Sofio’s claims: inconvenience and stress following receipt of the letter, and (for Lamoureux) subsequent identity theft. The class members also claimed punitive damages.
Justice Lucas looked at IIROC’s response to the data loss, which included identifying the loss, taking steps to assess the extent of the breach, notifying the parties involved including the investors, relevant regulatory bodies, and any affected organizations. IIROC also took steps to protect the affected investors, through providing security protection from TransUnion and Equifax for years to come. Justice Lucas found that “IIROC’s response was diligent, and that barred the award of punitive damages,” says Merminod, since under Quebec law punitive damages are awarded only when a plaintiff can establish an unlawful and intentional interference.
The minimum threshold for compensable injury was not reached, either, as no causation was found between the loss of data and the attempted identity theft, as demonstrated by an expert witness, says Merminod; while there was no dispute that Lamoureux had been the victim of fraud, this was not related to the IIROC’s data loss two years earlier.
There are currently more than 80 class actions involving privacy breaches in progress across the country, Merminod told Canadian Lawyer. Class actions have become an increasingly common venue for users and consumers to seek damages from data loss, and the pandemic has also triggered class action lawsuits across numerous sectors and will continue to give rise to many new class actions in the following years.
And, although Quebec is a civil law province, she says, “many companies will be extremely interested to see how IIROC responded to the loss,” and whose efforts were lauded by Justice Lucas, she says. “That’s applicable to anyone in Canada, the U.S., or Europe,” as data loss and privacy breaches occur regularly, with even high-tech giants such as Google, Facebook, LinkedIn, and even Equifax being the target of hacks.