BC Court of Appeal upholds class action certification in Capital One data breach case

The claims of intrusion upon seclusion and breach of confidence were not actionable: court

BC Court of Appeal upholds class action certification in Capital One data breach case

The BC Court of Appeal dismissed both an appeal and cross-appeal regarding a class action certification for a data breach, affirming the trial judge's decision on multiple claims and jurisdictional issues.

The case involves a former Capital One customer seeking to sue the financial corporation for a data breach executed by hacker Paige Thompson in 2019. The court's decision reaffirmed the class action's original certification while addressing multiple claims and procedural contentions.

In 2019, Paige Thompson hacked into Capital One's database, accessing the personal and financial information of approximately six million Canadians and 100 million Americans. Duncan Campbell, a former customer of Capital One, initiated a class action lawsuit against the company, alleging negligence, breach of contract, and various privacy and consumer protection statute violations. He sought certification under the Class Proceedings Act, which the trial judge granted while dismissing certain claims such as intrusion upon seclusion and breach of confidence as bound to fail.

Campbell appealed the dismissal of these claims, while Capital One cross-appealed the certification of privacy-related claims and other aspects of the judge’s decision. Capital One argued that the trial judge erred in certifying privacy claims, asserting that British Columbia courts lacked jurisdiction over claims under privacy statutes from Manitoba and Newfoundland and Labrador. They also contended that the trial judge's finding of compensable loss for the class members was speculative and not supported by evidence.

The appeal court rejected Campbell's appeal, agreeing with the lower court that the claims of intrusion upon seclusion and breach of confidence were not actionable. The court noted that existing Canadian case law does not extend the tort of intrusion upon seclusion to data custodians like Capital One, who did not invade privacy by themselves but allegedly failed to protect data.

On the cross-appeal, the court upheld the trial judge’s decision that British Columbia courts have jurisdiction to hear claims under the privacy statutes of Manitoba, Newfoundland and Labrador. The court also found some basis, in fact, to conclude that class members had suffered compensable loss, particularly in relation to additional credit monitoring services obtained following the data breach.

The court emphasized that the “some basis in fact” requirement at the certification stage is not an assessment of the merits but rather a threshold to determine whether a class action is the preferable procedure. Given the evidence presented, including expert testimony and affidavits from affected individuals, the court found sufficient grounds to support the certification.