Campbell v Capital One Financial Corporation

IN THE SUPREME COURT OF BRITISH COLUMBIA

Citation:

Campbell v. Capital One Financial

Corporation,

2022 BCSC 928

Date: 20220603

Docket: S198617

Registry: Vancouver

Between:

And

Duncan Campbell

Plaintiff

Capital One Financial Corporation, Capital One Bank (USA), National

Association, and Capital One Bank (Canada Branch)

Defendants

Before: The Honourable Justice Iyer

Reasons for Judgment

Counsel for Plaintiff:

T. Charney

R. Loeb

C. Edwards

K. Garcha

P. Sanghe

Counsel for Defendants:

L. Cooper

A. Cameron

A. Borrell

V. Toppings

P. Sergeyev

Place and Date of Trial:

Vancouver, B.C.

January 31, February 1-3, 2022

Place and Date of Judgment:

Vancouver, B.C.

June 3, 2022

Campbell v. Capital One Financial Corporation

Page 2

Table of Contents

OVERVIEW................................................................................................................ 3

THE TEST FOR CERTIFICATION ............................................................................ 4

THE CERTIFICATION APPLICATION...................................................................... 7

UNDISPUTED FACTS............................................................................................... 8

Capital One’s Promises to Safeguard Personal Information .................................. 8

ANALYSIS............................................................................................................... 16

Do the Pleadings Disclose a Cause of Action? .................................................... 20

Negligence........................................................................................................ 20

Breach of Contract............................................................................................ 24

Was the Application a Contract?................................................................... 24

Who are the parties to the Agreement?............................................................ 25

Is there a Cause of Action in Contract against Capital One (Canada Branch)? 26

Breach of Express and Implied Warranties .......................................................... 30

Breach of Contractual Duty of Honest Performance............................................. 30

Breach of Confidence........................................................................................... 31

Intrusion Upon Seclusion ..................................................................................... 32

Statutory Privacy Torts......................................................................................... 34

Breach of Consumer Protection Legislation ......................................................... 36

CONCLUSION ON CAUSES OF ACTION.............................................................. 38

SOME BASIS IN FACT ........................................................................................... 39

Some Basis in Fact for Compensable Loss in Data Breach Cases...................... 39

Some Basis in Fact - Identifiable Class................................................................ 42

Some Basis in Fact – Common Issues................................................................. 45

Some Basis in Fact – Preferability........................................................................ 50

Some Basis in Fact – Suitability of Representative Plaintiff ................................. 51

CONCLUSION......................................................................................................... 52

Negligence .................................................................................................... 53

Contract......................................................................................................... 53

Statutory Privacy Torts.................................................................................. 53

Breach of Consumer Protection Acts ............................................................ 54

Remedy and Damages.................................................................................. 55

Campbell v. Capital One Financial Corporation

Page 3

OVERVIEW

[1]

Capital One issues credit cards for its banking business as well as for Costco

Wholesale and the Hudson’s Bay Company. When applying for such a credit card,

individuals provide Capital One¹with their personal and financial information. Capital

One stores that information in a database on Amazon Web, a third party cloud-

based server in the United States. In the spring of 2019, Paige Thompson hacked

Capital One’s database. She downloaded the personal and financial information of

American and Canadian residents who had applied for Capital One credit cards

(“Data Breach”). The Data Breach affected six million Canadian customers and

about 100 million American customers.

[2]

In July 2019, an independent security researcher discovered the breach and

informed Capital One, which contacted American law enforcement. FBI agents

arrested Ms. Thompson and seized digital devices from her home on July 29, 2019.

On the same day, Capital One published a statement about the cyber-breach on its

website.

[3]

The data stolen from Canadians included information submitted on credit card

applications between 2005 and early 2019, such as name, date of birth, mother's

maiden name, address, email address, phone number, employer name, housing

situation, annual income, status of mortgage, and banking information. It included

some people’s credit scores, credit limits, balances and payment history, and

fragments of transaction histories over a total of 23 days in 2016-2018. The Data

Breach also compromised about one million social insurance numbers. I will refer to

all of this information as the “Confidential Information”.

[4]

Capital One wrote to all affected individuals to notify them of the Data Breach.

It explained what steps they could take to monitor and protect their data and offered

them free credit monitoring and identity protection services, including identity theft

¹The defendants are Capital One Financial Corporation, Capital One Bank (USA) National Branch

(“COBNA”) and Capital One Bank (Canada Branch). I will refer to them collectively as “Capital One”

unless necessary to identify them individually.

Campbell v. Capital One Financial Corporation

Page 4

protection for two years. It stated that no credit card numbers, PIN codes or login

credentials were compromised in the Data Breach.

[5]

Legal proceedings commenced in the United States and in Canada.

Ms. Thompson was criminally charged in the US and at the time of the hearing

before me, was awaiting trial. At the end of July 2019, the Office of the Privacy

Commissioner of Canada (“OPC”) announced it was commencing an investigation.

As of this date, the OPC has not issued a report. In August 2020, the US Office of

the Comptroller of Currency found Capital One non-compliant with its risk

assessment standards and imposed civil penalties totaling USD $80 million.

[6]

In Canada, national class actions were commenced in British Columbia,

Alberta, and Ontario. There were carriage contests in British Columbia and Ontario.

Perrell J. of the Ontario Superior Court granted carriage to the Del Giudice action in

Ontario (Del Giudice v. Thompson, 2020 ONSC 2676) and I granted carriage to

Mr. Campbell here: Campbell v. Capital One Financial Corporation, 2020 BCSC

1696. It does not appear that the Alberta claims are proceeding. A class action was

filed in Québec on behalf of a Québec class. As discussed further below, that action

is being case managed by Justice Bernard Tremblay. Most recently, Perell J.

dismissed the plaintiff’s application for certification in Del Giudice: 2021 ONSC 5379.

I am informed that his decision is under appeal and will be heard in June 2022.

[7]

There is no evidence as of the date of this certification hearing that any of the

Confidential Data has been disseminated beyond Ms. Thompson. Capital One’s

primary objection to certification is that the absence of such evidence means that the

action cannot be certified.

THE TEST FOR CERTIFICATION

[8]

Sections 4(1) and (2) of the Class Proceedings Act, R.S.B.C. c. 50 [CPA], set

out the requirements for certifying a class proceeding:

4 (1) Subject to subsections (3) and (4), the court must certify a proceeding

as a class proceeding on an application under section 2 or 3 if all of the

following requirements are met:

Campbell v. Capital One Financial Corporation

Page 5

(a) the pleadings disclose a cause of action;

(b) there is an identifiable class of 2 or more persons;

(c) the claims of the class members raise common issues, whether or

not those common issues predominate over issues affecting only

individual members;

(d) a class proceeding would be the preferable procedure for the fair

and efficient resolution of the common issues;

(e) there is a representative plaintiff who

(i) would fairly and adequately represent the interests of the

class,

(ii) has produced a plan for the proceeding that sets out a

workable method of advancing the proceeding on behalf of the

class and of notifying class members of the proceeding, and

(iii) does not have, on the common issues, an interest that is in

conflict with the interests of other class members.

(2) In determining whether a class proceeding would be the preferable

procedure for the fair and efficient resolution of the common issues, the court

must consider all relevant matters including the following:

(a) whether questions of fact or law common to the members of the

class predominate over any questions affecting only individual

members;

(b) whether a significant number of the members of the class have a

valid interest in individually controlling the prosecution of separate

actions;

(c) whether the class proceeding would involve claims that are or

have been the subject of any other proceedings;

(d) whether other means of resolving the claims are less practical or

less efficient;

(e) whether the administration of the class proceeding would create

greater difficulties than those likely to be experienced if relief were

sought by other means.

[9]

The settled principles governing the certification analysis are succinctly

summarized by Justice Francis in Sharifi v. WestJet Airlines Ltd., 2020 BCSC 1996

rev’d on other grounds 2022 BCCA 149:

[12]

The certification requirements are to be interpreted generously, taking

into account the objects of class action legislation and the perceived benefits

of such proceedings: Gary Jackson Holdings Ltd. v. Eden, 2010 BCSC 273 at

para. 28.

Campbell v. Capital One Financial Corporation

Page 6

[13]

The class procedure has three principal goals: behaviour modification,

judicial economy and access to justice: Hollick v. Toronto (City), 2001 SCC

68 at para. 27.

[14]

The certification analysis does not involve a consideration of the

merits of the claim. The question at certification is not whether a claim is likely

to succeed but rather whether the suit is appropriately brought as a class

proceeding: Hollick at para. 16.

[15]

Subsection 4(1)(a), the requirement that the pleadings disclose a

cause of action, is assessed by means of the same test that would apply to a

motion to strike. A plaintiff will satisfy this requirement unless, assuming all

the facts pleaded to be true, it is plain and obvious that the plaintiff’s claim

cannot succeed or has no reasonable prospect of success: Pro-Sys

Consultants v. Microsoft Corporation, 2013 SCC 57 at para. 63 [Pro-Sys].

[16]

With respect to the remaining subsections 4(b) – (e), the plaintiff must

show “some basis in fact” to establish that the certification requirements have

been met. In determining whether this standard has been met, the court

should not engage in any detailed weighing of evidence at the certification

stage but should confine itself to whether there is some basis in the evidence

to support the certification requirements: AIC Limited v. Fischer, 2013 SCC

69 at para. 43.

[10] In Sherry v. CIBC Mortgage Inc., 2020 BCCA 139, the Court of Appeal

confirmed that, for purposes of the s. 4(1)(a) analysis, pleaded facts must be

assumed to be true unless they are patently unreasonable or incapable of proof, and

the claim’s prospect of success must be reasonable, not speculative: at paras. 23-

24. Dickson J.A. added that certification judges should not shy away from deciding

challenging legal questions: at para 25.

[11] In Atlantic Lottery Corp. Inc. v. Babstock, 2020 SCC 19 at para. 19

[Babstock], the Court cautioned that, while novel claims that might represent an

incremental development in the law should be allowed to proceed to trial, “[i]t is

beneficial, and indeed critical to the viability of civil justice and public access thereto

that claims, including novel claims, which are doomed to fail be disposed of at an

early stage in the proceedings.” (Emphasis in original.) This is because such claims

present "no legal justification for a protracted and expensive trial".

[12] Recently, in Trotman v. WestJet Airlines Ltd., 2022 BCCA 22, Bauman C.J.

addressed the gate-keeping role of a certification judge where there is a question of

statutory interpretation (at para. 46). The judge should not engage in a merit-based

analysis unless there is previous binding case law on the point or “the interpretive

Campbell v. Capital One Financial Corporation

Page 7

exercise is so straightforward the answer is plain and obvious even without previous

case authority.

[13] With respect to the “some basis in fact” assessment, in 676083 B.C. Ltd. v.

Revolution Resource Recovery Inc., 2021 BCCA 85 at para. 31, the Court of Appeal

underscored that the certification stage serves an important gate-keeping function:

Section 4(1) of the CPA establishes the statutory requirements for

certification of a class action. When these requirements are met, the

proceeding must be certified. The merits of a claim are not determined on a

certification application and the threshold for certification is low. Nevertheless,

certification serves as a "meaningful screening device", and the court

performs "an important gatekeeping role by screening out those claims

destined to founder at the merits stage of the proceeding": Pro-Sys

Consultants Ltd. v. Microsoft Corporation, 2013 SCC 57 at paras. 103ꟷ 104

[Pro-Sys Consultants]; Sherry at para. 22. Thus, the standard for assessing

evidence at certification requires more than a "superficial level of analysis into

the sufficiency of the evidence" and more than "symbolic scrutiny": Pro-Sys

Consultants at para. 10.

[14] These principles guide my analysis.

THE CERTIFICATION APPLICATION

[15] The certification application seeks certification of a single national class

comprised of all Canadians who Capital One informed that their Confidential

Information was affected by the Data Breach (“Class”). Mr. Campbell seeks

appointment as the representative plaintiff for the Class.

[16] The application proposes 27 liability-related common issues. These advance

causes of action in negligence, breach of contract and warranty, breach of the duty

of honest performance, breach of confidence, intrusion upon seclusion, breach of

statutory privacy rights, breach of consumer protection statutes, and breach of the

Civil Code of Québec [CCQ]. Five remedial common issues are proposed,

addressing issues such as joint and several liability, whether damages can be

assessed in the aggregate, responsibility for costs of distribution of awarded

damages, and interest. The Amended Notice of Civil Claim filed January 10, 2022

(“Claim”) quantifies damages at $800 million.

Campbell v. Capital One Financial Corporation

Page 8

UNDISPUTED FACTS

[17] Many of the background facts are not disputed. Rather, the parties disagree

about how they should be interpreted and how they affect the issues I must decide.

Capital One’s Promises to Safeguard Personal Information

[18] All Class members applied for Capital One credit cards between 2005 and

2019. To do so, they had to fill out an online application form (“Application”),

providing the following information:

Name

Date of Birth

Mother’s Maiden Name

Social Insurance Number [Optional]

Address

Email Address

Phone Number

Employment Status

Housing situation [Optional]

Annual Income before taxes

Other Income before taxes

Monthly Mortgage/Rent payment

Whether they have any bank accounts

[19] The Application informed applicants that by clicking “Review my Application”

they were confirming they had read Capital One’s “Important Disclosures”, “About

Your Privacy”, and “Other Important Information”, all of which were hyperlinked to

the Application.

[20] This material stated, in relevant part:

Terms of Offer

By submitting the Application Form, the applicant ("I"):

1. Certify that the information provided is true and correct and understand

that Capital One Bank (Canada Branch), ("Capital One"), will rely on this and

other information in deciding to open a MasterCard Account ("Account");

Campbell v. Capital One Financial Corporation

Page 9

2. Request that Capital One open an Account and issue appropriate

MasterCard card(s) ("Card(s)") and Personal Identification Number(s) to me

(including renewals and replacements from time to time);

3. Request that Capital One issue appropriate Cards to me for any

Authorized User identified on the Application Form, as well as renewals and

replacements from time to time;

4. Agree that use of the Account or Card(s) will confirm acceptance of Capital

One's MasterCard Customer Agreement as amended from time to time (the

"Agreement"), which will be sent with my Card(s) if approved; …

[21] Under the heading, “Privacy Terms”, the Application stated as follows:

Privacy Terms

We respect your privacy. Not only do we respect it, but we also protect it. We

collect and provide your information as required for the standard operation of

our business and as required by law. We may also release your information

to companies that you have authorized us to release your information to,

including service providers (such as the printers of our account statements),

credit reporting agencies (like TransUnion and Equifax), our own affiliates

and co-branding partners for cobranded rewards card. These companies

must first meet our rigorous privacy standards before we partner with them to

do business for you. We will not add your name to third-party marketing

campaigns for the first 30 days after the opening of your account to give you

an opportunity to make your privacy choice known to us. You can tell us your

privacy preferences by writing to us at the following address:

…

We may collect information about consumers who are not our current

customers, so we can develop our products and services. Sometimes this

information comes from lists like the telephone book. When a consumer

applies to be our customer, we collect the information given during the

application process (such as the consumer’s name, address, telephone

number and date of birth). We want you to understand why we collect and

use information about you and how this can benefit you. By knowing more

about our customers, we and our business partners can provide specialized

products that may be of interest to you and your family. We collect and use

information about consumers and customers so we or our service vendors

(whether engaged by or on behalf of us or any of our assignees) can use it in

the following ways:

i. to open, maintain, service, process, analyze, survey, audit, and

collect on an account;

ii. to verify your identity and credit worthiness;

iii. to protect you from identity theft, fraud, and unauthorized access to

your account;

iv. to share application and transaction information with consumer

reporting agencies and other parties who have financial, employment

or business dealings with you;

Campbell v. Capital One Financial Corporation

v. to determine your eligibility, administer and contact you for the

Page 10

purposes of marketing, promotions, rewards programs, research or

contests; and

vi. to use for any purpose required by law.

In addition, we may use your information in order to identify your preferences

and determine your eligibility for special offers and discounts, if approved, or

to make another offer to you or analyze your application (including your credit

reports) even if you are declined for this application. This information may

also be shared with any person or entity to which we have assigned or

transferred an interest in your account or any debt or interest due under the

terms to be provided in the Customer Agreement. This will apply upon your

approval, and/or any of our rights and obligations under the Customer

Agreement, including any subsequent assignee or transferee.

We may contact you by e-mail using the e-mail address you provided for

special offers or standard service messages. To ensure your security, we will

not include sensitive information in an e-mail such as your full 16-digit

account number, date of birth, Social Insurance Number (if provided) or

account balance. In the event that a service vendor is located outside of

Canada, the information on file for you or an authorized user may be

processed and stored outside Canada and foreign governments, courts of

law enforcement or regulatory agencies may be able to obtain disclosure of

this information. If you apply for credit, or by communicating or providing

information to us in any other way, you acknowledge your consent for

personal information collection, protection, use, disclosure and retention as

set out herein. Subject to legal and contractual restrictions, you may withdraw

your consent at any time after your account has been opened with

reasonable notice.

Privacy Terms for Authorized Users

We or our service vendors (whether engaged by or on behalf of us or any of

our assignees) may collect, use and disclose personal information of

authorized users such as name and details of their transactions to: open,

maintain, service, process, analyze, audit and collect on the account

(notwithstanding that authorized users will not be held liable for the account);

protect the account from identity theft, fraud and unauthorized access; and for

any purpose required by law. All information on file for authorized users may

be disclosed to the applicant. All information may also be shared with any

person or entity to which we have assigned or transferred an interest in the

account, or any debt or interest due under the terms to be provided in the

Agreement, if approved, and/or any of our rights and obligations under the

Agreement (including any subsequent assignee or transferee).

If you want to learn more about our privacy policies, please call us toll-free at

1-800-481-3239 or review the Capital One Privacy Statement included in the

Customer Agreement you will receive as part of your Welcome Kit.

…

Campbell v. Capital One Financial Corporation

Page 11

Personal Use

You agree that you will use your Card and your Account for personal, family

or household purposes only and will not use your Card or your Account for

any other purpose, including for business or commercial purposes.

[22] I will refer to the information about privacy in the Application as the “Privacy

Terms”.

[23] If Capital One approved the Application, it issued the credit card and sent it to

the person with a cardholder agreement (“Agreement”) that included the following

relevant terms:

Customer Agreement

We’re happy to open your credit card account. This Agreement contains

information about your account. Please read it and keep it for your records. In

this Agreement, the words “you,” “your” and “yours” refer to the applicant and

any co-applicant who, according to our records, was identified as such as

part of the application, meaning the request to us for the account. These

words do not include an authorized user. The words “we,” “us” and “our”

mean the Capital One Bank (Canada Branch) and its successors or assigns.

®

The word “transaction” means purchases, cash advances, special transfers,

balance transfers, Account Access Cheque use, credits, mail or phone

orders, or any other use of the account. The provisions of the Initial

Disclosure Statement that you received when we approved your application

for a Capital One credit card and the terms of our Privacy Statement, as well

as amendments to either that we provide to you, are incorporated as part of

the terms of this Agreement.

1. Confirming your Agreement with us.

When your account is accessed for the first time, it confirms the account was

opened at your request, that you accept the terms of this Agreement and that

you request renewal replacement cards and Account Access Cheques.

Where you have requested a personal identification number (PIN), its first

use also confirms this Agreement’s terms concerning it.

….

Privacy Statement

Our Commitment to Protecting Your Privacy

Capital One® is committed to keeping your personal information accurate,

confidential and secure. We want to earn your trust by providing strict

safeguards to protect your information.

What is Personal Information?

Personal information is any information that can identify you.

Campbell v. Capital One Financial Corporation

Page 12

Your Privacy

We respect your privacy. Not only do we respect it, but we also protect it. The

personal information you share with us, stays with us. We collect and provide

your information as required for the standard operation of our business and

as required by law. We may also release your information to companies that

you have authorized us to release your information to, including service

providers (such as the printers of our account statements), credit reporting

agencies (like TransUnion and Equifax), our own affiliates and co-branding

partners for co-branded rewards card. These companies must first meet our

rigorous privacy standards before we partner with them to do business for

you.

Your Privacy Choices and How to Contact Us

We will not add your name to third-party marketing campaigns for the first 30

days after the opening of your account to give you a opportunity to make your

privacy choice known to us.

…

Access to Personal Information about You

We retain your personal information on our servers and hard drives or on

those of our service providers, both within and outside of Canada. You may

request access to the personal information we collect about you. …

Confidentiality and Security

We have physical security (access in buildings), electronic protection

(encryption), and safe business practices (customer authentication when you

call us) to prevent identity theft. We restrict access to your personal

information to those who need to have it to provide products or services to

you. We use other companies to provide services for us such as marketing,

advertising and credit card embossing, but select these companies carefully

and require them to keep the information we share with them safe and

secure. We do not allow them to use or share information for any purpose

other than the job they are hired to do.

…

Use of Information

We want you to understand why we collect and use information about you

and how this can benefit you. By knowing more about our customers, we and

our business partners can provide specialized products that may be of

interest to you and your family. We collect and use information about

consumers and customers so we or our service vendors (whether engaged

by or on behalf of us or any of our assignees) can use it in the following ways:

(i) to open, maintain, service, process, analyze, survey, audit and

collect on your account;

(ii) to verify your identity and credit worthiness;

(iii) to protect you from identity theft, fraud and unauthorized access to

your account;

Campbell v. Capital One Financial Corporation

(iv) to share application and transaction information with consumer

Page 13

reporting agencies and other parties who have financial, employment

or business dealings with you and;

(v) to determine your eligibility, administer and contact you for the

purposes of marketing, promotions, rewards programs, research or

contests; and

(vi) to use for any purpose required by law.

This information may also be shared with any person or entity to which we

have assigned or transferred an interest in your account, any debt or interest

due or any of our rights or obligations under any agreement with you

(including any subsequent assignee).

…

Sharing of Information

…

Other third parties. We may share with carefully selected business partners

information we collect about our customers, former customers, and withdrawn

or declined applicants, such as name, street address, e-mail address and

telephone number, for the purpose of determining the eligibility of customers

and consumers for valuable products and services (such as credit balance

insurance and credit report monitoring) offered by us or our business

partners. We may share customer information with other parties who have

financial, employment or business dealings with you. If you give us your

Social Insurance Number, we may use it to identify you with credit reporting

agencies and other parties, and we may keep it along with other information

about you in our records, even after your account is closed to use for the

purposes stated above. We ensure that any third party is bound to respect

your privacy rights in the same way that we are.

…

Your Consent

If you apply for credit, or by communicating or providing information to us in

any other way, you acknowledge your consent for personal information

collection, protection, use, disclosure and retention as set out herein. Subject

to legal and contractual restrictions, you may withdraw your consent at any

time after your account has been opened with reasonable notice.

[24] I will refer to the terms respecting privacy in the Agreement as the “Privacy

Statement”.

[25] Capital One also had a privacy policy (“Privacy Policy”) that was incorporated

by reference into the Agreement. In material part, it provided as follows:

1. PRIVACY COMMITMENT AND PERSONAL INFORMATION

Capital One

®

is committed to keeping personal information accurate,

confidential and secure.

Campbell v. Capital One Financial Corporation

Page 14

We collect, use and disclose personal information to operate our business

and as required by law. Personal information is information about an

identifiable individual, as defined in the Personal Information Protection and

Electronic Documents Act.

2. CHANGES TO PRIVACY POLICY

This Privacy Policy (“Policy”) describes our current privacy practices. We

update this Policy on an ongoing basis to ensure consumers, applicants and

customers are aware of updates to our privacy practices, to streamline those

practices and to comply with applicable laws. Consumers are individuals who

are not currently our customers; applicants are individuals who apply to

become our customers; and customers are individuals who have been

approved, use or have used our products and services in the past. Please

visit this site regularly for updates.

…

4. IDENTIFYING PURPOSES

Capital One clearly identifies the purposes for which personal information is

collected, used or disclosed prior to or at the time of collection.

Capital One may collect, use and disclose personal information of

consumers, applicants and customers to develop, analyze and advertise

products and services, process applications, maintain and service accounts,

and comply with applicable laws.

Except where information is marked as mandatory, you get to decide what

information you want to share with us.

[26] In ensuing paragraphs, the Privacy Policy explains what information it collects

from consumers, applicants and customers, and how it uses such information. It

states the following with respect to consent:

5. CONSENT

If you apply for a credit product, communicate with us or provide personal

information to us in any way, you acknowledge your consent for personal

information collection, use and disclosure as set out in this Policy or

applicable laws and industry standards. If we want to use your information for

a purpose that was not disclosed at the time of initial consent, consent will be

sought at the time of this new purpose.

Updating consent. You can withdraw your consent for use and disclosure of

your personal information, other than that which is required for us to maintain

and service your account, subject to legal and contractual restrictions, with

reasonable notice to Capital One. You can also request that we don’t contact

you for advertising, marketing, promotions, rewards programs, research or

contests; however, we may still need to contact you to comply with applicable

laws or for business needs.

Campbell v. Capital One Financial Corporation

Page 15

[27] Under the heading “Limiting Use, Disclosure and Retention”, Capital One

states:

Capital One limits use, disclosure and retention of personal information to the

purposes we identify, and as required by applicable laws.

Third-party service providers. We may share your personal information

with service providers who perform services on our behalf (such as credit

reporting, marketing, research, data processing and other services as

required to service you). Our contracts with third parties include obligations to

protect your personal information, and third parties must meet our rigorous

privacy standards. When you engage with other companies directly, or

contact us through their platforms, their use of the information they collect

from you is subject to the terms of their privacy policies.

…

Information processed outside Canada. Your personal information may be

stored and processed at our corporate offices in the U.S. or with approved

third parties within the U.S. or elsewhere.

If a third party processes or stores information outside Canada, foreign

governments, courts or regulatory agencies may therefore be able to obtain

such personal information through the laws of the foreign jurisdiction.

[28] This section does not address retention other than in its opening clause.

[29] The Privacy Policy describes how it protects personal information:

Capital One uses procedures and practices appropriate to the sensitivity of

personal information to protect against loss, theft and unauthorized access.

Access to your information is restricted to those individuals and parties who

require access.

For example, we have physical security (such as restricted access to our

offices and secure storage), electronic protection (such as passwords and

encryption) and safe business practices (such as customer authentication

when you call us). We also train our staff on how to safeguard personal

information.

You can help us safeguard your information too. If you contact us through

email or social media, you should avoid sending highly sensitive information,

such as your banking information or full credit card number. We also

recommend that you use unique and strong passwords for your online

account(s) and that you don’t share your passwords with anyone.

[30] The Claim incorporates by reference the Application and Agreement, thereby

also incorporating by reference the Privacy Terms, Privacy Statement and Privacy

Policy. For the purposes of the cause of action assessment under s. 4(1)(a) of the

CPA, this means that I may consider inconsistencies between the facts in these

Campbell v. Capital One Financial Corporation

Page 16

documents and facts pleaded in the Claim in determining whether a cause of action

is disclosed: Del Giudice at paras. 43-48, 125-6; Setoguchi v. Uber B.V., 2021

ABQB 18 at para. 63. I am satisfied that these documents are an integral part of the

Claim. As such, the guidance of the Federal Court in Jensen v. Samsung Electronics

Co. Ltd., 2021 FC 1185 at para. 86, is instructive:

… it is appropriate for the certification judge to read the quotes and

paraphrases contained in the pleadings in their context, by referring to their

originating documents. If a plaintiff has ascribed a meaning to those

paraphrases and quotes that is not consistent, on a plain reading, with the

documents from which they originate, and if the documents referred to in the

pleadings do not actually say what the Plaintiffs allege they say, the Court

cannot consider these allegations as material facts, as they would not be true

and would be incapable of proof. Indeed, counsel for the Plaintiffs conceded

at the hearing before this Court that, if the allegations made in the Statement

of Claim contain statements, paraphrases or facts that happen to be false or

incorrect when compared to what the underlying documents actually contain,

it is appropriate for the Court not to consider them or to give them no weight.

ANALYSIS

[31] Before turning to the test for certification, it is useful to address two issues.

The first is the relevance of the Del Giudice decision here. The second is whether

this action should include Québec in light of the current proceeding in Québec.

[32] In Del Giudice, Perell J. dismissed the plaintiff’s application for certification of

a national class action against Capital One arising out of the Data Breach, finding

that none of the pleaded claims disclosed a cause of action under the Ontario

equivalent of s. 4(1)(a). Capital One says Del Guidice is very persuasive because it

arises out of precisely the same facts; Mr. Campbell says I should not accord it any

special weight.

[33] The plaintiff’s theory of the case in Del Giudice is broader and more complex

than the claim before me, which is a relatively straight-forward data breach action.

That is one of the reasons I granted carriage to Mr. Campbell: Campbell at para. 20.

Perell J. discusses the complexity of the Del Giudice claim at length and it is an

important reason why he denied certification: see, for instance, paras. 12-14, 268-

270. Allowing for these differences, Perell J.’s consideration of those causes of

Campbell v. Capital One Financial Corporation

Page 17

action that are also before me is helpful; that they arise out of the same facts

contributes to their persuasiveness. I rely on Del Giudice to that extent.

[34] As I have noted, a class proceeding was commenced in Québec against

Capital One on behalf of a Québec class in July 2019 (“Québec Action”). By virtue of

the definition in s. 1 of the CPA, the Québec Action is a multijurisdictional proceeding

for the purposes of the CPA, and s. 2(2)(b) required Mr. Campbell to give notice of

this certification application to the Québec class.

[35] The parties to this application did not realize that notice had not been given

until the certification hearing before me had commenced. I directed that notice be

given and allowed class counsel in the Québec Action an opportunity to make

submissions. Briefly, class counsel in the Québec Action oppose inclusion of a

Québec class in this proceeding; Mr. Campbell maintains that there should be a

single national class that includes Québec.

[36] The CPA addresses this issue in s. 4(3), which requires me to determine

whether it is preferable for all or some of the claims or common issues to be decided

in this action or in the Québec Action. Section 4(4) sets out what considerations

guide that determination:

(4) When making a determination under subsection (3), the court must

(a) be guided by the following objectives:

(i) to ensure that the interests of all parties in each of the

relevant jurisdictions are given due consideration;

(ii) to ensure that the ends of justice are served;

(iii) to avoid irreconcilable judgments, if possible;

(iv) to promote judicial economy, and

(b) consider relevant factors, including the following:

(i) the alleged basis of liability, including the applicable laws;

(ii) the stage that each of the proceedings has reached;

(iii) the plan for the proposed multi-jurisdictional class

proceeding, including the viability of the plan and the capacity

and resources for advancing the proceeding on behalf of the

proposed class;

Campbell v. Capital One Financial Corporation

Page 18

(iv) the location of class members and representative plaintiffs

in each of the proceedings, including the ability of

representative plaintiffs to participate in the proceedings and to

represent the interests of class members;

(v) the location of evidence and witnesses.

[37] Class counsel in the Québec Action did not file any evidence in support of

their position and no one provided me with the pleading in the Québec Action.²

Based on the representations of counsel in their submissions, the relevant facts are:

 The Québec Action was filed before the Campbell Action was filed;

 The key facts underlying the two actions are the same (that is, the Data

Breach);

 The Québec Action is based primarily on alleged breaches of the CCQ,

Québec’s privacy and consumer protection statutes, and the Québec Charter

of Human Rights and Freedoms, R.S.Q., c. C-12;

 The Québec Action is being judicially case-managed by Justice Tremblay and

several preliminary steps have been taken. A case management conference

to set dates for an authorization hearing (equivalent to a certification hearing)

is set for late March;

 About 100 Québec residents have registered on the website created by class

counsel in the Campbell Action and the plaintiff says that registrants can

access the site in multiple languages including French using “Google

translate”; and

 Some 10,256 Québec residents have registered on the bilingual website

created by Québec class counsel.

²Québec class counsel’s concern that providing me with any evidence would constitute attornment to

this jurisdiction is misconceived. The CPA expressly provides for participation by counsel from other

jurisdictions at the certification stage without attornment.

Campbell v. Capital One Financial Corporation

Page 19

[38] The key relevant factor in this case is s. 4(4)(b)(i). I say this because,

although the authorization hearing has not occurred, the Québec Action is

progressing. Essentially, it is one step behind this action. That is different from a

situation where no steps have been taken in the other action. No one addressed the

workplan. There is no material difference between these parties with respect to

factors (iv) and (v).

[39] I accept that the Campbell Action and Québec Action assert the same or very

similar bases of liability. The difference, in my view, lies in the way the two actions

are likely to be pursued to promote the best interests of Québec residents.

[40] It is clear from the Claim and the submissions in the certification hearing that

class counsel in the Campbell Action see the claims of Québec residents as

analogous to the statutory claims of residents of common law jurisdictions and not

particularly distinctive.

[41] For example, while Mr. Campbell stresses the importance of the breach of

contract claim referring to articles of the CCQ relating to that claim and says it is not

pleaded in the Québec Action, the Campbell Action does not actually plead breach

of these articles. Under the heading “statutes”, para. 201 of the Claim states that the

plaintiff pleads and relies on the CPA, Personal Information Protection and

Electronic Documents Act, S.C. 2000, c. 5 [PIPEDA], negligence statutes, and

consumer protection statutes. It does not mention the CCQ. As no one produced the

claim in the Québec Action, I do not know whether it pleads breach of contract or

not.

[42] By contrast, I understand that the whole focus of the Québec Action is on the

liability of Capital One to Québec residents under Québec law.

[43] In the circumstances of this case, I consider that the interests of Québec

residents and the ends of justice will be better served by excluding residents of

Québec from the Campbell Action. In my view, the risk that the Québec Action will

Campbell v. Capital One Financial Corporation

Page 20

not be certified is outweighed by the risk that the distinctive legal claims of Québec

residents will not be fully addressed in the Campbell Action.

[44] There is little danger of irreconcilable judgments because the claims in the

Québec Action are advanced under civil law. No one has suggested that there is a

risk that interpreting Québec’s consumer protection statute differently from another

jurisdiction’s consumer protection statute would lead to irreconcilable differences. I

agree with Skolrood J.’s comment in N&C Transportation Ltd. v. Navistar

International Corporation, 2021 BCSC 2046 at para. 50, that “there is considerable

force to the submission of the defendants that litigating civil law and common law

claims alongside one another in the same proceeding would add undue complexity

to the matter.”

[45] Therefore, I modify the class definition in this action to exclude residents of

Québec.

[46] In closing on this issue, I want to be clear that I am not suggesting that

multijurisdictional class actions in general should not include Québec. It will often be

appropriate to do so to achieve the objectives in s. 4(4)(a) of the CPA. However,

counsel seeking to certify a multijurisdictional class action including Québec must

ensure that their pleading and submissions address the distinctive nature of Québec

law. Equally, counsel opposing the inclusion of Québec must provide adequate

evidence and submissions to the court hearing the issue that allow it to fully canvass

the factors set out in s. 4(4).

Do the Pleadings Disclose a Cause of Action?

Negligence

[47] The four elements of a negligence claim are (1) the defendant owed the

plaintiff a duty of care; (2) the defendant’s conduct breached the standard of care;

(3) the plaintiff suffered compensable damages; and (4) the defendant’s breach

caused the plaintiff’s damages in fact and law: 1688782 Ontario Inc. v. Maple Leaf

Campbell v. Capital One Financial Corporation

Page 21

Foods Inc., 2020 SCC 35 at para. 18; Mustapha v. Culligan of Canada Ltd., 2008

SCC 27 at para. 3.

[48] Capital One argues that Mr. Campbell has not adequately pleaded the

existence of a duty of care, that he suffered compensable damages, or causation.

[49] Mr. Campbell acknowledges that he is asserting a novel duty of care and that

he must satisfy the Anns/Cooper framework. He submits that the pleaded facts

establish a sufficiently proximate relationship and foreseeability. The Claim defines

the duty of care owed to the Class by Capital One as:

…to keep their Personal Information confidential and secure, and to ensure

that it would not be lost, disseminated or disclosed to unauthorized persons

and to delete and destroy the Personal Information of applicants whose

application[s] were rejected and customers whose credit cards were

cancelled. …

[50] The plaintiff relies on Tucci v. Peoples Trust Company, 2017 BCSC 1525

[Tucci BCSC] rev’d in part 2020 BCCA 246 [Tucci BCCA]. There, Justice Masuhara

found that it was not plain and obvious that a duty of care could not be found in a

cyber-breach case because the pleaded facts were capable of establishing both a

sufficiently close and direct relationship and reasonable foreseeability of harm:

[123] In my view it is not plain and obvious that the first stage of the

Anns/Cooper test is not met. The plaintiff has pleaded sufficient facts capable

of establishing that harm was reasonably foreseeable. The information

collected by Peoples Trust was sensitive and collected in the course of online

applications for financial services. It is arguably reasonably foreseeable that

harm such as identity theft could result if such information were disclosed or

not securely stored, and it was again arguably foreseeable to Peoples Trust

given the various policies and contractual terms it developed. Further, the

plaintiff has pleaded sufficient facts that could establish a close and direct

relationship between Peoples Trust and individuals who applied to it for

financial services.

[51] The Court of Appeal agreed with this conclusion: at para. 51.

[52] The Claim pleads the following damages:

Upon being notified of the Breach, Class Members have experienced fear

and apprehension, anxiety, anger, risk, confusion and humiliation in relation

to the unauthorized or unknown future use of their Personal Information. To

mitigate the risks, Class Members have taken all reasonable steps necessary

Campbell v. Capital One Financial Corporation

Page 22

to protect their credit reputation and secure their finances including hours of

wasted time, lost income and inconvenience involved in applying for and the

cost of credit monitoring services and identity protection services, monitoring

credit reports issued by credit reporting services, placing credit flag/fraud

alerts with credit reporting companies, prolonged credit transactions due to

the credit flags, changing passwords, notifying financial institutions and

applying for a new socialinsurance number from Service Canada.

[53] Put succinctly, the pleaded damages consist of (1) emotional distress,

(2) increased risk of harm, and (3) the costs of mitigating against that risk.

[54] While the first two types of loss may not be compensable absent pleading

actual loss, expenses actually incurred to mitigate against the risk of future loss are

compensable damages and satisfy the third element of a negligence claim. In Obodo

v. Trans Union of Canada, Inc., 2021 ONSC 7297, which was also a data breach

case, the court rejected the same objection that Capital One advances here. After

considering the relevant authorities, Glustein J. concluded that it was not settled law

that the claims for out of pocket damages and mental distress cannot constitute

damages in a class action and held that the claim before him disclosed a cause of

action in negligence: at para. 160; see also Kaplan v. Casino Rama, 2019 ONSC

2025 at para. 22.

[55] Capital One relies on Babstock. There, at para. 27, Brown J. for the majority

held that disgorgement is a remedy, not an independent cause of action. That

means that a plaintiff must prove all elements of negligence, including actual

damages, before it can seek disgorgement: at paras. 32-33. The plaintiffs in

Babstock did not plead the loss element of negligence. By contrast, Mr. Campbell

has pleaded loss arising from the costs of risk mitigation.

[56] Even where there is a viable negligence claim, disgorgement may not be

available. In The Insurance Corporation of British Columbia v. Teck Metals Inc.,

2022 BCSC 374, Justice Riley struck a claim for disgorgement as disclosing no

reasonable cause of action where the alleged negligence arose from acid spills on a

highway. He noted (at para. 19) that Justice Branch had allowed a disgorgement

claim arising out of alleged negligence in the contents of health supplement products

in Krishnan v. Jamieson Laboratories Inc., 2021 BCSC 1396.

Campbell v. Capital One Financial Corporation

Page 23

[57] Riley J. found that that a disgorgement remedy was not available where

losses are quantifiable:

[22]

As noted, disgorgement is an exceptional remedy only available

where traditional remedies would not provide an adequate legal response to

the actionable wrongful conduct of the defendant. Traditional remedies may

be inadequate where, for example, the plaintiff's loss is impossible to

calculate, or where the plaintiff's interest in the defendant's performance of its

legal obligations is not reflected by a purely economic measure: Atlantic

Lottery at para. 59.

[23]

In the case at bar, the plaintiff's second amended notice of civil claim

seeks damages as compensation for various amounts of money paid out or

expended internally in connection with the acid spills that are the subject of

the action. These damages include: (i) compensation for amounts paid out to

insureds whose vehicles were determined to be exposed to acid from the

spills; (ii) costs for towing of vehicles that had to be inspected, together with

costs for replacement vehicle rentals for those owners; and (iii) costs of

investigating the claims arising from the acid spills. Thus, the plaintiff is

clearly able to identify various categories of loss it has suffered in connection

with the acid spills, and to place a monetary value on each category of loss.

[24]

The plaintiff's claim for disgorgement of profits is framed as a

supplementary or alternative form of relief. The plaintiff does not allege that

more conventional forms of damage would be inadequate for any reason.

[25]

On the basis of the pleadings, there is no suggestion that the plaintiff's

losses would be impossible to calculate. Indeed, the alleged losses are

reflective of monies paid out or expenses incurred by the plaintiff, by way of

insurance payments to individual insureds, towing and replacement vehicle

rental costs, and costs of investigating the vehicle damage claims.

[58] Here, the pleaded losses are also routinely pleaded and quantified in

negligence actions. They include out of pocket expenditures and time spent to

protect against he risks of misuse of Confidential Information. The pleading does not

contain material facts showing that the plaintiff has a legitimate interest in Capital

One’s profits. I conclude that the pleadings disclose a cause of action in negligence,

but do not disclose a disgorgement remedy.

[59] Before leaving this issue, I note that the plaintiff pleads joint and several

liability under s. 4(2)(a) of the Negligence Act, R.S.B.C. 1996, c. 333, and equivalent

provisions in other common law provinces. That subsection does not create a cause

of action. It addresses allocation of liability by stipulating that where two or more

persons are at fault for a loss, they are jointly and severally liable. The loss must be

global or indivisible: WorleyParsons Canada Ltd. v. David Nairn and Associates,

Campbell v. Capital One Financial Corporation

Page 24

2013 BCCA 513 at para. 19. Mr. Campbell has pleaded that Capital One and

Ms. Thompson engaged in tortious conduct and that the plaintiff’s loss is indivisible.

That is sufficient to engage the statute for certification purposes.

Breach of Contract

[60] The Claim pleads that, in addition to the Agreement, there was also a contract

between Capital One and those who applied for credit cards but whose Applications

were rejected. Capital One says the application form was not a contract. It also takes

issue with the plaintiff’s position on which Capital One entities were the contracting

parties.

Was the Application a Contract?

[61] The Application expressly states that it is an offer by the applicant to enter

into a contractual relationship with Capital One:

Terms of Offer

By submitting the Application Form, the applicant ("I"):

1. Certify that the information provided is true and correct and understand

that Capital One Bank (Canada Branch), ("Capital One"), will rely on this and

other information in deciding to open a MasterCard Account ("Account");

2. Request that Capital One open an Account and issue appropriate

MasterCard card(s) ("Card(s)") and Personal Identification Number(s) to me

(including renewals and replacements from time to time);

3. Request that Capital One issue appropriate Cards to me for any

Authorized User identified on the Application Form, as well as renewals and

replacements from time to time;

4. Agree that use of the Account or Card(s) will confirm acceptance of Capital

One's MasterCard Customer Agreement as amended from time to time (the

"Agreement"), which will be sent with my Card(s) if approved; …

[62] The Claim characterizes this language as a contract, “formed when the

applicant provided Capital One with Personal Information in exchange for

consideration of the applicant's application for a credit card.” On its face, that is an

untenable interpretation of unambiguous contractual language. It is plain and

obvious that the claim based on the existence of a contract between unsuccessful

credit card applicants and Capital One is bound to fail.

Campbell v. Capital One Financial Corporation

Who are the parties to the Agreement?

Page 25

[63] Current and former cardholders are parties to the Agreement. The Claim

pleads that both Capital One (Canada Branch) and Capital One Financial

Corporation are parties to the contract and, in the alternative:

… Capital One Canada entered into the contract(s) on behalf of and with the

ostensible authority of Capital One, who established Capital One Canada to

be its authorized agent in Canada. Through the use of its trademark and logo

in the contract(s) and assurances it made in the Privacy Statement section of

the contract(s), Capital One intended to convey to customers and did

convey that its agent in Canada, Capital One Canada had ostensible

authority to enter into the contracts on its behalf. Therefore, Capital One

in its capacity as principal is liable, together with Capital OneCanada for

breaches of the contract.

[64] Capital One says that the contract is only between Capital One (Canada

Branch) and the current or former cardholder.

[65] The Agreement expressly defines the contracting parties:

In this Agreement, the words “you,” “your” and “yours” refer to the applicant

and any co-applicant who, according to our records, was identified as such as

part of the application, meaning the request to us for the account. These

words do not include an authorized user. The words “we,” “us” and “our”

mean the Capital One Bank (Canada Branch) and its successors or assigns.

®

[66] Mr. Campbell points to the “Capital One” trademark that appears on the cover

page of the Agreement. The last page of the Agreement states that Capital One is a

registered trademark and “All trademarks used herein are owned by their respective

entities.” The trademark also appears on the Application where, in very small print, it

is stated to be the trademark “of Capital One Financial Corporation used under

licence.”

[67] Capital One submits that there is no authority for the proposition that the

presence of a trademark on a document makes the holder of a trademark a

contracting party, noting that the ubiquitous presence of manufacturer trademarks on

goods sold by retailers does not mean that manufacturers are thereby contracting

with consumers. I agree. The Agreement defines the contracting parties as Capital

Campbell v. Capital One Financial Corporation

Page 26

One (Canada Branch) and the cardholder. The Claim does not disclose a cause of

action for breach of contract against Capital One Financial Corporation.

Is there a Cause of Action in Contract against Capital One (Canada

Branch)?

[68] The Agreement is a contract of adhesion and this fact informs consideration

of the breach of contract claim. Specifically, any ambiguity should be interpreted in

favour of the plaintiff: Zurich Life Insurance Co. of Canada v. Davies, [1981] 2 S.C.R.

670 at 674.

[69] Before determining whether the Claim discloses a cause of action for breach

of contract, I must consider whether it is possible to interpret the Agreement as

incorporating by reference the requirements of PIPEDA. If it does, the breach of

contract claim would include breach of PIPEDA. For example, the Claim pleads that

Capital One’s failure to delete and destroy the personal information of former

cardholders when they ceased to be cardholders. The source of this requirement is

PIPEDA.

[70] The Claim pleads that “[b]y promising to comply with applicable privacy

legislation in its Privacy Policy, Capital One incorporated applicable privacy

legislation intothecontract, includingPIPEDA.”

[71] However, the only explicit reference to PIPEDA is in section 1 of the Privacy

Policy:

1. PRIVACY COMMITMENT AND PERSONAL INFORMATION

Capital One is committed to keeping personal information accurate,

®

confidential and secure.

We collect, use and disclose personal information to operate our business

and as required by law. Personal information is information about an

identifiable individual, as defined in the Personal Information Protection and

Electronic Documents Act.

Campbell v. Capital One Financial Corporation

Page 27

[72] There are three other references to “laws” in the Privacy Policy:

5. CONSENT

If you apply for a credit product, communicate with us or provide personal

information to us in any way, you acknowledge your consent for personal

information collection, use and disclosure as set out in this Policy or

applicable laws and industry standards.

6. LIMITING COLLECTION

Capital One only collects personal information that’s necessary for the

purposes we identify, and as required by applicable laws.

7. LIMITING USE, DISCLOSURE AND RETENTION

Capital One limits use, disclosure and retention of personal information to the

purposes we identify, and as required by applicable laws.

[73] It is open to contracting parties to choose to incorporate legislative

requirements into their contracts. The question is whether, in light of the contractual

language, there is any air of reality to the plaintiff’s claim that PIPEDA is

incorporated into the Agreement.

[74] Even reading the Claim as generously as possible, the Privacy Policy does

not commit Capital One to compliance with PIPEDA, thereby incorporating PIPEDA

into the terms of the Agreement. The language of the Agreement is not ambiguous.

It expressly incorporates only PIPEDA’s definition of personal information.

[75] The three references to “other applicable laws” do not specify what those

laws are either in those clauses or anywhere else in the Agreement. The passage

under the heading “consent” explains that the individual is consenting to Capital

One’s collection, use, and disclosure of personal information as explained in its

policy, or applicable laws or industry standards. This passage does not say or imply

that Capital One will not collect, use, disclose or retain personal information unless

authorized to do so under PIPEDA. The references to “applicable laws” under the

headings “Limiting Collection” and “Limiting Use, Disclosure and Retention” say that

that any constraints on collection, use, disclosure and retention are those set out by

Capital One and applicable laws. These passages do not say or imply that Capital

One’s purposes for collection, use, disclosure or retention are restricted to purposes

authorized by PIPEDA.

Campbell v. Capital One Financial Corporation

Page 28

[76] The cases on which the plaintiff relies are distinguishable because in each the

court found that the contractual language was ambiguous and could reasonably be

interpreted as incorporating a particular law. In Sharp v. Royal Mutual Funds Inc.,

2020 BCSC 1781 at para. 97 aff’d 2021 BCCA 307, there was a live question as to

whether the relevant contract’s references to Canadian securities legislation was

purely informational, or intended to actually confer rights. The language of the

Agreement in this case does not give rise to any similar questions. See also

Berenguer v. SATA Internacional – Azores Airlines, S.A., 2021 FC 394 at para. 84.

[77] Further, the Agreement expressly authorizes Capital One to collect, use,

disclose and retain personal information in ways prohibited by PIPEDA. For

example, the Agreement does not prohibit Capital One from retaining the personal

information of former cardholders, whereas PIPEDA does.

[78] I conclude that it is plain and obvious that the portion of the breach of contract

claim based on a breach of PIPEDA is bound to fail.

[79] However, the breach of contract claim does not rest exclusively on PIPEDA.

The Claim also pleads that Capital One breached the Agreement by failing to

employ sufficiently strict safeguards against unauthorized access and failing to

encrypt user data. It sets out the following particulars:



they failed to hire competent employees, they failed to properly

supervise their employees, or theyfailedto provide propertrainingto

their employees;



they failedto encrypt the data,storingit in 'plain-text' instead;

 they failed to filter traffic from suspicious IP addresses or to catch the

transfer of 28GBof data out of their serversto the suspicious IP

addresses;

 they failed to properly limit the access granted to the account used by

the Hacker to the access necessary for the account's role or have

processes to monitor when it wasbeingused for a process it wasnot

needed for;



theyfailedto implementadequate security monitoringprocedures

resulting in the defendants failing to detect the breach for several

months. At the time of pleading the defendants would be unaware of

the breach had it not been for atip from a white hat cybersource.

Campbell v. Capital One Financial Corporation

Page 29

[80] The Claim pleads compensatory and nominal damages and seeks

disgorgement. For the reasons set out above in relation to the negligence claim, I

find that compensatory damages are adequately pleaded. A plaintiff may disclaim

compensatory damages in favour of nominal damages: Sharp at para. 164.

[81] With respect to disgorgement, the Supreme Court of Canada has established

that disgorgement may be available for breach of contract in “certain exceptional

circumstances”, and only where damages, specific performance and injunction are

inadequate and the circumstances warrant. An important consideration is whether

the plaintiff had a legitimate interest in preventing the defendants’ profit-making

activity: Babstock at paras. 53, 59.

[82] In Babstock at para. 60, Justice Brown states that, “compensatory damages

are not inadequate merely because a plaintiff is unwilling, or does not have sufficient

evidence, to prove loss”. Rather, the inadequacy must flow from the nature of the

plaintiff’s interest. Justice Brown found that there was nothing exceptional about a

breach of contract arising from allegedly deceptive video lottery terminals that could

give the class of plaintiffs in that case a legitimate interest in the defendant’s profit-

making activity.

[83] Here, the Claim pleads that the plaintiffs’ “contract interest is such that it

cannot be vindicated by other forms of contractual relief and cannot possibly be

quantified in monetary terms”. The Claim refers to the need to “deter the wrongdoer”,

the “trust, confidence and vulnerability” of class members, and the importance of

privacy interests. Notably absent are material facts that are capable of establishing

that the class has any legitimate interest in Capital One’s profit-making activity. As

counsel put it, albeit in another context, “this is a straightforward data breach case”.

It is plain and obvious that a claim for disgorgement damages for breach of contract

cannot succeed.

[84] Subject to these limitations, the breach of contract claim is adequately

pleaded.

Campbell v. Capital One Financial Corporation

Page 30

Breach of Express and Implied Warranties

[85] The Claim pleads breach of warranties as follows:

59. Through its Customer Agreement, Privacy Statement and Privacy Policy,

the defendants continually warranted to customers that it took their privacy

seriously and that protecting their Personal Information was a paramount

concern and that it would keep their Information private and confidential

with an intention to prevent identity theft. Further, the defendants

warranted or guaranteed ''The personal information you share with us,

stayswithus".

60. The defendants breached its warranties by not taking customer privacy

seriously, by not making customer Personal Information its paramount

concern, and by not guaranteeing the Personal Information shared with

CapitalOne stayed with Capital One.

[86] I agree with Capital One that the Agreement does not warrant that Capital

One will not disclose customer personal information to others. In fact, it expressly

states that it will disclose such information to third parties for stated purposes. The

Agreement does not represent that protection of such information is Capital One’s

“paramount” concern or that its data storage system is impenetrable. Taking privacy

“seriously” is the kind of subjective description that does not give rise to enforceable

contractual obligations: First City Dev. Corp. v. Bekei (1986), 3 B.C.L.R. 175 at 208-

209 (S.C.); Topnotch Developments Ltd. v. Welldone Ventures Canada Inc., 1991

596 (B.C.S.C.). The breach of warranty claims are bound to fail.

Breach of Contractual Duty of Honest Performance

[87] As the Supreme Court of Canada held in C.M. Callow Inc. v. Zollinger, 2020

SCC 45 at para. 81 [Callow], this cause of action arises only where a defendant

engages in active dishonesty or deception that is directly related to the performance

of the contract. Put another way, the central element is whether one contracting

party lied or knowingly misled the other: Callow at para. 88.

[88] The Claim does not contain this element. Mr. Campbell pleads that the

statements made in the Agreement about the security measures in place to protect

the Confidential Data amounted to a promise that there would be no unauthorised

access to it.

Campbell v. Capital One Financial Corporation

Page 31

[89] However, nothing in the Agreement can be read as representing anything

more than that Capital One has implemented security measures to protect against

hacking. For example, the Privacy Statement says:

Capital One® is committed to keeping your personal information accurate,

confidential and secure. We want to earn your trust by providing strict

safeguards to protect your information.

[90] The Privacy Policy states:

Capital One uses procedures and practices appropriate to the sensitivity of

personal information to protect against loss, theft and unauthorized access.

Access to your information is restricted to those individuals and parties who

require access.

For example, we have physical security (such as restricted access to our

offices and secure storage), electronic protection (such as passwords and

encryption) and safe business practices (such as customer authentication

when you call us). We also train our staff on how to safeguard personal

information.

[91] The Claim does not plead that Capital One lied to or knowingly misled

cardholders about the security measures it had implemented. It pleads that the

measures were inadequate, based on the fact that the Data Breach occurred. As

such, the Claim does not plead material facts that amount to the kind of active

deception or dishonesty necessary to prove breach of the contractual duty of honest

performance. In other data breach cases, courts have refused to certify breach of

confidence claims based on an argument that inadequate security measures after a

hacking event amounts to “misuse” of the confidential information by the defendant:

Tucci at paras. 140-141; Kaplan at paras. 31-32. I consider the claim of breach of

contractual duty of honest performance analogous to those cases.

[92] It is plain and obvious that this cause of action is bound to fail.

Breach of Confidence

[93] The elements of a breach of confidence claim are (1) the information was

confidential; (2) it was communicated in confidence; and (3) it was misused by the

party receiving it: Lac Minerals Ltd. v. International Corona Resources Ltd., [1989] 2

S.C.R. 574 at 608.

Campbell v. Capital One Financial Corporation

Page 32

[94] The Claim does not plead that the Data Breach or the security measures that

failed to prevent it were a misuse of the confidential information by Capital One,

possibly because that argument was rejected in Tucci BCCA at paras. 113-114; see

also Kaplan at para. 31. Instead, Mr. Campbell pleads that Capital One misused the

confidential information by retaining it after it should have been deleted. As counsel

acknowledged in oral submissions, this argument rests on finding that the

Agreement incorporates PIPEDA. It also rests on a conclusion that PIPEDA’s

requirements prevail over the express terms of the Agreement, which say that

Capital One may retain, use and disclose the Confidential Data of unsuccessful

applicants and former customers.

[95] As I have found that the Agreement does not incorporate PIPEDA by

reference, it is plain and obvious that the breach of confidence claim is bound to fail.

Intrusion Upon Seclusion

[96] The tort of intrusion upon seclusion is recognized in some but not all

jurisdictions. Its status is unclear in data breach cases like this where the defendant

is alleged to have “intruded” by failing to prevent an independent third party from

hacking into a database.

[97] In Tucci BCSC, Masuhara J. concluded that the tort does not exist in the

context of a data breach case. However, Mr. Campbell invites me to find that it does

on the basis of the Court of Appeal’s comments in Tucci BCCA. There, Justice

Groberman characterized the failure to appeal that aspect of the certification judge’s

ruling as unfortunate and suggested that “the time may well have come for this Court

to revisit its jurisprudence on the tort of breach of privacy”: at para 55. He added (at

para. 66):

It may be that in a bygone era, a legal claim to privacy could be seen as an

unnecessary concession to those who were reclusive or overly sensitive to

publicity, though I doubt that that was ever an accurate reflection of reality.

Today, personal data has assumed a critical role in people’s lives, and a

failure to recognize at least some limited tort of breach of privacy may be

seen by some to be anachronistic.

Campbell v. Capital One Financial Corporation

Page 33

[98] Justice Groberman is, of course, referring to the timing of the Court of

Appeal’s reconsideration of the issue, not to reconsideration by this court. The Court

of Appeal could revisit the question of recognizing a breach of privacy tort in an

appeal from a decision declining to recognize the tort just as much as it could in a

case where it was found to exist.

[99] Nothing in the Court of Appeal’s reasons suggests that I ought to disregard

the longstanding principle of judicial comity in Re Hansard Spruce Mills Ltd., [1954] 4

D.L.R. 590 (B.C.S.C.).

[100] Privacy breach cases, including class action data breach cases, are coming

before the courts with increasing frequency. Considering the present uncertainty in

Ontario law as to whether a defendant commits the tort where a third party hacks its

database, as I discuss below, the plaintiff has not convinced me to go against

Masuhara J.’s ruling in Tucci BCSC.

[101] Although the decision in Jones v. Tsige, 2012 ONCA 32, in Ontario is often

cited as the basis for recognizing the intrusion tort, in that case, the defendant

committed the intrusive act by accessing the plaintiff’s bank account herself.

[102] More recently, Ontario certification cases have held that a defendant who is

the custodian of a database does not commit this tort by failing to prevent an

independent third party from hacking into the database. In Owsianik v. Equifax

Canada Co., 2021 ONSC 4112, the majority of the Divisional Court held that the tort

of intrusion upon seclusion could not apply to find a database defendant liable for

hacker attacks. Justice Ramsay wrote:

[54]

The tort of intrusion upon seclusion was defined authoritatively only

nine years ago. It has nothing to do with a database defendant. It need not

even involve databases. It has to do with humiliation and emotional harm

suffered by a personal intrusion into private affairs, for which there is no other

remedy because the loss cannot be readily quantified in monetary terms. I

agree that Sharpe J.A.’s definition of the tort is not necessarily the last word,

but to extend liability to a person who does not intrude, but who fails to

prevent the intrusion of another, in the face of Sharpe J.A.’s advertence to the

danger of opening the floodgates, would, in my view, be more than an

incremental change in the common law.

Campbell v. Capital One Financial Corporation

Page 34

[55]

I agree with my colleague (paragraph 43) that Equifax’s actions, if

proven, amount to conduct that a reasonable person could find to be highly

offensive. But no one says that Equifax intruded, and that is the central

element of the tort. The intrusion need not be intentional; it can be reckless.

But it still has to be an intrusion. It is the intrusion that has to be intentional or

reckless and the intrusion that has to be highly offensive. Otherwise the tort

assigns liability for a completely different category of conduct, a category that

is adequately controlled by the tort of negligence.

[56]

For that reason I respectfully disagree with the decision in Kaplan v.

Casino Rama, 2019 ONSC 2025 and the motion judge’s decision in Tucci v.

Peoples Trust Company, 2017 BCSC 1525. I distinguish Bennett v. Lenovo,

2017 ONSC 1082 on the basis that the manufacturer was said to have

intruded by installing adware (a kind of spyware) on the computers that it sold

to the public.

[57]

The plaintiffs here are not without remedy. The essence of their claim

has to do with risk to economic interests caused by disclosure of their

financial information. It is not too much to ask that they prove their damages.

See Babstock, paragraph 60. The tort of negligence protects them

adequately and has the advantage that it does not require them to prove

recklessness.

See also Obodo at para. 22; Del Giudice at paras. 135-147; Winder v. Marriott

International, Inc., 2022 ONSC 390 at paras. 13-18; Stewart v. Demme, 2022 ONSC

1790.

[103] The Ontario Court of Appeal has granted leave to appeal in Owsianik and the

hearing is scheduled for June 2022. The outcome of that appeal may change the

current law in Ontario and may be persuasive if the Court of Appeal decides to

revisit the issue in British Columbia. Just as the fact that a claim is novel is not itself

sufficient reason to certify it (Babstock at para. 19), the possibility that the law may

change is an insufficient basis for certification.

[104] It is plain and obvious that this cause of action is bound to fail.

Statutory Privacy Torts

[105] The plaintiff alleges breaches of the BC Privacy Act, R.S.B.C. 1996, c. 373,

and of similar statutes in Saskatchewan, Manitoba and Newfoundland and Labrador.

[106] Capital One argues that I do not have jurisdiction to adjudicate claims under

the Manitoba and Newfoundland and Labrador privacy statutes because, like the BC

Campbell v. Capital One Financial Corporation

Page 35

Privacy Act, each of these statutes expressly confers jurisdiction on certain courts of

that province.

[107] For the reasons set out in Douez v. Facebook Inc. 2022 BCSC 914, I have

jurisdiction to adjudicate claims arising from the Manitoba and Newfoundland

statutes. As Capital One has not argued forum non conveniens, I may not decline to

exercise jurisdiction: Club Resorts Ltd. v. Van Breda, 2012 SCC 17 at para. 102.

[108] Manitoba’s privacy statute does not require a plaintiff to prove the violation

was wilful. Subsection 2(1) of The Privacy Act, C.C.S.M. c. P125, provides that

“[a] person who substantially, unreasonably, and without claim of right, violates the

privacy of another person, commits a tort against that other person.”

[109] The three other pleaded privacy statutes require the party asserting breach of

privacy to prove that the defendant “wilfully” invaded their privacy: Privacy Act,

s. 1(1); Privacy Act, R.S.N.L. 1990, c. P-22, s. 3(1); The Privacy Act, R.S.S. 1978,

c. P-24, s. 2. The plaintiff must prove that the defendant intended to violate the

plaintiffs’ privacy; it is not enough to show that the defendant engaged in an

intentional act that is causally related to an unintentional intrusion: Cole v. Prairie

Centre Credit Union Ltd., 2007 SKQB 330 at paras. 40-46; Del Giudice at para. 164.

The latter is a claim in negligence, which I have already discussed. In Del Giudice at

para. 163, Perrell J. found that the plaintiff’s statutory tort claims against Capital One

were bound to fail because, “it is not wilfulness to fail to prevent a third party from

invading another’s privacy”

[110] In Hollinsworth v. BCTV, 59 B.C.L.R. (3d) 121 at para. 29 (C.A.), the Court

considered that “wilfully” may include an objective element when it referred to “an

intention to do an act which the person doing the act knew or should have known

would violate the privacy of another person.” In Duncan v. Lessing, 2018 BCCA 9,

the Court of Appeal noted that the inclusion of an objective element in the definition

of wilfulness was out of step with how the word, when used in a statutory context, is

most frequently defined; however, the Court declined to revisit the definition: at

para. 86; see also Agnew-Americano v. Equifax Canada Co., 2019 ONSC 7110 at

Campbell v. Capital One Financial Corporation

Page 36

para. 238. Thus Duncan establishes that wilful conduct cannot be accidental but

does not say whether or not recklessness can constitute wilfulness for the purposes

of the BC statute.

[111] In Kumar v. Korpan, 2020 SKQB 256, the Saskatchewan Queen’s Bench

found that recklessness will not constitute wilfulness under that province’s privacy

act, but also commented (at para 36) that, “there is no firm agreement across the

country as to what ‘willfully’ entails in the context of privacy legislation”.

[112] In Obodo, Glustein J. would have certified the statutory privacy tort

claims in Saskatchewan, Newfoundland and Labrador, and BC on the basis

that (at para. 215):

…it is not settled law that a database defendant could not be found to have

engaged in a wilful breach of privacy under the provincial privacy legislation if

the plaintiff alleges that the conduct was ‘intentional’ or ‘wilful’ (which could

include reckless conduct), which the database defendant knew or should

have known would violate the privacy of another person.”

[113] I agree: absent a definitive appellate ruling on whether wilfulness includes

recklessness, it is not plain and obvious that the pleaded conduct of the defendant

was not wilful.

Breach of Consumer Protection Legislation

[114] The Claim pleads breach of the consumer protection laws of each jurisdiction.

Consumer protection legislation must be interpreted generously in favour of the

consumer it is intended to protect: Seidel v. TELUS Communications Inc., 2011 SCC

15 at para. 37.

[115] An essential element of each of these causes of action is that the defendant

made misleading representations: Krishnan at para. 74. That means the plaintiff

must have pleaded material facts that, if true, are capable of being found to be

misleading representations. Capital One argues that Mr. Campbell has not done so.

Campbell v. Capital One Financial Corporation

Page 37

[116] The Claim identifies the following representations in the Agreement as

misleading:³

a) “Capital One is committed to keeping your personal information accurate,

confidential and secure. We want to earn your trust by providing strict

safeguards to protect your information.”

b) “We respect your privacy. Not only do we respect it, but we also protect it.

The personal information you share with us stays with us.”

c) “We restrict access to your personal information to those who need to

have it to provide products or services to you. We select [those

companies] carefully and require them to keep the information we share

with them safe and secure. We do not allow them to use or share

information for any purpose other than the job they are hired to do. They

must meet our rigorous safety standards before we partner with them.”

d) “We use procedures and practices appropriate to the sensitivity of

personal information to protect against loss, theft, and unauthorized

access. Access to your information is restricted to those individuals and

parties who require access.”

e) “We comply with applicable laws.”

f) “We have physical security (access in buildings), electronic protection

(encryption), and safe business practices (customer authentication when

you call us) to prevent identity theft. We also train our staff on how to

safeguard personal information.”

[117] I agree with Capital One that the fact that the Data Breach occurred does not

make the first five of these representations untrue. The situation is analogous to

³I have set out those representations relevant to the Data Breach and eliminated duplication. The

Privacy Terms, Privacy Statement and Privacy Policy are reproduced more fully at paragraphs 20-29

above.

Campbell v. Capital One Financial Corporation

Page 38

Evans v. General Motors of Canada Company, 2019 SKQB 98, where the court

found that a defect in a car that was represented as safe and reliable was not

misleading: at para 62; see also Williams v Canon Canada Inc., 2011 ONSC 6571

para. 227. As discussed in these cases, general promotional statements about the

quality of a product or device are not factually specific enough to be capable of being

false or misleading.

[118] The plaintiff has no cause of action under consumer protection laws in

respect of general promotional statements. However, the sixth pleaded

misrepresentation arguably goes beyond general promotion. While the fact of the

Data Breach does not make this representation misleading, the representations in

this passage are factual, and the Claim pleads material facts that they are false. It

pleads that Capital One failed to designate individuals responsible for network

security management of personal information, stored personal information on an

unsecured network and server, and failed to encrypt personal information.

[119] Assuming the truth of these facts, it is not plain and obvious that a breach of

consumer protection law claim is bound to fail.

[120] I agree with Capital One that, in the circumstances of this case, there is no

“duty to warn” for the reasons discussed above under duty of contractual honesty,

and that there is no consumer protection cause of action for failing to secure

personal information.

[121] With respect to damages, I have found that the plaintiff has pleaded

compensable loss. If successful, the class would be entitled to provable losses.

[122] I conclude that there is a cause of action for breach of consumer protection

laws, albeit in a more circumscribed form than that pleaded.

CONCLUSION ON CAUSES OF ACTION

[123] In conclusion, the Claim discloses causes of action in negligence, contract,

and breach of consumer protection laws, although they are narrower than framed in

Campbell v. Capital One Financial Corporation

Page 39

the Claim. The causes of action in breach of warranty, breach of the duty of honest

performance, breach of confidence, and intrusion upon seclusion are bound to fail. It

is also plain and obvious that disgorgement is not available as a remedy for the

pleaded negligence.

[124] In the following section I will address whether the plaintiff has provided some

basis in fact that the causes of action disclosed by the Claim satisfy the

requirements in ss. 4(1)(b)-(e) of the CPA.

SOME BASIS IN FACT

Some Basis in Fact for Compensable Loss in Data Breach Cases

[125] Capital One submits that there is no basis in fact that the Claim satisfies any

of the requirements in ss. 4(1)(b) to (e) because there is no admissible evidence that

any of the proposed class members have suffered any compensable loss. Capital

One argues that, absent any evidence that the Confidential Information was actually

disseminated, the proposed class members cannot have suffered any loss. It also

challenges the admissibility of the evidence of what out-of-pocket expenses, such as

credit monitoring and identity theft protection, proposed class members incurred.

[126] Courts have accepted that a demonstrated real risk of future harm may give

rise to compensable loss even where there is no evidence that stolen data has been

used: Tucci BCSC at paras. 200-201; Obodo at para. 137.⁴In Kaplan at paras.

21-22, the Court noted that losses such as damage to credit reputation, costs of

credit monitoring, and costs incurred in preventing or rectifying identity theft are

compensable in breach of privacy class actions. As I read these authorities, the

question of whether victims of a data breach have suffered compensable loss

because of the risk that the stolen information will be disseminated in a manner

damaging to them requires the plaintiff to show, on the “some basis in fact” standard:

⁴In Setoguchi, certification was denied because the court found that the evidence demonstrated

some basis in fact that there was no actual harm or loss. Thus, the loss was purely speculative.

Campbell v. Capital One Financial Corporation

Page 40

a) that there is a real risk, not merely a subjective fear, of future loss due to the

data breach;

b) that the defendant has not provided mitigation measures adequate to protect

against that risk; and

c) that the plaintiff incurred out-of-pocket costs to protect against that risk.

[127] If so, the court will consider whether the plaintiff has established some basis

in fact for the criteria in ss. 4(1)(b) to (e).

[128] Courts have repeatedly emphasized that the “some basis in fact” inquiry is

case specific. While reviewing other cases may illustrate the application of general

principles, evidentiary assessments turn on the evidence and issues before the

court: Harris v. Bayerische Motoren Werke Aktiengesellschaft, 2019 ONSC 5967

para. 50. It is also important to remember that the focus at the certification stage is

on whether a class proceeding is the appropriate form of action. Beyond the low

“some basis in fact” threshold, there is no analysis of the substantive merits of the

claim: Hollick v. Toronto (City), 2001 SCC 68 at para. 16; Finkel v. Coast Capital

Savings Credit Union, 2017 BCCA 361 at para. 19.

[129] In this case, Dr. Scheurkogel’s evidence provides some basis in fact that

there is a real risk that the Confidential Information will be used in ways harmful to

the Class. Dr. Scheurkogel is a cyber-security expert. He agrees that there are no

indications to date that the Confidential Information has been used or disseminated.

However, he deposes that it is possible, in light of the length of time between the

Data Breach and Ms. Thompson’s arrest, her intention to profit from it, and the

sophistication of the theft, that Ms. Thompson has secreted the Confidential

Information somewhere for future dissemination. He says that social insurance

numbers have lasting value on the black market as they tend not to change, and that

criminal groups may wait before using “hot” information. Dr. Scheurkogel points out

that Capital One has not disclosed what, if any, searches it has conducted on the

dark web for indications the Confidential Information has been used.

Campbell v. Capital One Financial Corporation

Page 41

[130] The fact that Capital One offered such protection, in the form of two years of

free credit monitoring and identity theft protection by TransUnion, also supports a

conclusion that the risk was real and reasonable for some period of time.

[131] Capital One argues that the risk mitigation protection it offered fully addressed

the risk attributable to the Data Breach, relying on Maginnis v. FCA Canada Inc.,

2021 ONSC 3897. That was a certification application for a class action arising from

defective eco-diesel car engines built by the defendant. The defendant had recalled

and repaired the defective vehicles. The Divisional Court concluded that it was open

to the judge to find that the repair adequately compensated the plaintiffs for their

loss:

[48]

Ultimately, the motion judge determined that the remedy provided by

the repair FCA offered was a remedy that provided access to justice for class

members. He did so as he had found there was no evidence of any

compensable loss remaining after the repair, and nominal damages were not

enough to justify certification. He also concluded that the behaviour

modification objective was met. Finally, he considered that a class

proceeding would not be a wise use of judicial resources in this case. His

finding is consistent with the Supreme Court's decision in Atlantic Lottery.

[132] Unlike the defendant in Maginnis, there is evidence here that Capital One did

not fully “repair” the problem. Dr. Scheurkogel describes two limitations of the risk

mitigation measures offered by Capital One. First, it is temporary: the free credit

monitoring and identity theft protection offered through TransUnion expires after two

years. Second, coverage is partial: some major banks, such as TD Bank, CIBC,

Desjardins and HSBC, do not report to TransUnion.

[133] In his third affidavit, Mr. Campbell deposes that he purchased credit

monitoring with Equifax for $20.95 per month because of his concerns about identity

theft. Equifax receives reports from banks that do not report to TransUnion. In his

first affidavit, Mr. Campbell attributes those concerns to the Data Breach.⁵This

⁵While Capital One tendered evidence that Mr. Campbell may have been the victim of other data

breaches in 2018 and 2019, this does not detract from his evidence that he purchased the Equifax

product because of the Capital One Data breach for the purposes of the “some basis in fact”

assessment.

Campbell v. Capital One Financial Corporation

Page 42

evidence satisfies the plaintiff’s obligation to demonstrate some basis in fact that

Capital One has not provided adequate risk mitigation measures.

[134] I conclude that the plaintiff has established some basis in fact for

compensable loss.

Some Basis in Fact - Identifiable Class

[135] A representative plaintiff must define a class with reference to objective

criteria, independent of the merits of the claim, that is rationally related to the

common issues such that it is clear who is entitled to notice, who is entitled to relief

and who is bound by any judgment. The evidence must provide some basis in fact

that at least two persons could self-identify as class members and later prove that

they are members of the class: Finkel at para. 21, citing Jiang v. Peoples Trust

Company, 2017 BCCA 119 at para. 82.

[136] Mr. Campbell’s proposed class definition is:

All Canadians who applied for or were issued a Capital One credit card and

who were notified by the defendants that their information may have been

compromised in the Breach.

[137] The Claim defines “Breach” as a cybersecurity breach of a Capital One

database between March 12 and April 21, 2019.

[138] As I have excluded Québec residents, the class definition must be amended

to read “All Canadians except for residents of the Province of Québec”.

[139] This Class definition is based on objective and easily ascertainable criteria.

Capital One does not argue otherwise. I am satisfied that Mr. Campbell has shown

some basis in fact that the risk of dissemination has caused compensable loss.

[140] The real issue under this heading is whether the plaintiff has established that

at least two persons could self-identify as class members and later prove that they

are members of the class.

Campbell v. Capital One Financial Corporation

Page 43

[141] There is no affidavit evidence from another potential class member. Instead,

the plaintiff tendered evidence of an expert’s analysis of the information provided by

people who chose to register on the website created by class counsel for this

litigation (Groehn affidavit), and evidence of email communications between a

paralegal at the law firm and registrants about whether they intended to or already

had purchased credit monitoring or related services because of the Data Breach

(Omran affidavits).

[142] Capital One says all of this evidence is inadmissible hearsay.

[143] As expert evidence is not necessary on this issue, I have not considered the

Groehn affidavit is unnecessary.

[144] The Omran affidavit was made by a lawyer at class counsel’s firm. Mr. Omran

deposes that 27 individuals who registered on counsel’s class action website stated

that they had purchased credit monitoring or similar services because of the Data

Breach. Some identified the product and the cost. The text of each individual

response is set out in an exhibit to this affidavit; however, names are not included.

The Omran affidavit also exhibits 62 individual responses to an email sent by class

counsel in July 2021, informing all registrants that the two years of free credit

monitoring would be expiring soon, that a certification hearing was upcoming, and

that for the hearing it would be helpful to know if the person had or intended to

purchase credit monitoring or credit flagging because of the Data Breach.⁶Again,

individual names are not included.

[145] Is such evidence admissible in a certification hearing?

[146] Courts have answered this question differently. In some cases, information

provided by potential class members on a law firm registration website has been

excluded as hearsay (e.g. Fresco v. Canadian Imperial Bank of Commerce (2009),

⁶Capital One argued that the letter is biased in that it invites individuals to incur these expenses in

order to further the claim, and exaggerates the risk to them. That is not an objectively reasonable

interpretation of the letter. It is communicating information of interest to the group and soliciting

information from it.

Campbell v. Capital One Financial Corporation

Page 44

71 C.P.C. (6^th) 97 (Ont. S.C.J.)), but in others it has been admitted (e.g. Chalmers v.

AMO Canada Company, 2009 BCSC 689 aff’d 2010 BCCA 560). Some courts have

concluded that such evidence is not hearsay because it is not tendered for the truth

of its contents (that is, not to show that an individual did incur such costs), but only to

show that they claim they did: John Doe v. R., 2015 FC 236 at paras. 11-13.

[147] While each case turns on its particular facts, it appears that compilations of

truly anonymous on-line complaints are generally not admissible to establish some

basis in fact at certification: see, for example, Pollack v. Advanced Medical Optics,

Inc., 2011 ONSC 850; Thorpe v. Honda Canada Inc., 2010 SKQB 39; Harris.

Beyond that, admissibility will turn on the nature of the particular evidence and the

court’s characterization of the purpose for which it is tendered. For example, in

Walter v. Western Hockey League, 2016 ABQB 588, the survey evidence in issue

consisted of substantive interviews by two different individuals of potential class

members. Names were anonymized. The evidence from one set of interviews was

excluded but the evidence from the other was admitted, based on the expertise of

the interviewer, the structure of the questions, and the fact that interview transcripts

were provided.

[148] In Tucci BCSC, a data breach case similar to this, Masuhara J. found that

responses by individuals who registered on class counsel’s website about the impact

of the data breach on them could satisfy this requirement: at para. 232; see also

Obodo at para. 237.

[149] The registrants in this case are not truly anonymous: class counsel know their

names and Capital One could seek a disclosure order. The Omran affidavit includes

the full text of each response, which I have read. The information itself is

straightforward: the individual says that they purchased credit protection services as

a result of the Data Breach and many also name the particular service and the cost.

[150] I find that this evidence is not hearsay because it is not tendered for the truth

of its contents, but to show that two or more individuals have claimed that they

incurred certain costs in purchasing additional credit protection because of the Data

Campbell v. Capital One Financial Corporation

Page 45

Breach. That is all that is required at this stage. Whether class members can actually

prove their losses is a matter for trial.

[151] The plaintiff has satisfied the requirements of s. 4(1)(b).

Some Basis in Fact – Common Issues

[152] This statutory requirement requires the plaintiff to show some basis in fact

that each proposed common issue actually exists and can be answered in common

across the class. A common issue exists if its resolution will avoid duplicative fact-

finding or legal analysis, it is a substantial component of each class member’s claim

that must be resolved to resolve the claim, and success for one class member

means success for all, although not necessarily to the same extent: Finkel at

paras. 22-23. This highlights that the focus of the inquiry, including the assessment

of the evidence, again is on the form of the proceeding, not on the merits of the

claim.

[153] I have found that the Claim discloses causes of action in negligence, contract,

statutory privacy torts, and breach of consumer protection statutes.

[154] The wording that the plaintiff has proposed for the negligence common issues

includes a reference to PIPEDA, which I have not accepted. The proposed common

issues in the negligence claim should track the elements of the tort, framed as

follows:

a) Did Capital One owe the Class a duty of care to take reasonable steps to

establish, maintain and enforce appropriate security safeguards against a

cyberattack and/or limit the exposure of the Class’s personal information

in the case of a successful cyberattack?

b) If so, did Capital One breach the applicable standard of care?

c) If so, did Capital One’s breach of the standard of care cause damage to

the Class?

Campbell v. Capital One Financial Corporation

Page 46

[155] Capital One does not take issue with the negligence common issues beyond

saying that there is no compensable loss. Assessment of the existence of a duty of

care, and breach of the applicable standard of care all arise from the relationship

between Capital One and the Class, and that relationship is the same for all class

members. As causation is alleged to arise from the Data Breach, it is also common

across the class.

[156] Capital One does not take issue with the proposed common issues relating to

the breach of contract claim beyond saying that there is no compensable loss.

Reworded to exclude the claims I have not certified, they are:

a) Did Capital One enter into a contract with each member of the Class that

included terms relating to their personal information?

b) If so, did Capital One breach the contract?

[157] The evidence shows that the contract is the Agreement, and that it is the

same standard form document for each Class member. Whether Capital One

breached the contract is an issue that must be decided by interpreting the

Agreement, also an issue that is common across the class.

[158] The plaintiff proposes common issues with respect to breach of each of seven

consumer protection statutes (excluding Québec) as follows:

a) With respect to residents of British Columbia, did the defendants violate the

Business Practices and Consumer Protection Act, S.B.C. 2004, c. 2, by

making false and misleading representations regarding their security

measures?

b) With respect to residents of Ontario, did the defendants violate the Consumer

Protection Act, R.S.O. 1990, c. C.31, by engaging in unfair and/or

unconscionable acts or practices?

Campbell v. Capital One Financial Corporation

Page 47

c) With respect to residents of Manitoba, did the defendants violate the Business

Practices Act, C.C.S.M. c. B120, by making false and misleading

representations regarding their security measures?

d) With respect to residents of Saskatchewan, did the defendants violate the

Consumer Protection and Business Practices Act, S.S. 2014, c. C-30.2, by

making false and misleading representations regarding their security

measures?

e) With respect to residents of Alberta, did the defendants violate the Fair

Trading Act, R.S.A. 2000, c. F2, by making false and misleading

representations regarding their security measures?

f) With respect to residents of Newfoundland and Labrador, did the defendants

violate the Consumer Protection and Business Practices Act, S.N.L. 2009,

c. C-31.1, by making false and misleading representations regarding their

security measures?

g) With respect to residents of Prince Edward Island, did the defendants violate

the Business Practices Act, R.S.P.E.I. 1988, c. B-7 by making false and

misleading representations regarding their security measures?

[159] As I have found that only one of the pleaded misrepresentations is capable of

founding a consumer protection claim, I would replace the clause, “by making false

and misleading representations regarding their security measures with “by failing to

designate individuals responsible for network security management of personal

information, storing personal information on an unsecured network and server, and

failing to encrypt personal information.”

[160] Capital One objects to the final proposed common issue under this heading,

which is:

Did the defendants otherwise breach the Applicable Consumer Legislation as

defined in the notice of civil claim?

Campbell v. Capital One Financial Corporation

Page 48

[161] Capital One submits that this invites an open-ended inquiry not grounded in

pleaded material facts. The plaintiff’s submissions did not address it. I agree, and do

not certify it.

[162] The plaintiff proposes common issues with respect to each of the four

pleaded privacy statutes as follows:

a) With respect to residents of British Columbia, did the defendants violate the

BC Privacy Act, s. 1? If so, how?

b) With respect to residents of Manitoba, did the defendants violate the

Manitoba Privacy Act, ss. 2-3? If so, how?

c) With respect to residents of Newfoundland & Labrador, did the defendants

violate the Newfoundland Privacy Act, s. 3-4? If so, how?

d) With respect to residents of Saskatchewan, did the defendants violate the

Saskatchewan Privacy Act, ss. 2, 3 and 6? If so, how?

[163] Again, Capital One’s only objection is that these issues do not “actually exist”

without evidence of loss.

[164] I agree with the plaintiff that each of the four questions require scrutiny of

Capital One’s conduct under each of the pleaded legal regimes. That conduct is the

same across the class. The legal issue concerning the meaning of “wilfulness” in the

BC, Saskatchewan and Newfoundland and Labrador privacy laws, discussed above,

does not change this. Capital One did not suggest that the evidence fails to meet the

“some basis in fact” standard.

[165] The plaintiff proposed five common issues relating to remedy and damages,

which I have modified to reflect the causes of action I have accepted:

a) Are the defendants liable in damages to the class for negligence, breach of

contract, statutory privacy torts, and breach of the applicable Consumer

Protection legislation?

Campbell v. Capital One Financial Corporation

Page 49

b) Are the defendants jointly and severally liable for damages to the class

pursuant to the applicable Negligence Acts?

c) Can the court assess damages in the aggregate, in whole or in part, for the

class? If so, what is the amount of the aggregate damage assessment(s) and

who should pay it to the class?

d) Should the defendants, or any of them, pay the costs of administering and

distributing any amounts awarded under ss. 24 and 25 of the CPA? If so, who

should pay what costs, in what amount and to whom?

e) Should the defendants, or any of them, pay prejudgment and post judgment

interest? If so, at what annual interest rate? Should the interest be simple or

compound?

[166] Capital One did not take issue with these questions except for c), relating to

aggregate damages. It pointed to the fact that aggregate damages are permitted

under s. 29 of the CPA only if the statutory preconditions set out in s. 29(1)(a) to (c)

are met. In particular, s. 29(1)(c) requires that the aggregate award “can reasonably

be determined without proof by individual class members”.

[167] That means an aggregate monetary award is not available if it depends in any

way on evidence of individual class members, including a statistical analysis of the

damage suffered by a sample of class members: Fulawka v. Bank of Nova Scotia,

2012 ONCA 443 at paras. 135-139. The evidence at this point does not rule out the

possibility of an aggregate award, so it should be left for trial.

[168] Mr. Campbell has also pleaded nominal damages for breach of contract.

Capital One argues, based on Babstock, that a nominal damages claim cannot be a

common issue. I do not read Babstock as saying this. As Brown J. noted, it was in

the unusual circumstances of a claim that expressly disclaimed any remedies based

on individual loss that the Court found that the breach of contract claim disclosed no

reasonable cause of action:

Campbell v. Capital One Financial Corporation

Page 50

[67] The remaining question on breach of contract is whether the plaintiffs'

claim should survive as a hollow cause of action that does not support any of

the remedies they seek. In my view, it should not. While I agree with my

colleague Karakatsanis J. that declaratory relief and nominal damages are

available in theory as remedies for breach of contract, a reasonable claim is

one that has a reasonable chance of achieving the outcome that the plaintiff

seeks. That is not this claim. To be sure, the circumstances here are unusual.

Not only did the plaintiffs plead only gain-based relief and punitive damages,

both of which I have concluded are unavailable in the circumstances the

plaintiffs also expressly disclaimed remedies quantified on the basis of

individual loss. At no point did the plaintiffs argue that their claim should

survive because nominal damages are available. In my view, the plaintiffs'

breach of contract claim should be assessed on the basis of the questions

put before the Court -- namely, whether a gain-based remedy or punitive

damages are available in the circumstances. And on that basis, it is obvious

that the plaintiffs' breach of contract claim does not disclose a reasonable

cause of action. To allow this claim to proceed to trial would simply be to

delay the inevitable, and would not reflect a "proportionate procedur[e] for

adjudication" (Hryniak, at para. 27).

[169] Here, there is no such disclaimer. Mr. Campbell has pleaded damages for

breach of contract quantified based on individual loss as well as remedies that are

not based on individual loss. I accept the proposed aggregate damages question as

a common issue.

Some Basis in Fact – Preferability

[170] The preferability analysis asks whether, in the context of the action as a

whole, a class action proceeding is a better way of resolving the common issues

than another type of proceeding in light of the goals of access to justice, judicial

economy and behaviour modification: AIC Limited v. Fischer, 2013 SCC 69 at

para. 19.

[171] Capital One does not make any submission on preferability other than its

general objection that there is no evidence of a class-wide injury.

[172] Here, the only alternative to a class proceeding is individual actions.

Resolution of the common issues, which are complex, will clearly advance the goals

of a class action procedure. That is so even if individual inquiries are necessary to

address damages. In Tucci BCCA, a very similar data breach case, the Court of

Appeal approved the certification judge’s reasoning on preferability: at para. 96. I am

Campbell v. Capital One Financial Corporation

Page 51

satisfied that the plaintiff has shown some basis in fact that a class action is the

preferable procedure.

Some Basis in Fact – Suitability of Representative Plaintiff

[173] In order to be a suitable representative, a plaintiff must be able to fairly and

adequately represent the class’s interests, must have a workable litigation plan, and

must not have a conflict with the interests of other class members on the common

issues.

[174] Capital One does not object to Mr. Campbell’s suitability as a representative

plaintiff beyond its general position on proof of loss.

[175] I have reviewed Mr. Campbell’s affidavit evidence. It does not mention a

litigation plan. A litigation plan is attached as an exhibit to Mr. Omran’s affidavit, but

he does not say anything about Mr. Campbell’s involvement in it or even his

awareness of it. Neither party addressed the litigation plan at the hearing.

[176] This is an unfortunate example of class counsel standing in the shoes of the

litigants. Although a litigation plan is prepared by counsel, the statute requires that

the representative plaintiff produce it. That is an aspect of demonstrating that this

person is able to vigorously represent the interest of the class: Tucci BCSC

para 274. The evidence should establish that a proposed representative plaintiff is

aware of and understands the litigation plan.

[177] Absent any objection from Capital One, I am satisfied that Mr. Campbell is a

suitable representative plaintiff. His evidence shows some basis in fact that he is a

member of the Class and he states unequivocally that he is aware of his obligations

as a representative plaintiff and is committed to active involvement in the litigation. I

conclude that he is a suitable representative plaintiff.

Campbell v. Capital One Financial Corporation

Page 52

CONCLUSION

[178] In conclusion, I make the following orders:

a) The action is certified as a multi-jurisdictional class proceeding under the

CPA;

b) The Class is defined as all Canadians, except residents of Québec, who

applied for or were issued a Capital One credit card and were notified by

Capital One that their information was compromised in the Data Breach;

c) Duncan Campbell is appointed as representative plaintiff for the Class;

d) The nature of the claims asserted on behalf of the Class are negligence,

breach of contract, breach of statutory privacy torts, and breach of

consumer protection legislation;

e) The relief sought by the Class is:

i.

ii

a declaration that the defendants owed a duty of care to the

plaintiff and the Class and breached the standard of care owed

to them;

a declaration that the defendants are jointly and severally liable

with the hacker pursuant to the negligence statutes of British

Columbia, Saskatchewan, Ontario and Newfoundland and

Labrador;

iii.

a declaration that the defendants breached their contract with

each Class member;

iv.

v.

damages in the amount of $800 million;

assessment of aggregate damages;

vi.

a reference or directions necessary to determine any issues not

determined at the trial of the common issues;

Campbell v. Capital One Financial Corporation

Page 53

vii.

pre-and post-judgement interest;

viii.

costs of administering a plan of distribution of the recovery in

this action; and

ix.

further and other relief as the Court deems just.

f) The common issues are:

Negligence

i.

Did Capital One owe the Class a duty of care to take reasonable

steps to establish, maintain and enforce appropriate security

safeguards against a cyberattack and/or limit the exposure of

the Class’s personal information in the case of a successful

cyberattack?

ii.

If so, did Capital One breach the applicable standard of care?

iii.

If so, did Capital One’s breach of the standard of care cause

damage to the Class?

Contract

iv.

Did Capital One enter into a contract with each member of the

Class that included terms relating to their personal information?

v.

If so, did Capital One breach the contract?

Statutory Privacy Torts

vi.

With respect to residents of British Columbia, did the defendants

violate the BC Privacy Act, s. 1? If so, how?

vii.

With respect to residents of Manitoba, did the defendants violate

the Manitoba Privacy Act, ss. 2-3? If so, how?

Campbell v. Capital One Financial Corporation

Page 54

viii.

With respect to residents of Newfoundland & Labrador, did the

defendants violate the Newfoundland Privacy Act, s. 3-4? If so,

how?

ix.

With respect to residents of Saskatchewan, did the defendants

violate the Saskatchewan Privacy Act, ss. 2, 3 and 6? If so,

how?

Breach of Consumer Protection Acts

x.

With respect to residents of British Columbia, did the defendants

violate the Business Practices and Consumer Protection Act,

S.B.C. 2004, c. 2, by failing to designate individuals responsible

for network security management of personal information,

storing personal information on an unsecured network and

server, and failing to encrypt personal information?

xi.

With respect to residents of Ontario, did the defendants violate

the Consumer Protection Act, R.S.O. 1990, c. C.31, by failing to

designate individuals responsible for network security

management of personal information, storing personal

information on an unsecured network and server, and failing to

encrypt personal information, which constitute unfair and/or

unconscionable acts or practices?

xii.

With respect to residents of Manitoba, did the defendants violate

the Business Practices Act, C.C.S.M. c. B120, by failing to

designate individuals responsible for network security

management of personal information, storing personal

information on an unsecured network and server, and failing to

encrypt personal information?

xiii.

With respect to residents of Saskatchewan, did the defendants

violate the Consumer Protection and Business Practices Act,

Campbell v. Capital One Financial Corporation

S.S. 2014, c. C-30.2, by failing to designate individuals

Page 55

responsible for network security management of personal

information, storing personal information on an unsecured

network and server, and failing to encrypt personal information?

xiv.

With respect to residents of Alberta, did the defendants violate

the Fair Trading Act, R.S.A. 2000, c. F2, by failing to designate

individuals responsible for network security management of

personal information, storing personal information on an

unsecured network and server, and failing to encrypt personal

information?

xv.

With respect to residents of Newfoundland and Labrador, did

the defendants violate the Consumer Protection and Business

Practices Act, S.N.L. 2009, c. C-31.1, by failing to designate

individuals responsible for network security management of

personal information, storing personal information on an

unsecured network and server, and failing to encrypt personal

information?

xvi.

With respect to residents of Prince Edward Island, did the

defendants violate the Business Practices Act, R.S.P.E.I. 1988,

c. B-7 by failing to designate individuals responsible for network

security management of personal information, storing personal

information on an unsecured network and server, and failing to

encrypt personal information?

Remedy and Damages

xvii. Are the defendants liable in damages to the class for

negligence, breach of contract, statutory privacy torts, and

breach of the applicable consumer protection legislation?

Campbell v. Capital One Financial Corporation

Page 56

xviii. Are the defendants jointly and severally liable for the damages

to the class pursuant to the applicable Negligence Acts?

xix.

xx.

Can the court assess damages in the aggregate, in whole or in

part, for the class? If so, what is the amount of the aggregate

damage assessment(s) and who should pay it to the class?

Should the defendants, or any of them, pay the costs of

administering and distributing any amounts awarded under ss.

24 and 25 of the CPA? If so, who should pay what costs, in

what amount and to whom?

xxi.

Should the defendants, or any of them, pay prejudgment and

post judgment interest? If so, at what annual interest rate?

Should the interest be simple or compound?

g) The proceedings in any other proceeding arising from the same facts as

those in the present proceeding are stayed, with the exception of the

Royer action in Québec (No. 500-06-001010-194); and

h) The defendants must provide the plaintiff with the names and last known

addresses of Class members.

[179] I decline to grant the orders sought with respect to notice and opt out process

at this time as these matters were not addressed by either party. The parties did not

address costs of this application. The parties may address these matters by way of

written submission or seek to appear before me for a brief hearing on these issues.

“Iyer J.”