On June 3, 2022, the Supreme Court of British Columbia (the Court) issued its decision in Campbell v. Capital One Financial Corporation, 2022 BCSC 928 (Campbell), certifying a class action lawsuit against Capital One Financial Corporation (Capital One). 

In Campbell, an individual hacked Capital One’s database and downloaded the information of residents from Canada and the U.S. who have applied for credit cards with Capital One (the Data Breach). Six million Canadian customers were affected by the Data Breach.  For the Canadian customers, the data that was stolen included: name, date of birth, address, phone number, annual income, banking information, credit scores, and social insurance numbers. 

The plaintiff in Campbell sought the certification of a single national class comprised of all Canadians that were informed by Capital One that their confidential information was affected by the Data Breach (the Class).  The Class also sought damages totaling 800 million dollars.  Capital One’s primary objection to certification was based on the evidence that no data had been disseminated beyond the hacker. 

In reviewing whether the plaintiff’s claims met the requirements for certification under British Columbia’s Class Proceedings Act, the Court determined the following:

  1. As there was already a class proceeding commenced in Québec that would better serve the interests of Québec residents, the Class should exclude residents from Québec;
  2. The plaintiff had sufficiently pleaded the: (i) negligence claim; (ii) breach of contract claim; (iii) statutory tort for breach of privacy under British Columbia’s Privacy Act (and of similar statutes in Saskatchewan, Manitoba, and Newfoundland and Labrador); and (iv) breach of consumer protection laws claim; and
  3. The plaintiff failed to sufficiently plead the: (i) breach of warranty claims; (ii) breach of contractual duty of honest performance claim; (iii) breach of confidence claim; and (iv) tort of intrusion upon seclusion.

As the Court found that many of the plaintiff’s claims were sufficiently pleaded, the Court then determined whether any of the Class members suffered compensable loss.  Based on previous jurisprudence where courts have held that a demonstrated real risk of future harm may give rise to compensable loss even where there is no evidence that stolen data has been used, the Court accepted the testimony from the plaintiff’s expert witness who provided some basis in fact that there is a real risk that the stolen data will be used in ways harmful to the Class.  Also, in concluding that there was some basis in fact for compensable loss, the Court accepted the plaintiff’s evidence that he had purchased credit monitoring because of the Data Breach.

Ultimately, as the Court also found some basis in fact that: (i) there was an identifiable class of 2 or more persons; (ii) the claims of the Class members raise common issues; (iii) a class action is the preferable procedure; and (iv) the plaintiff is a suitable representative plaintiff; the Court certified the action against Capital One as a class proceeding.

Summary By: Olalekan (Wole) Akinremi


22 07 13

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.