On May 30, 2017, the Ontario Superior Court of Justice granted an order approving a settlement agreement (the “Settlement Agreement”) in a class action lawsuit (the “Class Action”) against Wal-Mart Canada Corp. (“Wal-Mart”). The Class Action was brought after Wal-Mart notified its customers in July 2015 that its photo processing website, which was operated by a third party, had been compromised, potentially placing customers at risk. The Statement of Claim in the Class Action alleged that customers had been required to provide their name, address, telephone number and credit or debit card information (“Personal Information”) to Wal-Mart and its co-defendant in order to use the photo finishing website and that this Personal Information had been subject to unauthorized access and stolen. As a result, customers had experienced or were exposed to various harms, including identity theft, harassment and fraudulent credit card transactions.
The plaintiff and the class members in the Class Action sought general and special damages totalling $500 million, together with punitive and aggravated damages in the amount of $50 million on the basis that, among other things, Wal-Mart’s privacy policies, handling, storage and lack of security of the Personal Information had exposed them to harm. The plaintiffs also claimed that Wal-Mart had delayed notifying law enforcement and their customers of the breach and the loss of the Personal Information, resulting in additional harm and showing negligence and reckless disregard for the sensitivity and confidentiality of the Personal Information, and that Wal-Mart had breached the terms of an implied contract it had with its customers that it would safeguard their Personal Information and notify them promptly of any compromise or theft.
The Settlement Agreement makes various benefits available to eligible class members, including recovery of valid claims for out of pocket losses, unreimbursed charges and time spent remedying issues traceable to the privacy breach of up to $5000 and $15 per hour for up to five hours per person. The maximum cumulative total available for the recovery of expenses under the Settlement Agreement is $400,000, following which this obligation will have been discharged. Eligible class members will also be able to apply for free credit monitoring services for a maximum of one year, whether or not they submit a claim for the above-noted expenses, and can apply for a reimbursement for credit monitoring services where such services were already purchased as a result of the breach. The maximum cumulative total available for credit monitoring under the Settlement Agreement is $350,000. Additionally, under the Settlement Agreement, Wal-mart will pay up to a maximum of $250,000 for the costs of administering the recovery of expenses and the credit monitoring services.
All Canadian residents who used Wal-Mart’s photo website between June 1, 2014 and July 10, 2015 and who have not opted out are eligible for compensation under the Settlement Agreement.
Even though the actual quantum of damages reflected in the settlement agreement was not large at the end of the day, this privacy Class Action demonstrates the risk faced by organizations that collect, use, store and handle personal information in the course of their activities. Any compromise of that information can lead to claims for damages for privacy breach, identify theft, out of pocket expenses, damage to credit rating and other costs incurred by the persons impacted, and can result in significant reputational damage to the organization itself. In order to mitigate these risks, organizations that deal with personal information should put in place and monitor the implementation of enterprise-wide privacy policies. They should also ensure that their contractual arrangements with third party IT providers and consultants contain robust covenants to protect the organization in the event that the actions of the third party lead or contribute to a data breach. Finally, organizations should obtain cyber risk insurance to help protect against technology risks and exposures.