Compliance

Law 25 Class Actions: The Financial Risk Small Firms Underestimate

Willie Savard, CEO & Co-founder, Tchat N Sign. February 26, 2026. 14 min read.


When discussing Law 25 penalties, attention naturally falls on the big numbers: up to $10M in administrative monetary penalties, up to $25M in criminal fines. For a financial services firm of 5 or 15 people, these amounts seem abstract, even impossible. And that is largely true: the Commission d'accès à l'information (CAI) considers your ability to pay before setting an administrative penalty.

But there is a third path that the CAI does not control, that the judge does not scale to your revenue, and that can exceed your annual income in a matter of weeks: the private right of action under section 93.1 of the Act respecting the protection of personal information in the private sector (PPIPS). When the infringement is intentional or results from gross fault, it carries a mandatory floor of $1,000 in punitive damages per person, and it can be brought as a class action.

This is the risk most small firms don't see coming.

Section 93.1 in Plain Language

Section 93.1 of the Act respecting the protection of personal information in the private sector (PPIPS) provides that any person who suffers an unlawful infringement of a right conferred by the Act may claim damages for the injury suffered from the organization responsible. If the infringement is intentional or results from gross fault, the court must also award punitive damages of at least $1,000.

Three elements make this mechanism particularly powerful.

  • The floor is mandatory. Once intentional fault or gross fault is established, the court has no choice: it must award punitive damages of at least $1,000 per person. This is not a discretionary maximum; it is a minimum imposed by law. The judge can award more, but cannot award less.
  • There is no cap. Unlike AMPs (capped at the greater of $10M and 2% of worldwide turnover) and criminal fines (capped at the greater of $25M and 4% of worldwide turnover), the private right of action has no overall ceiling. The total depends on the number of affected individuals multiplied by the $1,000 minimum (or more, if the court so decides).
  • Class actions are expressly permitted. The law authorizes affected individuals to band together in a single lawsuit, so a specialized law firm can represent all of your clients affected by a breach without each of them filing individually. That lowers the cost and complexity for plaintiffs, which considerably increases the likelihood that a claim is actually pursued.

Why This Is the Real Risk for SMBs

Administrative monetary penalties (AMPs) imposed by the CAI are adjusted based on ten criteria, including the company's ability to pay. The CAI's General Framework provides base amounts from $1,000 to $15,000 for companies, adjusted according to context. For a small firm, an AMP will remain proportionate to its size.

Class actions don't work that way.

The $1,000 floor per person applies regardless of your firm's size, revenue, or ability to pay. The court must award it. The only variable is the number of affected individuals.

Here are three concrete scenarios for a financial services firm.

  • Solo practice, 500 active clients. A breach exposes all of your clients' financial data through gross fault. Minimum class action exposure: 500 × $1,000 = $500,000. On $200,000 in annual revenue, that is 2.5 times your income.
  • 5-person firm, 2,000 active clients. Same scenario. Minimum exposure: 2,000 × $1,000 = $2,000,000. For a firm with $500,000 in revenue, that is 4 times annual income.
  • Regional MGA, 10,000 clients. Minimum exposure: 10,000 × $1,000 = $10,000,000. And this amount is a floor: the court can award more per person if circumstances warrant.

Don't forget that exposure isn't limited to active clients. If you retain data from former clients (which the AMF requires you to do for at least 7 years), those individuals are also covered. In the Desjardins case, nearly 4 million of the 9.7 million affected individuals were former clients whose data had never been deleted.

Required Conditions for a Successful Claim

The right of action under section 93.1 is not automatic. Three conditions must be met.

  • The infringement must be intentional or result from gross fault. A simple good-faith error is not enough. Gross fault means gross negligence: a serious failure to meet basic obligations that any reasonable organization would respect. The bar is higher than a simple mistake, but lower than malicious intent.
  • The plaintiff must demonstrate actual harm. It is not enough that data was exposed. The plaintiff must prove they suffered damage: stress, anxiety, time lost monitoring credit, costs incurred for protection, actual identity theft. In the context of financial data, Quebec courts tend to recognize that exposure of sensitive data causes presumed moral harm.
  • A causal link must exist. The harm must result from the infringement. If a client suffers identity theft six months after a breach that exposed their SIN, the causal link will likely be established.

These conditions are not insurmountable for plaintiffs, especially in the financial sector where data is inherently sensitive and potential harm (fraud, identity theft) is direct and well-documented.

What Constitutes "Gross Fault" in a Financial Firm Context

The concept of gross fault is not defined in Law 25 itself, but Quebec civil law defines it as gross negligence demonstrating marked carelessness, imprudence, or recklessness. In the specific context of a financial services firm, here are situations that could be characterized as gross fault by a court.

  • Complete absence of a privacy policy. The privacy policy has been mandatory since September 2023. A firm that, in 2026, still has no policy demonstrates marked carelessness toward its legal obligations and client data protection.
  • No security measures on client data. Client files stored on a passwordless computer, a CRM without authentication, unencrypted emails containing SINs. The absence of basic security measures, in a sector handling some of the most sensitive data there is, would be hard to defend.
  • Ignoring a known confidentiality incident. You learn that a former employee still has CRM access and do nothing for weeks. You discover that a file containing client data was shared by mistake and do not document it. Inaction in the face of a known risk is a classic marker of gross fault.
  • Transmitting sensitive data without any protection. Sending an Excel file containing dozens of clients' SINs and financial data by unencrypted email, without a password, to a vendor whose security practices you have never assessed.
  • Never training staff. Your employees handle sensitive financial data daily and have never received any training on personal information protection, incident detection, or security best practices.

Conversely, a firm that has implemented reasonable protection measures, documented its practices, trains its staff, and responds quickly to incidents will have a strong argument for demonstrating the absence of gross fault, even if an incident occurs despite everything.

Interaction with AMPs and Criminal Fines

Law 25's three enforcement paths are cumulative, with one exception.

  • AMPs and criminal fines: not cumulative for the same facts. The CAI must choose between imposing an AMP or initiating criminal prosecution for a given violation. It cannot do both for the same facts. It can, however, impose an AMP for one violation (e.g., failure to notify) and initiate criminal prosecution for another (e.g., obstruction of an investigation).
  • Class action: always cumulative. The private right of action under section 93.1 is independent of the other two paths. A firm can receive an AMP from the CAI for failure to notify and face a class action from its clients for the data breach. Both proceedings run in parallel, before different bodies, with different criteria.

In theory, a firm that experiences a breach through gross fault could face an AMP from the CAI (a few thousand to tens of thousands for a small firm), a criminal fine if judicially prosecuted, and a class action with a $1,000-per-person floor unrelated to its ability to pay. The class action is by far the highest financial risk.

How to Protect Yourself

The best protection against a class action under section 93.1 is not being in a position of gross fault. Basic Law 25 compliance is your first line of defense.

  • Document your compliance measures. In the event of a lawsuit, your ability to demonstrate that you had policies in place, trained your staff, and took data protection seriously will be your most powerful argument against a "gross fault" finding. A firm that can produce its privacy policy, PIAs, incident register, and training records will be in a radically different position from one with nothing.
  • React quickly to incidents. The speed of your response, the transparency of your communication, and the corrective measures you take are factors the court will consider. A well-managed, documented, and honestly communicated incident can remain just an incident. A concealed or ignored incident becomes gross fault.
  • Choose compliant vendors. Your responsibility extends to vendors processing data on your behalf. If a breach occurs at a vendor with no certifications, no DPA, and no adequate security measures, the court could consider your vendor choice itself to be gross fault. Vendors certified SOC 2 Type II or ISO 27001, with data hosted in Canada and a DPA in place, considerably reduce this risk. [Our article on vendor evaluation details the criteria to verify](/blog/law-25-vendor-compliance-evaluation).
  • Consider cyber insurance. A cybersecurity insurance policy can cover legal defense costs, notification costs, damages awarded in a class action, and crisis management expenses. For a financial services firm handling sensitive data, it is an investment that can make the difference between a costly but survivable incident and bankruptcy.
  • Purge unnecessary data. The more data you retain, the larger your exposure surface in case of a breach. Former client data you are no longer legally required to keep (beyond AMF/CIRO retention periods) is risk without benefit. Establish a clear retention policy and enforce it.

---

*This article is part of a series on Law 25 and compliance for financial services firms. See also:*

  • *[Quebec's Law 25: What Every Financial Advisor Needs to Know in 2026](/blog/quebec-law-25-guide-financial-advisors)*
  • *[Law 25 Fines: Understanding Penalty Calculations for Your Firm](/blog/law-25-fines-penalty-calculations)*
  • *[The 7 Law 25 Obligations Your Firm Must Meet Now](/blog/law-25-obligations-checklist)*
  • *[Confidentiality Incident: What to Do in the First 72 Hours](/blog/confidentiality-incident-law-25-72-hours)*
  • *[How to Evaluate Whether Your Tech Vendors Are Law 25 Compliant](/blog/law-25-vendor-compliance-evaluation)*

Frequently Asked Questions

Does the $1,000 floor apply automatically to any data breach?

No. The $1,000 floor only applies if the infringement results from intentional fault or gross fault. A breach caused despite reasonable, documented security measures applied in good faith does not necessarily trigger this mechanism. The distinction between an error and gross fault is decisive, and that's why documenting your compliance measures is so important.

Can a firm go bankrupt from a Law 25 class action?

In theory, yes. The class action has no cap and does not take the company's ability to pay into account: a firm with $500,000 in revenue facing $2M in punitive damages is looking at four times its annual income. In practice, out-of-court settlements are common and negotiated amounts are generally lower than the theoretical maximum. But the risk exists and should not be ignored.

Does cyber insurance cover punitive damages from a class action?

It depends on your policy. Some cybersecurity policies cover punitive damages, others explicitly exclude them. Check your coverage terms. Most policies cover at minimum legal defense costs, notification costs, and credit monitoring expenses. For a financial services firm, coverage including punitive damages is strongly recommended.

Can the class action target former clients' data?

Yes. Section 93.1 protects any person whose personal information has suffered an unlawful infringement. This includes former clients whose data you still retain, whether by regulatory obligation (AMF/CIRO retention) or negligence (data never purged). In the Desjardins case, nearly 4 million of the affected individuals were former clients.