Factual background and the Petro-Points cyber incident
The case stems from a cybersecurity incident that affected Petro-Canada’s Petro-Points loyalty program operated by Suncor Énergie inc. and Produits Suncor Énergie s.e.n.c. On or about 21 June 2023, an unauthorized third party accessed Suncor’s IT network, and data associated with members of the Petro-Points program was compromised. The plaintiff, Esteben Harguindeguy, had been a Petro-Points member for roughly 15 to 17 years and, like other members, had provided personal information to participate in the program. The plaintiff alleges that the compromised data included names, email addresses, postal addresses, dates of birth and, in some cases, banking or credit information. The defendants dispute that any financial information was accessed and insist that the exposed data was limited to basic personal contact details provided on enrollment. Public communications began on social media shortly after the incident. On 24 June 2023, Suncor posted on its Twitter (now X) account about the temporary unavailability of access to Petro-Points accounts, followed by further messages on 26 June 2023 describing a cybersecurity incident, service interruptions, a cash-only policy at stations, and the unavailability of the app, points access and some car washes. On 6 July 2023, after the original authorization application had already been filed, Suncor issued a more detailed notice stating that an unauthorized party had accessed its network and that Petro-Points was affected. This notice indicated that the data obtained was limited to the member’s name and information supplied on joining the program: email address, postal address, telephone number and date of birth. Members were told that Petro-Points systems had been disabled as a precaution, that point redemption was temporarily blocked, that point balances were safe, and that a credit of points would be granted to account for the outage. 
Members were also cautioned to watch for unusual communications and were given a customer service phone number. According to the plaintiff, some physical notices at service stations instead referred vaguely to a “major issue” with the national IT system, with no explicit reference to a cybersecurity breach. He further alleges that without access to Twitter or similar platforms, many members were not adequately informed of the incident’s nature or seriousness.
Individual impact on the plaintiff and alleged consequences
Harguindeguy contends that he tried multiple times to call the dedicated toll-free number provided by Suncor, waiting on hold around 25 minutes each time, but never managed to reach a live agent, only a recording that the line was receiving a high volume of calls. He claims this undermines the truthfulness of Suncor’s representation that affected members could obtain support through that line. In terms of personal consequences, the plaintiff says that on 8 July 2023 he received a notification from Equifax Canada that his email address had been found on a fraudulent data-trading website, which caused stress and concern about identity theft. A second Equifax alert in January 2024 again indicated his email appeared on a fraudulent data-exchange site. In response to these alerts and the Petro-Canada communications, he subscribed to an additional credit monitoring service from TransUnion Canada, paying a promotional first-month fee and then higher recurring monthly charges; he seeks reimbursement of these outlays as part of his claimed damages. More broadly, he alleges that group members face various burdens and risks: delays in future credit applications, the need to closely monitor banking and credit accounts over months or years, potential closure and reopening of accounts to protect themselves, regular credit report checks, out-of-pocket ATM fees if forced to pay cash during the program outage, and possible negative effects on credit scores. He also claims moral damages—stress, anxiety, fear, inconvenience and lost time—from the exposure of their personal information and the increased risk of fraud and identity theft.
Defendants’ response and remedial measures
Suncor was allowed to file a limited evidentiary record at the authorization stage, principally an affidavit from a corporate representative and supporting documents, to clarify aspects relevant to the statutory test. The defendants maintain that no financial data belonging to Petro-Points members was accessed, directly contradicting the plaintiff’s allegation that credit or bank-account information might have been compromised. They explain that on 6, 27 and 31 July 2023 they emailed members who had a valid email address attached to their accounts, and also those who had transacted at participating Petro-Canada locations in the year preceding the incident. Those emails reassured members that their Petro-Points balances were safe and that their points would be adjusted to account for the period during which the program was offline. A further email on 22 August 2023 informed those same members that the program was functioning again and set out the formula by which the compensatory point adjustment would be calculated. Applying that formula, the plaintiff’s account received an additional 44,111 Petro-Points, purportedly representing double his average daily accumulation of points over a three-month pre-incident period multiplied by the number of days the program was down. The defendants also argue that some of the allegedly “highly sensitive” data, such as the plaintiff’s date of birth, was already publicly available on his social media profile and thus could not reasonably be treated as highly confidential in this context. They add that the point adjustments and other measures were sufficient to compensate any inconvenience or lost earning opportunities in the loyalty program itself.
Legal framework and key policy/contract terms
A central legal issue is whether the relationship between Petro-Points members and Suncor is contractual and, if so, the nature of that contract. The plaintiff relies on the Petro-Points program “Conditions,” which outline how members accumulate and redeem points and what obligations apply. The Conditions explain that Petro-Points is a loyalty program designed to reward frequent Petro-Canada customers who purchase fuel and convenience store items. They specify that points have no cash value and may only be used to claim rewards offered within the program. Importantly, the Conditions provide that by using the Petro-Points card, digital card, or linked partner card, the member acknowledges and agrees to comply with the terms and consents to the collection, use and disclosure of personal information (including name, contact information and transaction data) for administration of the program, for sending offers and personalized information, and for other purposes consistent with Suncor’s privacy policy. This contractual framework is also relevant to consumer protection law: the plaintiff argues that even though no membership fee is charged, the arrangement is a “consumer contract” for services under Quebec’s Consumer Protection Act (LPC), thereby bringing into play the statute’s rules on misleading representations and its remedial provisions. On the privacy side, the claim is anchored in Quebec’s Loi sur la protection des renseignements personnels dans le secteur privé (LPRPSP), which imposes obligations on private enterprises that collect, hold and communicate personal information in the course of business. Among other things, that law requires organizations to implement governance policies to protect personal data, adopt security measures appropriate to the data’s sensitivity and use, and respond to confidentiality incidents by mitigating harm, preventing recurrence and notifying affected individuals when statutory conditions are met. 
The plaintiff also invokes the federal personal information statute (Loi sur les renseignements personnels et les documents électroniques / PIPEDA) and its Schedule 1, which set out accountability principles and security safeguards for personal information. In the plaintiff’s view, the alleged failure to maintain adequate safeguards and to provide timely, effective notice of the incident amounts to contractual breach, because these statutory duties are integrated into Suncor’s obligations towards Petro-Points members.
Consumer protection and alleged misleading representations
Harguindeguy’s case under the Consumer Protection Act focuses on two main categories of representation. First, he says Suncor downplayed the seriousness of the breach by characterizing the compromised data as “basic contact information” and portraying its protection practices and responses as robust, despite allegedly inadequate security and remedial measures. He treats Suncor’s generic statements that “the security of your personal information is important to us” as promises that were not borne out in practice and therefore amount to false or misleading representations. Second, he attacks what he describes as deceptive assurances about a “dedicated” toll-free line for affected customers; he alleges that in reality no one answered the line despite lengthy waits, which he frames as a misleading representation about the availability of assistance. The Court analyzes these allegations through the lens of article 219 LPC (false or misleading representation), drawing on the Supreme Court of Canada’s framework in Richard v. Time Inc., which emphasizes the “general impression” created for a credulous and inexperienced consumer and whether that impression is consistent with reality. At authorization, the Court accepts that the pleadings, taken as true, support an arguable case that Suncor’s public messaging after the incident could have misled consumers about the nature and extent of the breach, the sensitivity of the data, and the accessibility of support. Because article 219 is part of Title II (prohibited practices), the plaintiff relies on article 272 LPC, which provides a range of potential remedies, including punitive damages, where a consumer has been exposed to such a practice and the statutory conditions (exposure to the representation, a subsequent contract-related act, and sufficient proximity between the representation and the contract) are satisfied. 
The Court notes that the plaintiff’s pleadings on some of these elements are thin but, given the low “colour of right” threshold, finds that they are sufficient to justify letting the consumer protection claims proceed to the merits.
Charter-based claims and punitive damages
Beyond contractual and consumer-law remedies, the plaintiff invokes Quebec’s Charte des droits et libertés de la personne to seek punitive damages for an alleged illicit and intentional violation of the right to privacy. Under article 5 of the Charter, everyone has a right to respect for their private life, and article 49 allows a person whose rights are unlawfully and intentionally infringed to seek compensation for material and moral damage, plus punitive damages where the defendant’s state of mind shows a will to cause the consequences of the wrongful act or a conscious disregard of highly probable consequences. In his “Punitive Damages” section, the plaintiff characterizes Suncor’s behavior as grossly negligent or intentionally negligent, alleging that it failed to implement industry-standard data protections, failed to detect the incident earlier, delayed in notifying members and minimized the breach, declined to offer complimentary credit monitoring, misrepresented the functionality of a dedicated help line, and generally placed cost avoidance ahead of member protection. He argues that the combination of statutory violations (under LPRPSP, PIPEDA, and the LPC) and this allegedly reckless disregard for members’ rights justifies an award of punitive damages under the Charter, as well as under article 272 LPC and the specific punitive-damage provision in article 93.1 LPRPSP. At the authorization stage, the Court emphasizes that the threshold for establishing an “arguable case” for punitive damages is low and that a full factual record will later determine whether the high standard for intentional or quasi-intentional Charter violations is in fact met. For now, the judge accepts that the pleadings, if taken as true, support a defendable claim for punitive damages under these overlapping legal bases.
The injunctive relief request and its rejection
One important aspect of the plaintiff’s original application was a request for a permanent injunction compelling Suncor to provide ongoing credit and fraud monitoring services, as well as anti-tracking protection for electronic devices associated with the compromised information. This was framed as an “ordonnance de protection” under article 509 C.p.c. The defendants argued that this proposed order was disproportionate, difficult to enforce, and in any event unnecessary to the plaintiff, who had already subscribed to third-party monitoring services even before the incident. The Court ultimately refused to authorize this injunctive component. It observed that the authorization record contained no specific pleadings that addressed the legal and factual criteria for an injunction—such as the nature of the threat justifying an “order of protection”—and that the sought order was cast in terms more suited to interlocutory relief than as a final, merits-based outcome. Since the plaintiff also sought reimbursement for his monitoring expenses as damages, the judge concluded that the injunctive claim added little beyond what could be addressed through compensatory and, if warranted, punitive damages. In light of these deficiencies, the Court found no defendable cause of action to support the injunctive relief and declined to authorize that aspect of the proceeding, even while allowing the monetary claims to go forward.
Authorization of the class action and overall outcome
Applying article 575 of the Code de procédure civile, the Court examined each authorization criterion: common questions, arguable right, group composition and adequate representation. It found that the claim raises common questions about Suncor’s alleged negligence in safeguarding personal information, its conduct after the cybersecurity incident (including the timeliness and content of notices), and the potential entitlement of group members to compensatory, moral and punitive damages. The plaintiff’s allegations, supplemented by certain defense evidence accepted only for context, demonstrate an arguable cause of action in contractual liability, consumer protection, privacy and Charter law; the judge stressed that definitive conclusions on fault or damages must await a full trial. The proposed Quebec-only group, described as all persons residing in Quebec whose personal or financial data held by Petro-Canada was compromised in the June 2023 incident or who were notified of the incident, was considered sufficiently numerous and geographically concentrated to make individual joinder or mandates impractical. Finally, Harguindeguy was found capable of adequately representing the group’s interests; the adequacy test is intentionally “minimalist” in Quebec, and no conflict of interest was identified. As a result, the Superior Court partially granted the amended application for authorization, formally authorizing a class action for compensatory and punitive damages, designating Harguindeguy as representative, and defining common issues and conclusions to be determined collectively. Importantly, this judgment is confined to authorization: it does not decide liability and it does not award any specific monetary amount. The successful party at this stage is therefore the plaintiff, as he secures authorization and representative status while losing only on his request for injunctive relief. 
Because the case has not yet proceeded to a determination on the merits, no total monetary award, costs, or damages in favour of the plaintiff or the class can be calculated from this decision, and the eventual amounts—if any—will be established only after a future trial or settlement.
Plaintiff
Defendant
Court
Quebec Superior Court
Case Number
500-06-001250-238
Practice Area
Class actions
Amount
Not specified/Unspecified
Winner
Plaintiff
Trial Start Date