[BreachExchange] Canada - Number of class actions involving data breaches steadily increasing

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jan 26 14:14:46 EST 2018


Class-action lawsuits involving data breaches are on the rise in response
to a changing Canadian legal landscape and the growing dependence on
electronic records, says London class-action lawyer Sabrina Lombardi.

“As the world evolves and more and more of our information passes through
electronic forms, it’s natural that we would see an increase in this type
of litigation,” she tells AdvocateDaily.com.

Since 2005, upwards of 60 Canadian class actions have been launched, the
majority filed after 2010, due in part to an increase in reported data
breaches, she says.

The momentum continued in 2012 when the tort of intrusion upon seclusion
was recognized by the Ontario Court of Appeal in a high-profile ruling,
says Lombardi, a member of the class-action group at the London, Ont.-based
firm McKenzie Lake Lawyers.

The court adopted the tort as applying to privacy cases and awarded $10,000
in nominal damages, not for verifiable harm but simply for the risk of
harm, she says.

After the decision, the legal community seemed to gear up for more data
breach class actions, Lombardi says. It was also waiting to see what form
Canada’s Anti-Spam Legislation (CASL) would take, she adds.

The legislation came in three phases.

The first, the enforcement phase, came into effect in 2014, she says. The
next phase followed in 2015, when rules about consent to notice came into
effect along with additional measures to protect consumers from viruses and

The legal community was waiting for the next phase, due in 2017, dealing
with the private right of action. New measures were expected to allow
plaintiffs to claim both compensatory damages for actual recoverable losses
and, for the first time, statutory damages.

Statutory damages could have been awarded even though no actual harm was
proven, a much more direct way of winning compensation than previously
available, Lombardi says.

In some instances the awards could have been substantial, she adds. But
that last phase was not implemented, which may have discouraged some
lawsuits, she says.

“We’re still left with the law that we have, which is still developing,”
says Lombardi.

Many class-action lawsuits are still coming forward based on negligence
claims and torts like intrusion upon seclusion and breach of privacy, she

The Equifax case in the United States is one of the most significant to
reach Canada, she says. A cyberattack on the Atlanta-based credit reporting
company in the summer of 2017 may have compromised the data of 143 million
Americans and 100,000 Canadians, according to the Canadian Press.

In September 2017, an Ontario resident proposed a class action in Ontario
Superior Court seeking $550 million in damages on behalf of Canadian
victims of the Equifax hack, the article says.

Another key decision saw the Ontario Superior Court approve a data breach
class-action settlement for people whose credit card information may have
been hacked by criminal intruders.

In its 2016 decision, the court went a long way to saying that actual harm
is required to establish damages, Lombardi says. “It also went on to advise
companies to adopt more proactive approaches to mitigating their liability
when they’re faced with a data breach. So the law is definitely still
evolving in this area in Canada.”

Data breaches come in two categories, she says.

The first is a mishap. “For instance, someone in an organization misplaces
an external hard drive or a USB key that contains personal and confidential
information,” she says.

The second category involves an actual crime where, for instance, hackers
steal company data.

In both types of breach, affected customers often accuse the companies
involved of failing to secure their data and of not having policies to
quickly inform them of any breaches, she says.

The Digital Privacy Act, which is being phased in, will make it mandatory
for companies to report data breaches to Canada’s privacy commissioner and
to affected individuals.

These tougher reporting requirements will have a positive impact on
consumers and could increase the number of class actions as people become
more aware of data breaches, Lombardi says.

Lombardi’s firm, McKenzie Lake Lawyers, is involved in a data breach
class-action lawsuit against a university and an alleged hacker. The hack
exposed the private information of some 2,000 students — including contacts
data, banking numbers, loan information and academic records, she says. The
lawsuit, commenced in May 2017, is in its beginning stages.

Individuals who suspect their private information may have been compromised
by a data breach should take proactive steps and contact the organizations
involved, she says.

Some companies will offer affected consumers a period of credit monitoring
to give them some protection and assurance that their information hasn’t
been appropriated and misused, Lombardi says.

If people suspect a breach they experienced is part of a wider problem,
they should check if a class action has been commenced, Lombardi says. They
could also contact a lawyer to explore their legal options and preserve
their right to sue should a class action be launched, she adds.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180126/2303c104/attachment.html>

More information about the BreachExchange mailing list