CICMA Cyber Security Update
Presented by Dan Michaluk
October 18, 2021
Lamoreaux
The first class action merits decision
o Defendant is the self-regulatory organization that oversees all investment dealers
o Laptop with unencrypted data left on the subway in 2013 – never found
o Estimated 48,000 affected individuals
o Robust, transparent response by the organization
o Representative plaintiff was a victim of identity theft
o Claimed compensatory damages (actual attempted fraud plus anxiety) and punitive damages based on the response
o No compensable damages proven
• Normal anxiety associated with receiving a notification is not compensable
• Testimony provided (translation) “few details, concrete facts or significant manifestations of their psychological states”
• No causation proven regarding the identity theft – some evidence that the plaintiff’s social insurance number and driver’s licence were never even received by the defendant from his brokerage
• Defendant provided the necessary protective measures
o No punitive damages – response exemplary
• conducted investigations and carried out internal checks
• promptly informed the police
• retained a firm of consultants as quickly as possible to perform a forensic investigation
• notified the privacy commissions concerned of the loss
• notified the brokerage firms whose investors were affected by the situation
• notified the class members concerned of the loss of their personal information, by means of bilingual letters
• published a press release announcing the loss
• informed class members that it was unaware of any identity theft
Owsianik
Big wins for defendants in Ontario
o The Ontario cases are about the scope of liability for the common law privacy torts, which give access to moral damages
o In negligence, no harm means no foul
o The privacy torts are intentional, so the wrong arises from the act alone, and one who is reckless has bad intent
o Defendant was attacked in 2017 through the exploitation of web application vulnerabilities
o Announced as affecting 100,000 Canadians; 20,000 ultimately notified
o Div. Ct. overturns the intrusion upon seclusion certification decision
o “The intrusion need not be intentional; it can be reckless. But it still has to be an intrusion. It is the intrusion that has to be intentional or reckless and the intrusion that has to be highly offensive. Otherwise the tort assigns liability for a completely different category of conduct, a category that is adequately controlled by the tort of negligence.”
o Leave to appeal to the Ont. CA granted last month
Thompson
o About the theft of credit card application data by a former employee of a bank’s cloud service provider – alleged to have used her knowledge of the provider’s systems to carry out the exploit
o “A failure to prevent an intrusion, even a reckless failure to prevent, is not an intrusion.”
o No vicarious liability either – “absurd and unfair” to impose liability on a defendant for the actions of a former employee
o Contractual claims failed based on the contract terms
We are at an inflection point
Where does that leave us?
o The Lamoreaux and Owsianik defences are critical to the outcome of the privacy class action “dialogue”
o The Lamoreaux case provides good practical guidance for responders
o This cynic’s view – all the harm flows from notification alone
o We therefore must notify based on the facts and evidence – never, never notify because there’s a speculative risk of unauthorized access or theft
o Yes, there is mischief, which is why we will see logging regulation come into force in the next five years – e.g. PHIPA
New administrative compensation regime?
Keep an eye on Ontario
o If class actions prove themselves to be the wrong means of enabling justice, will there be alternatives?
o Ontario has proposed an administrative compensation regime in its privacy reform materials
o Questions
• Will it be exclusive?
• Will it be capped?
Questions?
For more information, contact:
The information contained herein is of a general nature and is not intended to constitute legal advice, a complete statement of the law, or an opinion on
any subject. No one should act upon it or refrain from acting without a thorough examination of the law after the facts of a specific situation are considered.
You are urged to consult your legal adviser in cases of specific questions or concerns. BLG does not warrant or guarantee the accuracy, currency or
completeness of this presentation. No part of this presentation may be reproduced without prior written permission of Borden Ladner Gervais LLP.
© 2020 Borden Ladner Gervais LLP. Borden Ladner Gervais is an Ontario Limited Liability Partnership.
Thank You
Dan Michaluk
Partner
416.367.6097
dmichaluk@blg.com

Cyber class action claims at an inflection point

Editor's Notes

  • #2 Nice to be here. This is a return performance. In the past I've given practical advice on the threat environment, defence and incident response. This time I actually have some new law to talk about, so I'll do that and give you an update on legal developments:   -first class action decision on its merits   -two Ontario cases   -a buried issue in 
  • #3 -we're about 10 years into our data security and privacy class action experience -finally had our first decision on the merits … -Quebec -Lamoreaux and Investment Industry Regulatory Organization of Canada  … -simple scenario -good facts, good law -lost laptop, unencrypted      -most benign scenario      -no evidence of any malicious actor  -lots of data, 48,000 affected individuals … -rep plaintiff victim of identity theft     -tort lawyers – causation -nonetheless claimed these damages
  • #4 -Feb 2021 judgment – Quebec Superior Court – 2021 QCCS 1093 … two points -anxiety -more closely connected to the loss -but draws on the common law of negligence – Mustapha v Culligan -damages for the ordinary anxieties of life are not compensable -not surprising but important -only damages that can get over the causation burden of proof is the damage caused when one opens the letter … -actual damage, from identity theft, is not proven -very hard to prove that  -here we had rebuttal information …. -make a point: IIROC provided credit monitoring -one year -suggestion is that this would have been compensable had it not been provided
  • #5 -no punitive damages  -response was exemplary -checklist-like endorsement … -informed the police -court probably views that as mitigation of harms to affected individuals -cynical view is that isn't warranted -but if a court is going to view it that way... got to do it … Reporting to law enforcement and sharing threat information is a big topic today. Don't think it will mitigate harm to the affected, but it will help in the long run
  • #6 -Lamoreaux is a civil code claim, but behaves like a negligence claim … -common law jurisdictions  -intentional privacy torts -access to moral or presumed damages -don't suffer from the causation problem that a negligence claim will almost certainly fail on … -but they are intentional torts -question about what that means -and whether the courts are willing to weed out claims alleging intentional conduct at the certification stage … -common and classic negligence scenario here – Equifax -stolen information -bad actor involved
  • #7 June 2021 decision – appeal of a cert decision – Div. Court -this is not intentional enough to warrant certification on this cause of action -really important point -if you take away the intrusion claim -and negligence is going to run into Mustapha -what's really left? -looking at contractual claims, but contractual claims can be limited
  • #8 -this is exactly what happened in Thompson – Capital One incident … -Justice Perell makes the same finding as in Equifax -more heavily articulated … -one scenario that will run you into another legal issue is an insider  -insider is intentional -Perell deals with that too -huge issue -favourable finding