Michael Ford (post until Oct. 31/19)
Class Action

Number of class actions involving data breaches steadily increasing

Class-action lawsuits involving data breaches are on the rise in response to a changing Canadian legal landscape and the growing dependence on electronic records, says London class-action lawyer Sabrina Lombardi.

“As the world evolves and more and more of our information passes through electronic forms, it’s natural that we would see an increase in this type of litigation,” she tells AdvocateDaily.com.

Since 2005, upwards of 60 Canadian class actions have been launched, the majority filed after 2010, due in part to an increase in reported data breaches, she says. 

The momentum continued in 2012 when the tort of intrusion upon seclusion was recognized by the Ontario Court of Appeal in a high-profile ruling, says Lombardi, a member of the class-action group at the London, Ont.-based firm McKenzie Lake Lawyers.  

The court adopted the tort as applying to privacy cases and awarded $10,000 in nominal damages, not for verifiable harm but simply for the risk of harm, she says. 

After the decision, the legal community seemed to gear up for more data breach class actions, Lombardi says. It was also waiting to see what form Canada’s Anti-Spam Legislation (CASL) would take, she adds.

The legislation came in three phases.

The first, the enforcement phase, came into effect in 2014, she says. The next phase followed in 2015, when rules about consent to notice came into effect along with additional measures to protect consumers from viruses and malware.

The legal community was waiting for the next phase, due in 2017, dealing with the private right of action. New measures were expected to allow plaintiffs to claim both compensatory damages for actual recoverable losses and, for the first time, statutory damages.

Statutory damages could have been awarded even though no actual harm was proven, a much more direct way of winning compensation than previously available, Lombardi says.

In some instances the awards could have been substantial, she adds. But that last phase was not implemented, which may have discouraged some lawsuits, she says. 

“We’re still left with the law that we have, which is still developing,” says Lombardi.

Many class-action lawsuits are still coming forward based on negligence claims and torts like intrusion upon seclusion and breach of privacy, she says. 

The Equifax case in the United States is one of the most significant to reach Canada, she says. A cyberattack on the Atlanta-based credit reporting company in the summer of 2017 may have compromised the data of 143 million Americans and 100,000 Canadians, according to the Canadian Press

In September 2017, an Ontario resident proposed a class action in Ontario Superior Court seeking $550 million in damages on behalf of Canadian victims of the Equifax hack, the article says.

Another key decision saw the Ontario Superior Court approve a data breach class-action settlement for people whose credit card information may have been hacked by criminal intruders. 

In its 2016 decision, the court went a long way to saying that actual harm is required to establish damages, Lombardi says. “It also went on to advise companies to adopt more proactive approaches to mitigating their liability when they’re faced with a data breach. So the law is definitely still evolving in this area in Canada.”

Data breaches come in two categories, she says.

The first is a mishap. “For instance, someone in an organization misplaces an external hard drive or a USB key that contains personal and confidential information,” she says. 

The second category involves an actual crime where, for instance, hackers steal company data. 

In both types of breach, affected customers often accuse the companies involved of failing to secure their data and of not having policies to quickly inform them of any breaches, she says. 

The Digital Privacy Act, which is being phased in, will make it mandatory for companies to report data breaches to Canada’s privacy commissioner and to affected individuals.  

These tougher reporting requirements will have a positive impact on consumers and could increase the number of class actions as people become more aware of data breaches, Lombardi says.

Lombardi’s firm, McKenzie Lake Lawyers, is involved in a data breach class-action lawsuit against a university and an alleged hacker. The hack exposed the private information of some 2,000 students — including contacts data, banking numbers, loan information and academic records, she says. The lawsuit, commenced in May 2017, is in its beginning stages.

Individuals who suspect their private information may have been compromised by a data breach should take proactive steps and contact the organizations involved, she says. 

Some companies will offer affected consumers a period of credit monitoring to give them some protection and assurance that their information hasn’t been appropriated and misused, Lombardi says. 

If people suspect a breach they experienced is part of a wider problem, they should check if a class action has been commenced, Lombardi says. They could also contact a lawyer to explore their legal options and preserve their right to sue should a class action be launched, she adds.

To Read More Sabrina Lombardi Posts Click Here
Lawyer Directory
BridgePoint Financial Services (post to 5.31.19)Toronto Lawyers Association (post to 6.30.19)MKD International (post until Sept. 30/19)Feldstein Family Law (post until May 31/19)Legal Print & Copy Inc.Kotak Personal Injury LawyersLawrence ForstnerAchkar Law