Siskinds files proposed class actions against banks
By Mia Clarke, Associate Editor
The proposed class actions were filed on June 15 in the Ontario Superior Court of Justice, alleging the institutions failed to establish robust security measures to protect clients’ personal information.
According to the statements of claim, the lawsuits, which have not yet been certified, seek general, compensatory, consequential and punitive damages on behalf of affected clients of the two banks.
“When you give your information to anyone, whether it be a bank or even a department store, you expect your information to be protected,” says Dillon, a partner who heads the privacy law group at Siskinds.
“Banks should have the highest level of protection possible at all times and not simply react when something like this occurs,” he says.
“They should always be on the cutting edge of data protection technology,” says Dillon. “Banks should prioritize data protection over everything else because financial institutions are one of the main targets for these attackers.”
Two of Canada’s largest banks were targeted by hackers on May 27, 2018.
Alleged fraudsters contacted bank officials and claimed to have accessed the data of 90,000 customers, according to a CBC story. Hackers demanded $1-million in cryptocurrency or they would sell the information to criminals.
The story also says fraudulent transfers were made from client accounts.
Both banks notified the affected clients and were taking steps to mitigate the damage caused by the security breach, says the CBC.
Dillon says it’s important to notify customers quickly, so they can “take additional steps to safeguard their information.”
He says one of the banks contacted those affected within 24 hours and offered complimentary monitoring of their accounts to determine if there had been any financial impact. They promised to reimburse customers 100 per cent for any money lost. They also replaced credit and debit cards.
The CBC report says the email from the hackers ended with a sample of the information they had — the names, dates of birth, SIN and account balances of an Ontario man and a woman living in British Columbia. The woman confirmed to CBC that the information — including the answers to her three security questions — was correct.
Dillon says the biggest concern is what criminals will do with that information.
With all the requisite information, they can then apply for credit cards and go on a spending spree, he says.
“While our systems today are much more secure than they were five or 10 years ago, banks need to stay ahead of the attackers with appropriate data protection technology. Anything that can make data more secure should be done,” Dillon says.
Although the lion’s share of the cybersecurity work is up to the banks, he says there are steps that customers can take to protect their information.
“You should make sure you do online or mobile banking only on a secure connection. Generally, public wi-fi connections are not secure,” Dillon says.
“Always log out of any online or mobile banking when you have finished your transactions," he says. "It’s also a good idea to change your PIN frequently.”
If a data breach does occur, there are things customers can do to mitigate the damage.
“If you bank with other financial institutions,” says Dillon, “let them know right away that your information has been compromised and change your passwords on these accounts, especially if they were the same as the passwords on the breached account.”
He says you should also monitor billing and financial statements regularly.
“This is a good habit to get into, but I would suggest doing it more often following a data breach to ensure there is no fraudulent activity on your accounts,” says Dillon.
“It would also be wise to check your credit rating after an incident. Within a month or two, check to ensure that nothing suspicious is occurring with your account. You may even consider signing up for credit monitoring services in order to help actively protect your credit report,” he says.
Dillon says the government can also be doing more to protect consumers. With the recent General Data Protection Regulations (GDPR) coming into force in the European Union in May, he says Canada risks falling behind.
“The privacy commissioner’s power is falling behind those granted to similar positions in the EU. With this recent data breach, and other recent scandals, it is now more prudent than ever to ensure that Canadian consumers’ rights to data protection are increased to stay on pace with those in other countries,” he says.
“Canada’s Personal Information Protection and Electronic Documents Act should be updated to ensure that we stay competitive,” says Dillon.