1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

8/13/2017

0 Comments

Counting the Cost of a Cyber Attack: Litigation Cost

 
Cyber attack litigation cost

Counting the Cost of a Cyber Attack: Litigation Cost

In the last 12 months, Canada has seen high-profile data breach class action lawsuit settlements. These data breach lawsuit settlements highlight the added cost of a cyber attack: cost of defense and a judgment or settlement.

Case #1: Lozanski v. The Home Depot

​The Lozanski v. The Home Depot case rose from the data breach at Home Depot of Canada between the period of April 11, 2014 and September 13, 2014. Between this period, Home Depot’s payment card system was hacked by criminal intruders using custom-built malicious software.
 
After detecting the data breach on September 9, 2014, Home Depot notified the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta, the Office  of the Information and Privacy Commissioner of British Columbia and the Commission d'accès à l'information du Québec about the data breach.
 
On September 16, 2014, Home Depot published notices of the data breach in The Globe and Mail and in La Presse. In the newspaper notices, the company confirmed the data breach. In the said newspaper notices, the company announced that it eliminated the malicious software that was responsible for the data breach. It also announced in the same newspaper notices that customers affected by the data breach will get free credit monitoring and identity theft insurance.
 
On September 21, 2014, Home Depot emailed its more than 500,000 Canadian customers, notifying them that payment card information of some customers might have been compromised. On November 6, 2014, the company also emailed 58,605 Canadian customers, advising them that their email addresses may have been stolen in the data breach.
 
A class action was filed against Home Depot as a result of the data breach. On April 25, 2016, the parties signed a settlement agreement. The agreement specifies two major points: 1) Home Depot denies any wrongdoing; and 2) The class action members will release their claims against Home Depot.
 
On August 29, 2016, Justice Perell of the Ontario Superior Court of Justice approved the Home Depot settlement agreement, awarding the data breach victims the total amount of $400,000 and approving the counsel fee of $120,000 despite the following findings:
“The case for Home Depot being culpable was speculative at the outset and ultimately the case was proven to be very weak. The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behavior modification.” 

Case #2: Drew v. Walmart Canada

Ms. Drew in the Drew v. Walmart Canada case was a client of Walmart’s online photo center website. She provided Walmart’s photo center website her name, address, telephone number and credit card information.
 
On July 15, 2015 and October 30, 2015, Walmart informed Ms. Drew via email that “third parties” were able to access Walmart’s customers’ personal and financial information. As a result of the data breach, Ms. Drew initiated a class action against Walmart.
 
While Walmart made no admission of liability, in a settlement agreement, it agreed to the following:
  • Provide cash fund worth $400,000 to be distributed to the data breach victims – those who used Walmart’s photo center website between June 1, 2014 and July 10, 2015;
  • Provide credit monitoring services worth $350,000 for up to one year to be distributed in the order in which the claims are made; and
  • Pay the class action counsel’s fee worth $250,000.

​Justice Perell of the Ontario Superior Court of Justice in the decision dated May 30, 2017 approved the above-mentioned costs that Walmart agreed to shoulder in the settlement agreement.

Landmark Case: Jones v. Tsige

​While the Jones v. Tsige can’t be categorized as a high profile case, the ruling of this case may have sparked other litigation cases as a result of invasions of privacy. The Jones v. Tsige case, decided by the Ontario Court of Appeal in 2012, resulted in “a number of awards have been made in other cases based on common law and statutory tort claims for invasions of privacy, including situations where there was no economic harm,” lawyer Alex Cameron said in the article "Cybersecurity in Canada: Trends and Legal Risks 2017” published on the Ontario Bar Association website.
 
In the Jones v. Tsige case, the defendant used her workplace computer to access at least 174 times the private banking records of her spouse's ex-wife. The Ontario Court of Appeal ruled that even if the dependent didn’t publish, distribute or record the private banking records, she’s still liable for “moral” damages amounting to $10,000.  
 
“The defendant committed the tort of intrusion upon seclusion when she repeatedly examined the plaintiff's private bank records,” Ontario Court of Appeal said. “Proof of harm to a recognized economic interest is not an element of the cause of action.”
 
Imran Ahmad, partner at Miller Thomson LLP, in the paper “Cybersecurity in Canada: What to Expect in 2017” (PDF) wrote, “At common law, Canadian courts, recognizing the rapid pace at which technology is evolving, have been receptive to recognizing new torts advanced resulting in cybersecurity and privacy breaches (e.g., intrusion upon seclusion, disclosure of private facts, etc.) that are being advanced by plaintiffs’ counsel.” Imran added, “We anticipate this trend to continue and to see the existing torts being further tested by the courts.” 

Cases under Canada’s Digital Privacy Act

​According to privacy lawyers David Fraser and David Wallace, violations under the Digital Privacy Act “once they take effect, can lead to quasi-criminal liability (it’s not a criminal offence but it’s subject to a penalty that’s similar to a criminal offence, although the court procedures are less complicated) for both organizations and for directors personally.”
 
The Digital Privacy Act amends Canada’s Personal Information and Protection of Electronic Documents Act (PIPEDA). Under the Digital Privacy Act, Canadian organizations are required to notify individuals and organizations of all breaches of security safeguards that create a “real risk of significant harm” and to report the incident to the Office of the Privacy Commissioner of Canada. 
0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    March 2023
    February 2023
    January 2023
    December 2022
    June 2022
    May 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    Artificial Intelligence
    ATP
    Awareness Training
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Cybersecurity Tips
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    Impersonation Scams
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit