Counting the Cost of a Cyber Attack: Litigation Cost
In the last 12 months, Canada has seen high-profile data breach class action lawsuit settlements. These data breach lawsuit settlements highlight the added cost of a cyber attack: cost of defense and a judgment or settlement.
Case #1: Lozanski v. The Home Depot
The Lozanski v. The Home Depot case rose from the data breach at Home Depot of Canada between the period of April 11, 2014 and September 13, 2014. Between this period, Home Depot’s payment card system was hacked by criminal intruders using custom-built malicious software.
After detecting the data breach on September 9, 2014, Home Depot notified the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta, the Office of the Information and Privacy Commissioner of British Columbia and the Commission d'accès à l'information du Québec about the data breach.
On September 16, 2014, Home Depot published notices of the data breach in The Globe and Mail and in La Presse. In the newspaper notices, the company confirmed the data breach. In the said newspaper notices, the company announced that it eliminated the malicious software that was responsible for the data breach. It also announced in the same newspaper notices that customers affected by the data breach will get free credit monitoring and identity theft insurance.
On September 21, 2014, Home Depot emailed its more than 500,000 Canadian customers, notifying them that payment card information of some customers might have been compromised. On November 6, 2014, the company also emailed 58,605 Canadian customers, advising them that their email addresses may have been stolen in the data breach.
A class action was filed against Home Depot as a result of the data breach. On April 25, 2016, the parties signed a settlement agreement. The agreement specifies two major points: 1) Home Depot denies any wrongdoing; and 2) The class action members will release their claims against Home Depot.
On August 29, 2016, Justice Perell of the Ontario Superior Court of Justice approved the Home Depot settlement agreement, awarding the data breach victims the total amount of $400,000 and approving the counsel fee of $120,000 despite the following findings:
“The case for Home Depot being culpable was speculative at the outset and ultimately the case was proven to be very weak. The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behavior modification.”
Case #2: Drew v. Walmart Canada
Ms. Drew in the Drew v. Walmart Canada case was a client of Walmart’s online photo center website. She provided Walmart’s photo center website her name, address, telephone number and credit card information.
On July 15, 2015 and October 30, 2015, Walmart informed Ms. Drew via email that “third parties” were able to access Walmart’s customers’ personal and financial information. As a result of the data breach, Ms. Drew initiated a class action against Walmart.
While Walmart made no admission of liability, in a settlement agreement, it agreed to the following:
Justice Perell of the Ontario Superior Court of Justice in the decision dated May 30, 2017 approved the above-mentioned costs that Walmart agreed to shoulder in the settlement agreement.
Landmark Case: Jones v. Tsige
While the Jones v. Tsige can’t be categorized as a high profile case, the ruling of this case may have sparked other litigation cases as a result of invasions of privacy. The Jones v. Tsige case, decided by the Ontario Court of Appeal in 2012, resulted in “a number of awards have been made in other cases based on common law and statutory tort claims for invasions of privacy, including situations where there was no economic harm,” lawyer Alex Cameron said in the article "Cybersecurity in Canada: Trends and Legal Risks 2017” published on the Ontario Bar Association website.
In the Jones v. Tsige case, the defendant used her workplace computer to access at least 174 times the private banking records of her spouse's ex-wife. The Ontario Court of Appeal ruled that even if the dependent didn’t publish, distribute or record the private banking records, she’s still liable for “moral” damages amounting to $10,000.
“The defendant committed the tort of intrusion upon seclusion when she repeatedly examined the plaintiff's private bank records,” Ontario Court of Appeal said. “Proof of harm to a recognized economic interest is not an element of the cause of action.”
Imran Ahmad, partner at Miller Thomson LLP, in the paper “Cybersecurity in Canada: What to Expect in 2017” (PDF) wrote, “At common law, Canadian courts, recognizing the rapid pace at which technology is evolving, have been receptive to recognizing new torts advanced resulting in cybersecurity and privacy breaches (e.g., intrusion upon seclusion, disclosure of private facts, etc.) that are being advanced by plaintiffs’ counsel.” Imran added, “We anticipate this trend to continue and to see the existing torts being further tested by the courts.”
Cases under Canada’s Digital Privacy Act
According to privacy lawyers David Fraser and David Wallace, violations under the Digital Privacy Act “once they take effect, can lead to quasi-criminal liability (it’s not a criminal offence but it’s subject to a penalty that’s similar to a criminal offence, although the court procedures are less complicated) for both organizations and for directors personally.”
The Digital Privacy Act amends Canada’s Personal Information and Protection of Electronic Documents Act (PIPEDA). Under the Digital Privacy Act, Canadian organizations are required to notify individuals and organizations of all breaches of security safeguards that create a “real risk of significant harm” and to report the incident to the Office of the Privacy Commissioner of Canada.