Canada: Cybersecurity Litigation Trends

The number and destructiveness of cyberattacks has increased dramatically over the last few years. With the increasing prevalence of incidents across organizations of all sizes, we expect the threat of litigation will remain a leading concern for global business leaders.

This article focuses on some of the more significant cybersecurity litigation trends that occurred in 2021. The information was taken from our Canadian Cybersecurity Trends Study 2022 published earlier this year. Although the data is based on 2021 developments, the trends have continued throughout 2022 and are expected to do the same next year.

1. Privacy Class Actions in Canada

Plaintiffs continue to struggle with certification of privacy class actions. Five contested certification motions were dismissed across Canada in 2021. The most common barrier was the absence of evidence of either misuse of personal information or compensable harm arising from access. Several courts have held that general anxiety or distress from having one's personal information accessed is not reason enough for certification.

In Ontario, two privacy class actions were certified following contested motions, with only certain causes of action allowed to proceed. One privacy class action in B.C. was certified by default judgment, when the U.S. defendant failed to appear or participate.

2. More Clarity on Intrusion Upon Seclusion

In Owsianik v. Equifax Canada Co. (Owsianik), the Ontario Court of Appeal unanimously held that intrusion upon seclusion is not a viable cause of action against a defendant who has been the victim rather than the perpetrator of a cyberattack.

Owsianikwas the lead case in a trilogy of decisions clarifying the scope of the intrusion upon seclusion tort and confirming that a defendant's alleged failure to prevent a breach of privacy by an outside party will not give rise to a claim under this tort, even if the company's data security practices were arguably reckless. (See our November 2022 Blakes Bulletin to learn more.)

3. Privacy Commissioner Investigations

Federal and provincial privacy commissioners continue to actively investigate cybersecurity incidents. The Office of the Privacy Commissioner (OPC) released several investigation reports, many related to security of personal information. One investigation of the OPC related to a large-scale breach that resulted in sensitive personal information being stolen and posted online by malicious third parties. Another investigation related to the privacy practices of an online learning system for children.

The OPC also released a joint investigation report with Alberta, B.C. and Quebec commissioners relating to the mass collection, use and disclosure of facial recognition data in contravention of federal and provincial private-sector privacy law.

4. Settlement Values in Privacy Class Actions

Settlement values for members of a class action continue to be relatively low, likely reflecting the significant litigation risk to plaintiffs. In 2021, settlement values ranged from less than C$1 to C$100 per person allegedly affected.

There is also a continuing trend of cy-près distributions of settlement funds to non-profit organizations, typically provincial law foundations and organizations with privacy-related mandates, working to strengthen data privacy. (Cy-près awards direct funds to public interest organizations in lieu of class members.) Several court decisions have approved settlement agreements with these disbursement terms.

5. Litigation Risk Increasing With Rise in Ransomware Attacks

Historically, ransomware attacks consisted of encrypting data so victims could not access their data or network. Hackers then demanded a ransom in exchange for decryption keys. Organizations with effective backups were often able to rebuild their own systems and avoid paying a ransom.

In response to these mitigation strategies, hackers are exfiltrating data (including personal information belonging to employees or customers) and threatening to publish it online if a ransom is not paid. These breaches carry an increased litigation risk because they also compromise personal information that can give rise to mandatory notification requirements.

6. Criminal Consequences for Hacking in Canada

In early 2022, the Ontario Court of Justice sentenced a hacker to nearly seven years in prison for orchestrating large-scale ransomware attacks. The accused pleaded guilty to five offences, including mischief to data, unauthorized use of a computer, two counts of extortion and participating in a criminal organization's activities. The court also provided an ancillary order of restitution to victims totalling over C$2.8-million.

The cyberattacks were conducted in several countries, with 17 Canadian victims losing almost C$3-million. The RCMP were able to seize approximately 20 terabytes of stolen data and C$30-million in cryptocurrency.

This decision establishes an important precedent for cybercrime sentencing in the future.

For permission to reprint articles, please contact the Blakes Marketing Department.

© 2020 Blake, Cassels & Graydon LLP.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.