2. Lamoreaux
The first class action merits decision
o Self-regulatory organization oversees all investment dealers
o Laptop with unencrypted data left on subway in 2013 – never found
o Estimated 48,000 affected individuals
o Robust, transparent response by the organization
o Plaintiff a victim of identity theft
o Claimed compensatory damages (actual attempted fraud plus anxieties) and punitive damages based on response
3. Lamoreaux
The first class action merits decision
o No compensable damages proven
• Normal anxiety associated with receiving a notification is not compensable
• Testimony provided (translation) “few details, concrete facts or significant manifestations of their psychological states”
• No causation proven regarding identity theft – some evidence that plaintiff’s social insurance number and driver’s license were never even received by defendant from his brokerage
• Defendant provided necessary protective measures
4. Lamoreaux
The first class action merits decision
o No punitive damages – response exemplary
• conducted investigations and carried out internal checks
• promptly informed the police
• retained a firm of consultants as quickly as possible to perform forensic investigation
• notified the privacy commissions concerned of the loss
• notified the brokerage firms having investors concerned about the situation
• notified the class members concerned of the loss of their personal information, by means of bilingual letters
• published a press release announcing the loss
• informed class members that it was unaware of any identity theft
5. Owsianik
Big wins for defendants in Ontario
o Ontario cases are about the scope of liability for the common law privacy torts, which give access to moral damages
o In negligence, no harm means no foul
o Privacy torts are intentional, so the wrong arises from the act alone, and one who is reckless has bad intent
o Defendant attacked in 2017 via exploit of web application vulnerabilities
o Announced as affecting 100,000 Canadians, 20,000 ultimately notified
6. Owsianik
Big wins for defendants in Ontario
o Div. Ct. overturns intrusion upon seclusion certification decision
o “The intrusion need not be intentional; it can be reckless. But it still has to be an intrusion. It is the intrusion that has to be intentional or reckless and the intrusion that has to be highly offensive. Otherwise the tort assigns liability for a completely different category of conduct, a category that is adequately controlled by the tort of negligence.”
o Leave to appeal to Ont. CA granted last month
7. Thompson
Big wins for defendants in Ontario
o About the theft of credit card application data by a former employee of a bank’s cloud service provider – alleged to have used her understanding to conduct exploits
o “A failure to prevent an intrusion, even a reckless failure to prevent, is not an intrusion.”
o No vicarious liability either – “absurd and unfair” to impose liability on a defendant for the actions of a former employee
o Contractual claims failed based on the contract terms
8. We are at an inflection point
Where does that leave us?
o The Lamoreaux and Owsianik defences are critical to the outcome of the privacy class action “dialogue”
o The Lamoreaux case provides good practical guidance for responders
o This cynic’s view – all the harm flows from notification alone
o We therefore must notify based on the facts and evidence – never, never notify because there’s a speculative risk of unauthorized access or theft
o Yes, there is mischief, which is why we will see logging regulation come into force in the next five years – e.g. PHIPA
9. New administrative compensation regime?
Keep an eye on Ontario
o If class actions prove themselves to be the wrong means of enabling justice, will there be alternatives?
o Ontario has proposed an administrative compensation regime in its privacy reform materials
o Questions
• Will it be exclusive?
• Will it be capped?
Nice to be here
This is a return performance
In the past I've given practical advice on threat environment, defence and incident response
This time I actually have some new law to talk about
So I'll do that
And give you an update on legal developments
-first class action decision on its merits
-two Ontario cases
-a buried issue in
-we're about 10 years into our data security and privacy class action experience
-finally had our first decision on the merits
…
-Quebec
-Lamoreaux and Investment Industry Regulatory Organization of Canada
…
-simple scenario
-good facts, good law
-lost laptop, unencrypted
-most benign scenario
-no evidence of any malicious actor
-lots of data, 48,000 affected individuals
…
-rep plaintiff victim of identity theft
-tort lawyers – causation
-nonetheless claimed these damages
-Feb 2021 judgement – Quebec Superior Court – 2021 QCCS 1093
… two points
-anxiety
-more closely connected to the loss
-but draws on the common law of negligence – Mustapha v. Culligan
-damages for the ordinary anxieties of life are not compensable
-not surprising but important
-the only damages that can get over the causation burden of proof are the damage caused when one opens the letter
…
-actual damage, from identity theft is not proven
-very hard to prove that
-here we had rebuttal information
…
-make a point IIROC provided credit monitoring
-one year
-suggestion is that this would have been compensable had it not been provided
-no punitive damages
-response was exemplary
-checklist like endorsement
…
-informed the police
-court probably views that as mitigation of harms to affected individuals
-cynical view is that isn't warranted
-but if a court is going to view it that way... got to do it
…
Reporting to law enforcement and sharing threat information
Is a big topic today
Don't think it will mitigate harm to affected
But it will help in the long run
-Lamoreaux is a civil code claim, but behaves like a negligence claim
…
-common law jurisdictions
-intentional privacy torts
-access to moral or presumed damages
-don't suffer from the causation problem that a negligence claim will almost certainly fail on
…
-but they are intentional torts
-question about what that means
-and whether the courts are willing to weed out claims alleging intentional conduct at the certification stage
…
-common and classic negligence scenario here - Equifax
-stolen information
-bad actor involved
June 2021 decision – appeal of a cert decision – Div. Ct.
-this is not intentional enough to warrant certification on this cause of action
-really important point
-if you take away intrusion claim
-a negligence claim is going to run into Mustapha
-what's really left?
-looking at contractual claims, but contractual claims can be limited
-this is exactly what happened in Thompson – Capital One incident
…
-Justice Perell makes same finding as in Equifax
-more heavily articulated
…
-one scenario that will run you into another legal issue is an insider
-insider is intentional
-Perell deals with that too
-huge issue
-favorable finding