Data breach

Panasonic Canada Inc. brought an application for a declaration that its insurance claim with XL Specialty Insurance Company was subject to a $1.5 million USD retention and sought coverage for replacement laptops purchased as reasonable mitigation following a cyber-attack.

XL contended that a $3 million USD retention applied because the claim involved a "ransomware event" under Endorsement 23 of the policy.

The court found that Panasonic's claim attracted the lower $1.5 million USD retention, that the laptop purchases were reasonable and necessary mitigation expenses, and that the property damage exclusion did not apply.

The court granted Panasonic's application, save for six laptops that were not shown to be necessary.

This motion concerned the approval of a class action settlement arising from a 2020 ransomware attack on Blackbaud, a cloud software provider, which resulted in the exfiltration of personal data of its customers' constituents.

Despite the data breach, no evidence of actual harm or misuse of the exfiltrated data emerged over four years.

The plaintiff sought certification for settlement purposes and approval of a cy-près settlement of $340,000, to be distributed to two academic institutions focused on internet policy and data security.

The court approved the settlement, finding it fair and reasonable given the low likelihood of success in litigation due to the absence of provable damages and the unlikelihood of establishing claims in negligence or intrusion upon seclusion.

The court also approved an unusual notice plan, dispensing with pre-approval notice to the class due to the impracticality of identifying and notifying class members and the low value of the opt-out right.

However, the court significantly reduced class counsel's requested fees from 33.3% to approximately 17.5% of the settlement amount, citing the case's lack of objective success and to discourage the "churning of bad cases."

This appeal concerned the dismissal of a proposed class action against Capital One and Amazon Web following a data breach.

The motion judge had struck the appellants' pleadings without leave to amend and dismissed their certification motion, finding the case 'doomed to fail'.

The Court of Appeal upheld the motion judge's decision, affirming that the pleadings failed to disclose viable causes of action for data misuse (intrusion upon seclusion, misappropriation of personality, conversion, breach of confidence/trust/fiduciary duty) and data breach (negligence, statutory claims).

The Court also upheld the decision to deny leave to amend the pleadings, citing repeated opportunities and the defective nature of the claims.

The appellants' motion for an extension of time to appeal costs was also dismissed.

The defendant High Tide Inc. brought a Rule 21 motion to dismiss the action against it by Highland Cannabis Inc., alleging the claims were frivolous, vexatious, and an abuse of process, and that the pleaded torts of intrusion upon seclusion and conversion were not available.

The court found that the claims against High Tide Inc. were frivolous and vexatious, and that neither the tort of intrusion upon seclusion nor conversion applied to the facts of a data breach involving business sales data.

The motion was granted, and the action against High Tide Inc. was dismissed.

This is a motion for certification for settlement purposes in a proposed privacy law class action concerning a data breach affecting 8.6 million customers of LifeLabs.

The parties reached a settlement agreement, and the plaintiffs sought court approval for certifying the action for settlement, approving the settlement notices (Short and Long Form), and a plan for their dissemination.

The court granted the motion, finding that all criteria for certification were met, albeit less rigorously applied in the settlement context.

The settlement involves a guaranteed fund of $4.9 million and a contingent fund of $4.9 million, with claimants receiving a minimum of $50.

The appellant, Glenn Winder, appealed a motion judge's decision that his claim for the intentional tort of intrusion upon seclusion against Marriott International, Inc. did not disclose a cause of action.

The lawsuit stemmed from a data breach of Marriott's Starwood hotels reservation database.

Winder argued that Marriott's collection and storage of personal information, in a manner that did not meet its representations and legal obligations regarding security, constituted an invasion of privacy, vitiating consent.

The Court of Appeal affirmed the motion judge's decision, holding that the tort of intrusion upon seclusion requires an actual intrusion into private affairs, not merely a failure to safeguard information from third-party intrusion.

The court found no facts pleaded to support that Marriott itself disclosed or caused disclosure of the information, distinguishing it from a failure to protect against external hacking.

This appeal concerns the applicability of the tort of intrusion upon seclusion to "Database Defendants" (entities that collect and store personal information) when a data breach occurs due to the alleged negligence or recklessness of the defendant, but the actual intrusion is committed by independent third-party hackers.

The Court of Appeal for Ontario affirmed the Divisional Court's decision, holding that the tort of intrusion upon seclusion, as defined in Jones v. Tsige, requires an act of intrusion by the defendant itself, not merely a failure to prevent intrusion by others.

The court dismissed the appeal, concluding that the plaintiffs' claim, which alleged Equifax's failure to protect data from hackers, did not disclose a viable cause of action for intrusion upon seclusion against Equifax.

This is an appeal from a motion judge's refusal to certify a claim for intrusion upon seclusion against Trans Union of Canada, Inc. in a class action.

The appellant alleged that Trans Union, a "Database Defendant," enabled third-party hackers to access private information due to inadequate security.

The Court of Appeal for Ontario dismissed the appeal, holding that the tort of intrusion upon seclusion, as recognized in Jones v. Tsige, does not extend to "Database Defendants" for the actions of independent third-party hackers, as there is no basis for vicarious liability in such circumstances.

The court also confirmed its jurisdiction to hear the appeal, treating the refusal to certify as a final order effectively dismissing the claim.

This decision addresses a class action arising from a cyber breach of CarePartners' computer system.

The plaintiffs sought certification of the class for settlement purposes, approval of the settlement agreement, and approval of class counsel fees and honoraria for the representative plaintiffs.

The court granted all motions, certifying the class, approving a $3.44 million settlement fund, a 20% contingency fee for class counsel, and $5,000 honoraria for each representative plaintiff.

The judgment notably provides a detailed analysis and affirmation of the practice of awarding honoraria to representative plaintiffs in class actions, disagreeing with a recent decision that sought to end the practice, and outlining factors for assessing their quantum.

In a proposed class action arising from a data breach of Marriott's hotel reservation database, the parties stated a question of law under Rule 21(1)(a) as to whether the plaintiff pleaded a legally viable cause of action for intrusion on seclusion.

The plaintiff argued that Marriott, by allegedly obtaining data under false pretenses and failing to protect it, was a 'constructive intruder'.

The court rejected this argument, following binding precedent that the tort of intrusion on seclusion applies only to actual intruders, not to defendants who fail to prevent a third-party hack.

The court concluded the Statement of Claim did not disclose a cause of action for intrusion on seclusion against Marriott.

In a proposed class action regarding a data breach, the plaintiffs brought a motion for an injunction to enjoin or supervise communications from the defendants to putative class members.

The defendants intended to send a notice to 51,000 affected individuals offering free credit monitoring.

The court dismissed the motion, finding no reason to intervene as the proposed notice did not affect the integrity of the class proceedings or compromise the putative class members' rights.

The plaintiffs in a proposed class action regarding a data breach brought motions to compel answers to questions refused on cross-examinations of two affiants and an omnibus motion to strike out various affidavits, factum paragraphs, and a sealing motion.

The court dismissed the refusals motions, finding the questions asked were beyond the narrow scope of the underlying motions (an injunction motion and a sealing motion) and were properly refused.

The court also dismissed the omnibus motion, finding no reason to strike the evidence or alter the timetable for the upcoming jurisdiction and certification motions.

Three competing groups of law firms sought carriage of a proposed class action against LifeLabs following a massive data breach affecting 15 million patients.

The court evaluated the competing proposals based on factors including the experience of counsel, overall approach, and proposed fee arrangements.

Carriage was awarded to the McPhadden Group (the Carter action) because their proposal for a single national class action was preferred over parallel actions, and their proposed contingency fee arrangement was significantly more cost-effective for the class.

Two rival consortia of law firms brought a carriage motion to determine who would prosecute a class action against Capital One, Amazon, and GitHub regarding a massive data breach affecting 6 million Canadians.

The court evaluated the competing case theories, noting that while both actions were viable, the Del Giudice Action's strategy of including Amazon and GitHub as defendants, despite adding complexity and litigation risk, was preferable for advancing the interests of the class and the goals of the Class Proceedings Act.

Carriage was granted to the Del Giudice Action.

The plaintiffs brought a motion to certify a class action against Nissan following a data breach where an unknown employee accessed and stole the personal information of thousands of customers, demanding a ransom.

The court found that the plaintiffs satisfied the certification requirements under s. 5(1) of the Class Proceedings Act.

The court certified common issues relating to vicarious liability for the tort of intrusion upon seclusion, negligence, aggregate damages, and punitive damages, while narrowing the proposed class definition.

Two competing consortiums of class counsel brought a carriage motion to determine who would represent the proposed class in a national class action against Marriott regarding a massive data breach.

The court evaluated the standard carriage factors, finding most to be neutral.

The determinative factor was the interrelationship of class actions in multiple jurisdictions.

The court favoured the Winder Action because its counsel did not concede the necessity of overlapping regional class actions and was prepared to use multi-jurisdictional protocols to resolve the overlapping claims, whereas the Kogut Action consortium planned to run multiple overlapping actions across Canada.

Carriage was granted to the Winder Action and the competing actions were stayed.

In a proposed class action arising from data breaches, the plaintiffs brought a motion seeking production of Yahoo's database of 16.9 million Canadian users to cross-examine the defendants' expert on the certification motion.

The court dismissed the motion, finding that the plaintiffs failed to meet the onus of explaining how access to the database was relevant to the certification motion and that the request was disproportionate.

This motion concerned the approval of a class action settlement and class counsel fees following a data breach at Home Depot.

The court approved the settlement, finding it fair and reasonable given the low likelihood of success for class members.

However, the court denied honoraria for representative plaintiffs and significantly reduced the requested class counsel fees from $406,800 to $120,000, emphasizing that fees must be proportionate to the actual benefit received by the class members, which was valued at approximately $400,000.

The defendant bank sought leave to appeal to the Divisional Court from an order certifying a class proceeding arising from unauthorized access to customer information by a bank employee.

The proposed appeal challenged the class definition, the certification of a waiver of tort claim, and the certification of claims for non‑pecuniary damages in negligence and contract without proof of psychiatric injury.

The court held that the certification judge had applied the correct low threshold applicable at the pleadings and certification stage and that the bank had not shown conflicting authority or good reason to doubt the correctness of the order under Rule 62.02(4) of the Rules of Civil Procedure.

The court further held that the class definition was not impermissibly over‑inclusive and that the waiver of tort issue met the “some basis in fact” standard for certification.

Leave to appeal was therefore refused.

The representative plaintiff in a certified class proceeding sought court approval of a settlement and approval of class counsel fees under the Class Proceedings Act, 1992 following a cyber‑attack on the defendants’ PlayStation Network and related online services that allegedly compromised personal information and interrupted access.

The settlement provided cash payments for unused account balances, online service benefits, and reimbursement of up to $2,500 for proven identity theft losses.

Notice of certification and settlement was distributed to millions of account holders and resulted in minimal opt-outs and no objections.

The court considered the applicable factors for settlement approval in class proceedings and concluded the agreement was fair, reasonable, and in the best interests of the class.

The requested class counsel fee of $265,000 was also approved as reasonable in light of the risk and work undertaken.