Data breach

The plaintiff brought a consent motion to discontinue a proposed class action regarding a data breach involving Capital One.

The action had previously been stayed following a carriage motion where another action was granted carriage, but the stay was lifted after the other action was denied certification.

The court approved the discontinuance under section 29 of the Class Proceedings Act, 1992, finding that the test for discontinuance was met and ordering notice to be posted on class counsel's websites.

The plaintiff brought a motion to certify a class action against TransUnion arising from a data breach where hackers accessed the credit profiles of 37,444 individuals.

The plaintiff alleged intrusion upon seclusion, negligence, and breach of provincial privacy statutes.

The court certified the negligence and certain provincial privacy statute claims, finding they disclosed a cause of action and met the certification criteria.

However, the court refused to certify the intrusion upon seclusion claim, as binding authority established it does not apply to database defendants for hacker attacks, and struck claims under the privacy statutes of Manitoba, Newfoundland and Labrador, and British Columbia for lack of subject matter jurisdiction.

Following the dismissal of a proposed $240 billion class action regarding a data breach, the successful defendants sought costs.

The plaintiffs argued costs should be limited to a partial indemnity scale for a pleadings motion.

The court found that the plaintiffs' unsubstantiated allegations of professional misconduct against defence counsel, combined with their egregious violations of pleading rules and massive expansion of the claim, justified costs on a substantial indemnity basis.

The court awarded $725,000 to Capital One and $500,000 to Amazon Web.

The plaintiffs brought a motion to certify a $240 billion class action against a financial institution and a cloud storage provider following a massive data breach perpetrated by a former employee of the storage provider.

The plaintiffs alleged numerous causes of action, including intrusion upon seclusion, misappropriation of personality, conversion, breach of confidence, and negligence, arguing that the defendants misappropriated and misused the class members' personal information by retaining and aggregating it beyond its initial purpose.

The court dismissed the certification motion, finding that the plaintiffs' Fresh as Amended Statement of Claim egregiously contravened the rules of pleading and failed to disclose any legally viable causes of action against the corporate defendants.

The pleading was struck in its entirety without leave to amend.

The court reconsidered a previous costs award of $112,500 made against the plaintiffs following the dismissal of their refusals and interlocutory injunction motions in a proposed class action regarding a data breach.

The plaintiffs argued the defendants' costs claim reflected over-lawyering and sought costs in the cause.

The court rejected the plaintiffs' submissions, finding their motions were unnecessary, overreaching, and deplorably prosecuted.

The court confirmed the original partial indemnity costs award of $112,500 and awarded an additional $12,500 for the costs submissions, for a total of $125,000 payable to the defendants.

The plaintiffs in a proposed class action regarding a data breach sought court approval to settle and discontinue their claims against the defendant GitHub.

GitHub, an American corporation, had challenged the court's jurisdiction.

After an initial adjournment to address jurisdictional concerns, the plaintiffs submitted revised materials.

The court approved the settlement, finding that discontinuing the action against GitHub was fair, reasonable, and in the best interests of the class given the litigation risks, costs, and the fact that the remaining defendants had sufficient financial strength to meet any damages.

The plaintiffs in a proposed class action regarding a data breach sought court approval of a settlement with the defendant GitHub.

The court declined to approve the settlement as proposed, noting that it could not make a binding ruling on its own jurisdiction based on the consent of the parties, and that the substantive merits of the settlement (essentially a discontinuance) did not support approval at this stage.

At the parties' request, the motion was adjourned sine die.

The plaintiffs brought a motion to approve a class action settlement arising from data breaches at BMO and CIBC's Simplii Financial, which affected over 120,000 clients.

The hackers accessed personal information and demanded ransom payments.

The proposed settlement provided for a total payment of approximately $23 million, distributed among class members based on the type of information compromised and time spent addressing the breach.

The court applied the Mancinelli factors and found the settlement to be fair, reasonable, and in the best interests of the class, noting the litigation risks associated with the tort of intrusion upon seclusion for third-party hacker intrusions.

The parties brought a motion to approve settlement agreements and distribution protocols in class actions arising from data breaches at BMO and CIBC (Simplii) that affected over 120,000 clients.

The proposed settlements provided a combined $22.9 million to compensate class members for time spent and inconvenience, with tiered compensation based on the sensitivity of the compromised information.

The court applied the Mancinelli factors and found the settlements to be fair, reasonable, and in the best interests of the class, particularly given the litigation risks associated with the tort of intrusion upon seclusion for third-party hacker intrusions.

In a proposed class action regarding a massive data breach, the plaintiffs brought a motion for substitutional service on a defendant residing in the United States whose exact whereabouts were unknown.

The court held that because the defendant's address was unknown, the Hague Convention did not apply, and service could be effected under the Rules of Civil Procedure.

The court granted the motion, allowing substitutional service by emailing the documents to the defendant's U.S. criminal defence attorney.

The defendants in a proposed privacy class action regarding a data breach brought a motion to transfer and stay four identical Small Claims Court actions.

The court held that under s. 13 of the Class Proceedings Act, the small claims should be temporarily stayed pending the outcome of the certification motion, as allowing them to proceed would circumvent the opt-out provisions of the Act.

However, the court declined to transfer the actions to the Superior Court, finding such a transfer premature until the certification motion is decided.

The defendants brought motions across five Canadian jurisdictions to address overlapping multijurisdictional class actions regarding a data breach.

The parties reached a settlement to proceed only with the Ontario national class action and stay the actions in British Columbia, Alberta, Québec, and Nova Scotia.

The Ontario Superior Court of Justice approved the consent order dismissing the stay motion in Ontario, allowing the action to proceed subject to bi-annual reporting requirements to the case management judges in the other jurisdictions.

The defendants brought a motion to amend the class definition in a certified data breach class action.

They sought to narrow the class to persons who had active leases or loans with Nissan during a specific period, based on evidence that the stolen data sample only contained information from that timeframe.

They also sought to exclude corporate customers.

The court granted the motion to amend the timeframe, finding it supported by the evidence, but declined to exclude corporate customers at this stage, holding that the issue of whether corporations can claim intrusion upon seclusion should be determined as a separate question of law.

The plaintiff brought a motion to certify a class action against Equifax arising from a massive data breach where hackers accessed the personal information of Canadian consumers.

Equifax opposed certification of several claims, arguing that it was plain and obvious they would fail because Equifax was a victim of the hack, not the perpetrator.

The court rejected Equifax's objections, finding that the law on intrusion upon seclusion, breach of provincial privacy statutes, breach of contract, and consumer protection was not settled in the context of a database defendant allegedly recklessly enabling a hacker attack.

The court certified the proceeding as a class action.

The proposed representative plaintiffs in a class action arising from a cyberattack brought a motion for the production of third-party cybersecurity reports (the Mandiant Reports) prior to cross-examining the defendants' affiant on a certification motion.

The defendants opposed production, claiming privilege.

The court held that by relying on the investigation's findings regarding the size and scope of the class in their affidavit, the defendants waived privilege over those specific aspects of the reports.

Applying principles of waiver, relevance, and proportionality, the court ordered the defendants to produce only the excerpts of the reports relating to the size and scope of the class.

The representative plaintiff brought a motion for approval of a settlement and class counsel fees in a class action regarding a data breach on the defendants' online photocentre website.

The settlement provided for credit monitoring and reimbursement of out-of-pocket expenses up to a maximum exposure of $1.25 million.

The court found the settlement to be fair, reasonable, and in the best interests of the class, and approved the settlement along with class counsel fees of $250,000.

The plaintiff brought a proposed class action against Walmart Canada Inc. and PNI Digital Media Inc. following a data breach at Walmart's online photocentre.

The parties reached a settlement agreement providing for credit monitoring and reimbursement of out-of-pocket expenses up to a combined maximum of $750,000.

The plaintiff brought a motion on consent to certify the action as a class proceeding for settlement purposes.

The court found that all criteria under section 5(1) of the Class Proceedings Act, 1992 were met and granted the motion.