Court File and Parties
COURT FILE NO.: CV-16-564080-00CP
DATE: 20180606
SUPERIOR COURT OF JUSTICE - ONTARIO
RE: LEONID KAPLAN and CHERYL JANE MIZZI, Plaintiffs
AND:
CASINO RAMA SERVICES INC., CHC CASINOS CANADA LIMITED, PENN NATIONAL GAMING, INC. and ONTARIO LOTTERY AND GAMING CORPORATION, Defendants
BEFORE: Justice Glustein
COUNSEL: Tina Q. Yang, for the Plaintiffs
Catherine Beagan Flood and Nicole Henderson, for the Defendants Casino Rama Services Inc., CHC Casinos Limited, and Ontario Lottery and Gaming Corporation
HEARD: May 22, 2018
REASONS FOR DECISION
Nature of motion
[1] The proposed representative plaintiffs, Leonid Kaplan and Cheryl Jane Mizzi (collectively, the “Plaintiffs”), bring a putative class action against the owners and operators of Casino Rama Resort (“Casino Rama”), arising out of a cyberattack announced by Casino Rama on November 10, 2016. The defendant CHC Casinos Limited (“CHC”), which operates Casino Rama, notified approximately 200,000 individuals of the cyberattack.
[2] The Plaintiffs bring this motion under s. 12 of the Class Proceedings Act 1992, S.O. 1992, c. 6 (the “Act”) for an order requiring the defendants Casino Rama Services Inc., CHC, and Ontario Lottery and Gaming Corporation (collectively, the “Defendants”)[^1] to produce the following documents, in advance of the cross-examination of John Drake (“Drake”)[^2] on his October 20, 2017 affidavit (the “Drake Affidavit”) filed in response to the certification motion:
(i) a copy of any report(s) prepared by Mandiant, a third party cybersecurity company which conducted an investigation into the cyberattack,
(ii) copies of any supporting documentation prepared by Mandiant during the course of its investigation,
(iii) copies of any documentation prepared by Casino Rama and provided to Mandiant during the course of its investigation, and
(iv) a copy of any report(s) of security audits conducted at Casino Rama in 2016 and/or 2017, including all internal and audit and investigator records concerning the scope of the cyberattack and who was affected by it.
[3] Mandiant provided two reports pursuant to its retainer with CHC and Blakes LLP (as counsel to CHC): (i) a report summarizing Mandiant’s observations, findings, and opinions arising out of its investigation of the cyberattack on Casino Rama and (ii) a report outlining suggested remediation activities (collectively, the “Mandiant Reports”).
[4] The Defendants oppose all of the requested production and ask the court to dismiss the Plaintiffs’ motion.
The Drake Affidavit
[5] In his affidavit, at paragraphs 28 to 42, Drake sets out, in a section entitled “The 2016 Cyber-Attack on Casino Rama Resort”, his understanding of the facts relevant to the cyberattack. At paragraph 30, he states:
Below, I describe certain facts that CHC has learned as a result of its investigation of this cyber-attack, conducted together with Mandiant. By doing so, however, I am not waiving any privilege that exists over communications between CHC on the one hand, and Blakes and/or Mandiant on the other. [Emphasis added.]
[6] Drake then sets out the events related to the cyberattack. In addition to certain background facts, Drake sets out his evidence (all following his statement at paragraph 30 of his affidavit) that the hacker posted links to stolen data on November 11, 2016 and November 21, 2016.
[7] With respect to the size and scope of the class of persons affected by the cyberattack, Drake’s evidence is that he understands that the only information the hacker accessed appears to have come from two specific servers. Drake states, at paragraphs 40 to 42 of his affidavit:
CHC is not aware of any further stolen information being posted online by the hacker since November 21, 2016.
CHC also does not have any evidence that the hacker was able to access information other than what was posted online on November 11 and 21, 2016. All of the information released from the hacker appears to have been taken from two specific servers. As a result of the investigation by CHC and Mandiant, CHC understands that the hacker did not access the casino’s gaming systems, the Casino Rama Resort Player Management System (the database that houses information about members of Casino Rama Resort’s players loyalty program), or the third-party system that is used to process credit cards.
Given the nature of Casino Rama Resort’s IT architecture, and Mandiant’s assessment of the tools used by the hacker, I am advised by Mr. Maynard[^3] and believe that there are many parts of the Casino Rama Resort system that this hacker could not have accessed. [Emphasis added.]
[8] The impact of Drake’s evidence is that many of the individuals who received notices from CHC would not have been affected by the data breach. That evidence is relevant to the size and scope of the prospective class on the certification motion.
Analysis
i) Overview
[9] At the hearing, counsel for the Plaintiffs advised the court that the purpose of the motion was to obtain documents relevant to the size and scope of the class and, as such, no production was sought, at this time, with respect to background facts in the Drake Affidavit about the cyberattack and the subsequent investigation.
[10] Consequently, the issue before the court on this motion is whether any of the documents sought by the Plaintiffs relevant to the issue of the size and scope of the class ought to be produced, and, if so, whether any restrictions or redactions are appropriate for such production.
[11] At the hearing, considerable argument was engaged on whether the Mandiant Reports and the other documents sought were subject to either litigation privilege or solicitor-client privilege. However, for the reasons I discuss below, I do not address those issues.
[12] If the documents sought were privileged, then the Defendants waived privilege to the extent that the Mandiant Reports address the size and scope of the prospective class. A party cannot disclose and rely on certain information obtained from a privileged source and then seek to prevent disclosure of the privileged information relevant to that issue. Waiver of privilege would be required as a matter of fairness, but limited only to the issue disclosed.
[13] Conversely, if the documents sought were not privileged, then principles of relevance would limit production of the documents to only those parts relevant to the certification motion. The Plaintiffs fairly acknowledge that the relevant issue requiring further production, arising from the Drake Affidavit, relates to the size and scope of the prospective class. Consequently, the result of the motion is the same whether or not the documents are privileged.
[14] Finally, the doctrine of proportionality would limit production only to those documents proportionate to the needs of the certification motion and what is necessary to inform the certification hearing. On that rationale, there is no basis, at this time, to order production of anything other than the excerpts of the Mandiant Reports relevant to the size and scope of the class, given Drake’s stated reliance on Mandiant’s investigation on that issue.
[15] Similarly, the issue of the admissibility of an affidavit sworn by Bryan Zarnett (“Zarnett”) on March 27, 2018 (the “Zarnett Affidavit”), is irrelevant. Zarnett, a cybersecurity expert retained by the Plaintiffs, sought to adduce evidence on this motion as to why production of the Mandiant Reports was required.
[16] The Defendants challenged the admissibility of the Zarnett Affidavit on the basis that (i) the Plaintiffs were attempting to impermissibly split their case and (ii) the Zarnett Affidavit purports to opine on the sufficiency and probative value of the evidence in the Drake Affidavit, which is a question before the court on the certification motion.
[17] Again, this issue is not relevant to my analysis. Having found that the excerpts of the Mandiant Reports that relate to the scope and size of the proposed class are to be produced under the doctrine of waiver or relevance, the Zarnett Affidavit does not assist the court on the issue.
[18] Consequently, I review below the applicable law on waiver, relevance, and proportionality and apply the law to the evidence before the court on this motion.
ii) Waiver
[19] In S.&K. Processors Ltd. v. Campbell Ave. Herring Producers Ltd., 1983 407 (BC SC), [1983] B.C.J. No. 1499 (S.C.), McLachlin J. (as she then was), summarized the general principles on waiver, at para. 6:
(i) “[W]aiver may also occur in the absence of an intention to waive, where fairness and consistency so require” and
(ii) “Thus waiver of privilege as to part of a communication will be held to be waiver as to the entire communication”.
[20] This “fairness” test has also been described by Wigmore as follows (cited in Hunter v. Rogers, 1981 710 (BC SC), [1981] B.C.J. No. 1981 (S.C.), at para. 7):
There is always also the objective consideration that when his conduct touches a certain point of disclosure, fairness requires that his privilege shall cease whether he intended that result or not. He cannot be allowed, after disclosing as much as he pleases, to withhold the remainder. He may elect to withhold or to disclose, but after a certain point his election must remain final.
[21] In the present case, even if the Mandiant Reports were privileged, Drake (at paragraph 30 of his affidavit) asks the court on the certification motion to consider “certain facts that CHC has learned as a result of its investigation of this cyber-attack, conducted together with Mandiant”.
[22] At paragraphs 40 to 42 of his affidavit, Drake asks the court on the certification motion to:
(i) accept that “[a]s a result of the investigation by CHC and Mandiant, CHC understands that the hacker did not access” many of the Casino Rama systems on which the 200,000 person notice was based, including the loyalty program for which over 190,000 notices were delivered[^4] (see paragraph 52(g) of the Drake Affidavit),
(ii) accept that “CHC also does not have any evidence that the hacker was able to access information other than what was posted online on November 11 and 21, 2016”,
(iii) conclude that “[a]ll of the information released from the hacker appears to have been taken from two specific servers”, and
(iv) conclude that “Given the nature of Casino Rama Resort’s IT architecture, and Mandiant’s assessment of the tools used by the hacker … there are many parts of the Casino Rama Resort system that this hacker could not have accessed”.
[23] In the present case, it would be unfair to the Plaintiffs to ask the court to accept the Defendants’ evidence on the size and scope of the prospective class, based on the Mandiant investigation, without producing those parts of the Mandiant Reports relating to that issue.
[24] Further, this is not a situation of limiting disclosure to the “facts” relating to the size and scope of the prospective class. In both of the cases relied upon by the Defendants, i.e. Milne v. Dorais, [1999] B.C.J. No. 913 (S.C.) and Susan Hosiery Limited v. Minister of National Revenue, 1969 1540 (CA EXC), [1969] 2 Ex. C.R. 27, the courts distinguished between discovery of facts contained in an expert’s report, which are not privileged, and findings, opinions, and conclusions of an expert, which are privileged.[^5]
[25] However, unlike in the cases relied upon by the Defendants, Drake chose to rely on an opinion or analysis of an expert, and as such, any privilege attaching to that aspect of the opinion is waived. Fairness requires disclosure of all excerpts of the opinion relevant to the part of the opinion relied upon by the waiving party.
[26] Conversely, reliance on one aspect of an opinion or report does not waive privilege with respect to other unrelated aspects. Fairness is a two-way street and the court must be cautious not to waive privilege on unrelated aspects of an opinion as an overbroad remedy to address disclosure which relates only to one aspect of the opinion. Otherwise, a decision to rely on one issue in a privileged document would result in disclosure of the entire document, which is not necessary from a fairness perspective.
[27] By way of example, in the present case, it may be that the Mandiant Reports contain numerous findings, opinions, or conclusions about the events that relate to the cyberattack (including remediation), but issues such as the liability of the Defendants with respect to the breach are not raised in the Drake Affidavit. Privilege on such other issues is not waived, nor would such evidence be relevant to the certification motion.
[28] Consequently, if privileged, I would not order production of the entirety of the Mandiant Reports, as sought by the Plaintiffs in their notice of motion and in their factum. Counsel for the Plaintiffs acknowledged at the hearing that the only production sought with respect to the Mandiant Reports was in relation to the size and scope of the class, and this position was reasonable.
[29] Finally, the Defendants submit that they cannot be said to have waived privilege since (i) they are required, under s. 5(3) of the Act, to provide “evidence as to size of class” by “provid[ing] the party’s best information on the number of members in the class” and (ii) under s. 6 (4.) of the Act, the court shall not refuse to certify the class if the number of class members or the identity of each class member is not known.
[30] The Defendants submit that they will raise a number of legal arguments as to why the Plaintiffs’ proposed class of individuals whose private information was stolen or accessed[^6] is not appropriate as a basis for certification. Those arguments will have to be addressed on the certification motion.
[31] However, the requirement under s. 5(3) of the Act is imposed so that the court can have all of the evidence relevant to the size of the class when determining whether there is an identifiable class (even without necessarily knowing the identity of each class member). The legislation imposes this requirement as a relevant factor to be addressed on a certification motion. The Defendants, having chosen to rely on information obtained from Mandiant as a basis for that evidence, cannot shield relevant excerpts from the Mandiant Reports which address that issue.
[32] Consequently, based on the doctrine of waiver, I would order production of those parts of the Mandiant Reports that relate to the size and scope of the Class, including any findings, opinions, or conclusions reached by Mandiant on those issues in its reports.
iii) Relevance
[33] I reach the same result on a consideration of the principles of relevance, if the Mandiant Reports are not privileged.
[34] In Labourers’ Pension Fund of Central and Eastern Canada (Trustee of) v. Royal Bank of Canada, 2017 ONSC 87 (“Labourers”), Perell J. summarized the law on pre-certification production (Labourers, at para. 41, citations omitted):
In class actions in Ontario, courts limit or restrict pre-certification discovery and require the production of documents and examinations to be focused on the criteria for certification. The law in Ontario is that pre-certification, there should be a focused and limited production of those documents that are shown to be relevant to the issues on certification. The law in Ontario for pre-certification discovery is that the onus is on the party seeking documents for the certification motion to explain why the requested documents are relevant to the issues on certification. Pre-certification discovery is only available where the moving party shows that the discovery is necessary to inform the certification process.
[35] A party seeking pre-certification production must explain how the documents are relevant. Bald assertions or statements that the documents may be relevant will not suffice (Dine v. Biomet Inc., 2015 ONSC 1911, at para. 9).
[36] In the present case, the broad scope of relevance asserted by the Plaintiffs in their motion material would not meet the high threshold for pre-certification production. For example, producing the Mandiant Reports to “identify IT security strengths and deficiencies and develop plans to correct vulnerabilities and mitigate risk”,[^7] goes to the merits of the action and has no relevance to the certification issues.
[37] However, Drake’s reliance on the Mandiant investigation in relation to the size and scope of the class is relevant to the certification motion. While the court shall not refuse to certify the class if the number of class members or the identity of each class member is not known, the size and scope of the class is a factor the court can consider on certification.
[38] The Defendants’ legal arguments that an “access-based” class is not appropriate will need to be assessed at the certification hearing. However, the Defendants can still rely on Drake’s evidence to assert that even if their legal arguments are not accepted, the court should reject the Plaintiffs’ submission that the approximately 200,000 people provided with notice can serve as a “proxy” for the definition of the class. Based on Drake’s evidence, the Defendants can submit that even if notice can serve as a proxy for access, the size and scope of the class should be dramatically reduced to only those who received notice and whose data was found on the two allegedly affected servers.[^8]
[39] The Defendants have put into evidence their reliance on the Mandiant investigation. As in Walter v. Western Hockey League, 2016 ABQB 608 (“Walter”), at paras. 6 and 16, the court can reasonably conclude that the information relied upon by the Defendants is relevant to the issues before the court on the certification motion. In any event, the evidence as to the size and scope of the class is relevant for the reasons I discuss above.
[40] The Defendants submit that the appropriate process to address the relevance of the Mandiant Reports is at cross-examination on the affidavits. The Defendants submit that on cross-examination, any refusal by them to produce the reports (or parts thereof) can be addressed in the context of a refusals motion brought by the Plaintiffs supported by a transcript and existing productions. I do not agree.
[41] On the evidence before the court on the present motion, the Defendants rely on the Mandiant investigation to make submissions as to the size and scope of the class. If the Defendants’ submissions as to process were adopted, there would be cross-examinations, refusals, potentially further productions, and then a further set of motions for leave in order for the Plaintiffs to file a responding affidavit from their expert in relation to size and scope of the class. Such a process would be inefficient, highly expensive, and result in repeated attendances before the court.
[42] Consequently, I adopt the same approach as in Walter, in which R.J. Hall J. ordered production of financial statements[^9] and held (Walter, at para. 15):
I do not consider this application to be premature. It short circuits the necessity for a sham examination on affidavits before the application is brought, and conserves court time and litigation expense.
[43] For the above reasons, based on the principles of relevance, even if the Mandiant Reports were not privileged, I would order disclosure only to the extent those reports relate to the size and scope of the Class, including any findings, opinions, or conclusions reached by Mandiant on those issues.
iv) Proportionality
[44] Proportionality is a concern of the court when ordering production at the pre-certification stage. Production must be “proportionate to the needs of the certification motion and what is necessary to inform the certification hearing” (Daniells v. McLellan, 2016 ONSC 5958, at para. 41).
[45] Pre-certification production should not result in an “unfair imposition on defendants” or a “potential settlement tool in the hands of a plaintiff who may not have a certifiable class action” (Matthews v. Servier Canada Inc., 1999 5900 (BC SC), [1999] B.C.J. No. 435 (S.C.), at para. 6).
[46] In the present case, whether production is ordered as a result of waiver or on the basis of relevance, principles of proportionality result in only limited production of those aspects of the Mandiant Reports that relate to the size and scope of the class.
[47] Production of excerpts from the additional documents sought by the Plaintiffs, at this time (even if limited to the size and scope of the class), would result in an “unfair imposition on defendants” or a “potential settlement tool in the hands of” the Plaintiffs. The Defendants rely on the Mandiant investigation and, as such, the production of the relevant excerpts of the Mandiant Reports is a proportionate production order at this time so that the Plaintiffs can assess whether the information contained in those excerpts enables the Plaintiffs to test the strength of Drake’s assertions in his affidavit.
[48] If the Plaintiffs seek the production of any of the additional documents after production of the relevant excerpts from the Mandiant Reports, they can later seek such relief from the court based on the evidentiary record at that time.
Order and costs
[49] For the above reasons, I order the Defendants to produce the Mandiant Reports only to the extent they relate to the size and scope of the class.
[50] There was divided success on the motion. The Plaintiffs did not obtain full production of the Mandiant Reports, nor production of the additional documents at this time. The Defendants were not successful in refusing all production. Consequently, if the parties cannot agree on costs between themselves, I defer the assessment of costs to the certification judge.
GLUSTEIN J.
Date: 20180606
[^1]: The defendant Penn National Gaming, Inc. objects to the jurisdiction of the Ontario courts and has not appeared in this action.

[^2]: (President and Chief Executive Officer of CHC)

[^3]: (Mike Maynard, Casino Rama Resort’s Director of Information Technology)

[^4]: (and over 175,000 notices were received after deductions for suppression or bounce back)

[^5]: (assuming for the purposes of the waiver analysis that the Mandiant Reports are privileged)

[^6]: At the hearing, the Defendants referred to the Plaintiffs’ proposed approach as an “access-based” class.

[^7]: (as stated by counsel for the Plaintiffs in his affidavit filed in support of the motion)

[^8]: The Defendants also assert that not everyone on the two servers was subject to a breach in the cyberattack.

[^9]: (as the defendants in Walter had relied on their financial difficulties in responding to the certification motion)

