SecurityInChina International Corp. v. Bank of Montreal
COURT FILE NO.: 1778/17
DATE: 2019-12-11
SUPERIOR COURT OF JUSTICE - ONTARIO
RE: SecurityInChina International Corp., Plaintiff
AND: Bank of Montreal, Defendant
BEFORE: Justice A. K. Mitchell
COUNSEL: D. MacKeigan, for the moving party (Plaintiff); M. Doherty, for the responding party (Defendant)
HEARD: November 27, 2019
ENDORSEMENT
Overview
[1] The plaintiff brings this motion pursuant to Rule 30.06 of the Rules of Civil Procedure[^1] (the “Rules”) seeking production of the following documents in advance of examinations for discovery:
(i) details of the electronic transfers referred to in the statement of claim (i.e., which computers and IP addresses were used each time according to BMO’s records, country of origin, account funds were transferred to, whether the plaintiff’s security questions were asked or answered, logs showing when and how the account was accessed, etc.);
(ii) documents relating to other online bank security breaches between August 2015 and August 2016;
(iii) documents and specifications relating to the security applied to the bank’s website and application (i.e., level of encryption, secure headers, limiting login attempts, security misconfigurations, webapp components and security flaws, etc.); and
(iv) documents, notes and records relating to the bank’s alleged efforts to recover funds from TD Canada Trust, Bank of Nova Scotia, CIBC and Royal Bank of Canada and particulars of those accounts with TD Canada Trust, Bank of Nova Scotia, CIBC and Royal Bank of Canada and recipients of the unauthorized transfers.
[2] The defendant agrees to produce the documents described in (i) and (iv) on the basis they relate specifically to the subject transfers. The defendant opposes production of the documents described in (ii) and (iii) on the basis the documents are unrelated to the Transfers, are proprietary in nature and/or their production is prohibited by the provisions of the Personal Information Protection and Electronic Documents Act[^2] (“PIPEDA”).
[3] Out of an abundance of caution, the defendant brings a cross-motion seeking a sealing order should production of the documents in (ii) and/or (iii) be ordered by this Court.
Background
[4] This action involves a claim for damages in the amount of $150,000 arising from the defendant’s alleged negligence and breach of contract with respect to 87 on-line transfers from the plaintiff’s business bank account totalling $149,755 over the period August 19, 2015 through June 16, 2016 (collectively, the “Transfers”).
[5] The plaintiff claims that it did not authorize the Transfers and alleges the defendant was negligent in its oversight of the account during this period. The plaintiff claims the defendant bank’s negligence enabled unauthorized persons to access the plaintiff’s bank account and effect the Transfers.
[6] The defendant denies liability for the plaintiff’s losses and pleads and relies on the provisions of agreements governing the parties’ banking relationship. The defendant specifically denies the Transfers were unauthorized, denies it owed a duty of care, denies any gross negligence, technical problems and/or system malfunctions and alleges the plaintiff has failed to mitigate its damages for failing to monitor its account and report any unauthorized use promptly.
[7] The statement of claim was issued on August 4, 2017 and a statement of defence was served on June 6, 2018.
Analysis
[8] Rule 30.06 requires production of every document relevant to any matter in issue in an action. However, the law does not permit “fishing expeditions”[^3] nor does it permit production of documents relevant only to the issue of credibility[^4].
[9] Rule 30.02[^5] reads:
(1) Every document relevant to any matter in issue in an action that is or has been in the possession, control or power of a party to the action shall be disclosed as provided in rules 30.03 to 30.10, whether or not privilege is claimed in respect of the document.
(2) Every document relevant to any matter in issue in an action that is in the possession, control or power of a party to the action shall be produced for inspection if requested, as provided in rules 30.03 to 30.10, unless privilege is claimed in respect of the document.
[10] The concept of proportionality was expressly introduced on January 1, 2010. Proportionality is an overarching consideration for the court when applying the Rules. Rule 1.04(1.1)[^6] provides:
In applying these rules, the court shall make orders and give directions that are proportionate to the importance and complexity of the issues, and to the amount involved, in the proceeding.
[11] Since the January 1, 2010 amendments, the “semblance of relevance test” is no longer the law in Ontario. Relevance is determined by the issues raised in the pleadings.
[12] Discovery proportionality requires the court to consider whether,
(a) the time required for the party or other person to answer the question or produce the documents would be unreasonable;
(b) the expense associated with answering the question or producing the document would be unjustified;
(c) requiring a party or other person to answer the question or produce the document would cause him or her undue prejudice;
(d) requiring the party or other person to answer the question or produce the documents would unduly interfere with the orderly progress of the action; and
(e) the information or the document is readily available to the party requesting it from another source.[^7]
[13] The test for production of documents is relevance and proportionality. Relevance is the threshold issue on this motion; however, proportionality is the guiding principle at the outset. The test for proportionality in discovery requires a recognition that the time and expense related to any civil proceeding must be proportionate both to the amount in dispute as well as the importance of the issues at stake in the proceeding.[^8]
[14] With those general principles in mind, I will now turn to the specific documentation requested by the plaintiff.
1. Documents relating to other online bank security breaches between August 2015 and August 2016
[15] The Supreme Court of Canada in R. v. Handy held that similar fact evidence is presumptively inadmissible, except in rare cases where a plaintiff can establish that there is a pattern of behaviour.[^9] The Supreme Court outlined the following factors to consider in deciding whether to admit similar fact evidence[^10]:
(i) proximity in time of the similar acts;
(ii) extent to which the other acts are similar in detail to the charged conduct;
(iii) number of occurrences of the similar acts;
(iv) circumstances surrounding or relating to the similar acts;
(v) any distinctive feature(s) unifying the incidents;
(vi) intervening events;
(vii) any other factor which would tend to support or rebut the underlying unity of the similar acts.
[16] I was referred to the decision of the Ontario Court of Appeal in Blackburn v. Midland Walwyn Capital Inc.[^11] The defendants had appealed the trial decision finding them negligent and liable for the plaintiffs’ losses. The plaintiffs cross-appealed claiming the trial judge erred by failing to admit similar fact evidence at trial. At trial, the plaintiffs sought production of documents and evidence with respect to other account holders of their stockbroker who had been supervised by the same management at the brokerage firm. The Court of Appeal dismissed the appeal and cross-appeal finding at paragraph 37:
The proposed evidence was not relevant to the issue of whether Midland was negligent in its supervision of the Blackburns’ accounts. Arguably, the evidence was tendered to show a general disposition and to colour the trial judge’s view of the brokerage firm. The trial judge concluded that the essential items such evidence would address had already been tendered and would have no probative value.
[17] The admission of similar fact evidence requires that the probative value of the evidence outweigh the highly prejudicial effect of propensity reasoning which similar fact evidence invites.
[18] The plaintiff submits that at the discovery stage the court should not rigidly apply the Handy test. I was referred to the decision in City of Toronto v. MFP Financial Services Ltd.[^12] at para. 29 wherein Master MacLeod dealing with a motion to amend pleadings to plead similar facts stated: “…[T]he fact that similar facts are not pleaded will not necessarily prevent discovery of similar facts or preclude the trial judge from admitting similar fact evidence.”
[19] In response, the defendant referred me to the appeal decision in Meuwissen (Litigation Guardian of) v. Perkin which considered the issue of similar fact evidence in the context of document discovery. The plaintiffs brought a motion prior to examinations for discovery seeking records of previous complaints about a defendant doctor, as well as medical records from patients in five other court proceedings. Nolan J. sitting on appeal of the Master’s decision allowed the defendants’ appeal of the Master’s production order with respect to documents relating to proceedings involving the same defendant doctor. After citing the Handy principles, the court found the documents irrelevant, prejudicial to the defendants and a significant intrusion on the privacy rights of non-parties. It is important to note that in Meuwissen this form of documentary discovery was denied in circumstances where the plaintiffs had put the pattern of behaviour in issue in their pleading.
[20] That is not the case here. The plaintiff has not pleaded that the Transfers are part of a series or chain of unauthorized transfers occurring in the online accounts of other customers of the bank during the same time period. It is not alleged that the Transfers are part of a systemic issue which transcends the Transfers being simply an isolated breach of security with respect, only, to the plaintiff’s online account.
[21] The court’s statement in MFP is correct in the context of an amendment motion. However, on a production motion, there must be some basis for the document request. That basis must be relevance. In this case, there is no evidence of unauthorized transfers in other customer accounts. The evidence of the bank on examination for discovery may ultimately support this request; however, at this stage this request is purely speculative.
[22] In MFP, Blackburn and Meuwissen there was similar fact evidence for the court to consider. However, as was noted in Leduc v. Roman[^13] at paragraph 14: “…[A] motion under Rule 30.06 requires evidence, as opposed to mere speculation, that potentially relevant undisclosed documents exist.” Here, there is no evidence suggesting the accounts of other customers of the bank were compromised during the same time period and therefore no evidence that documents relating to the accounts of these other customers exist. At this stage, the stated relevance of these documents relating to other bank customers is conjecture and the request for these documents constitutes a “fishing expedition”.
2. Documents and specifications relating to the security applied to the Bank of Montreal website and application
[23] With respect to the documents requested in (iii), the plaintiff points to an agreement between the parties entitled: Everyday Banking for Business Plan Agreement (the “Banking Agreement”). The Banking Agreement deals in part with unauthorized transactions and activity within the plaintiff’s account. Specifically, paragraph 4 provides:
The Customer will not be liable for any losses from unauthorized use of the Card or the services due to circumstances beyond the Customer’s control. These are situations where the Customer could not have prevented and did not knowingly contribute to the unauthorized use and did not breach the provisions of section 3 or this section 4. Such circumstances include Bank errors, technical problems or system malfunctions. The Customer may be liable for all losses from unauthorized use of the Card if the Customer:
• knowingly contributed to its unauthorized use;
• willingly disclosed the Secret ID Codes;
• did not keep the Secret ID Codes separate from the Card; or
• did not notify the bank by telephone within 24 hours of learning that the Card was lost or stolen or that the confidentiality of the Secret ID codes was compromised.
[24] The defendant pleads in its statement of defence that the plaintiff is liable for any losses arising from the Transfers on the basis its conduct falls within one or more of the four categories listed above. The defendant further relies on the Incorporated Company Certificate and Agreement dated November 16, 2007 (the “Certificate”) executed by the plaintiff in favour of the bank whereby the plaintiff agreed, upon receipt of the monthly statement associated with its business account, to check the debit and credit entries, examine the cheques and vouchers and notify the bank in writing of any errors, irregularities or omissions within 30 days of the delivery of the statement. The Certificate provides that upon the expiration of the 30-day period, the statement and the balances shown in the statement are deemed conclusively settled between the bank and the plaintiff and all amounts shown on the statement are authentic and properly charged to the plaintiff’s account. It is not disputed that the plaintiff did not check its monthly bank statements for a period of 10 months.
[25] Plaintiff’s counsel quite rightly reminded me that this is a motion for production, not a motion for summary judgment. Consequently, a thorough review of the merits of the plaintiff’s claim is not necessary. Moreover, I agree that interpreting the application, effect and supremacy of the various provisions of the agreements governing the parties’ banking relationship is a matter for the trial judge, not the motions judge.
[26] The plaintiff submits that it requires production of documents and specifications relating to the security applied to the bank’s website and application so as to enable it to determine whether the Transfers occurred as a result of bank errors, technical problems or system malfunctions for which the defendant is responsible pursuant to the Banking Agreement.
[27] The defendant opposes production on the basis the requested documents are too broadly described. Moreover, the defendant submits that disclosure of the bank’s proprietary information could lead to a security breach if the information was obtained by interested third parties (hackers) and would violate the bank’s privacy obligations pursuant to s. 4.7 of PIPEDA. Last, the defendant submits the requested documents are irrelevant as the plaintiff has not pleaded a security breach of the bank’s systems generally rather only unauthorized access of the plaintiff’s bank account.
[28] I find that at this stage in the proceedings, there is no evidence of a systemic problem or system-wide breach. I further find that the request for documents and specifications relating to the security applied to the bank’s website and application is premature and disproportionate to the losses claimed.
[29] Of further concern is that the plaintiff’s request is lacking in scope. The request conceivably includes disclosure of the bank’s software coding and algorithms which is proprietary. Surely, such information cannot form the subject matter of an order for production with respect to any claim between the bank and its retail customers based in negligence. It may be that evidence provided during the course of examinations for discovery will enable the plaintiff to narrow and focus its request. As was noted by Brown J. (as he then was) in Leduc further at para. 14: “…When dealing with categories of documents it may not be possible to determine the extent or depth of required production until preliminary questions have been asked, or a preliminary level of production of a category of documents has been made.”
[30] The potential risk to the bank should the information and documents the plaintiff seeks find their way into the wrong hands, is significant. A confidentiality agreement or sealing order cannot alleviate the risk and cannot justify disproportionate document discovery. The claim, as pleaded, is restricted to specific transactions occurring over a 10-month period in the plaintiff’s account. At this stage in the proceedings, there is no evidence of a systemic problem or system-wide breach. Relevancy of the documents and specifications relating to the security applied to the bank’s website and application has not been established and moreover production of these documents if ordered would be disproportionate to the amount claimed and the potential risk to the defendant.
Disposition
[31] On consent, the disclosure requested in (i) and (iv) is hereby ordered. The disclosure requested in (ii) and (iii) is denied; however, the rights of the plaintiff to renew its request for discovery of these documents, or a subset of these documents, on better evidence establishing their relevance to an issue at trial and their proportionality to the size of this claim, at a later stage in these proceedings, is expressly reserved.
Costs
[32] If the parties are unable to agree on an appropriate award of costs, they shall abide by the following timetable for serving and filing their respective costs submissions:
(a) the defendant shall serve and file its submissions within 10 days;
(b) the plaintiff shall serve and file its submissions within 10 days thereafter; and
(c) any reply submissions shall be served and filed within 5 days thereafter.
“Justice A.K. Mitchell”
Justice A. K. Mitchell
Date: December 11, 2019
[^1]: R.R.O. 1990, Reg. 194.
[^2]: S.C. 2000, c. 5.
[^3]: Bombardieri v. Baldini, 2003 CarswellOnt 4405 (S.C.J.) at para. 6.
[^4]: Glowinsky v. Stephens & Rankin Inc., 1989 CarswellOnt 435 (Master) at para. 6.
[^5]: O. Reg 438/08, s. 26.
[^6]: O. Reg 438/08, s. 2.
[^7]: Rule 29.2.03, s. 25.
[^8]: Meuwissen, supra, at para. 48.
[^9]: 2002 SCC 56 at paras. 36-37.
[^10]: Ibid., at para. 82.
[^11]: 2005 CarswellOnt 671 (C.A.).
[^12]: 2002 CanLII 45516 (ONSC).
[^13]: 2009 CanLII 6838 (ONSC).

