Cybersecurity Trends 2023: Navigating the Canadian Litigation Landscape

Blakes lawyers Nicole Henderson and Sahil Kesar outline essential strategies for risk mitigation

As the digital landscape continues to evolve, cybersecurity has emerged as a critical concern for businesses worldwide. Amid increasing data breaches and privacy concerns, companies are finding themselves at the intersection of technological innovation and litigation risks. This article delves into the latest trends in cybersecurity litigation in Canada, surfacing the inherent risks and outlining actionable strategies for risk mitigation.

Rising Challenges in Privacy Class Actions

In the ever-evolving cybersecurity landscape, privacy class actions in Canada have posed a significant challenge for plaintiffs. Despite a flurry of activity, certification has proven elusive. In 2021, five contested certification motions were dismissed across the country. In 2022, appellate courts upheld the denial of certification in two notable privacy class actions, Broutzas v. Rouge Valley Health System and Setoguchi v. Uber BV.

The primary hurdle? Lack of evidence demonstrating misuse of personal information or compensable harm. This trend not only underscores the growing complexity of cybersecurity litigation but also emphasizes the need for robust evidence to support claims.

Increasing Clarity About Intrusion Upon Seclusion

The Ontario Court of Appeal recently clarified the scope of intrusion-upon-seclusion claims. In Owsianik v. Equifax Canada Co. (Owsianik), the court ruled that this tort does not apply to a defendant who has been a victim rather than a perpetrator of a cyberattack.

Owsianik was part of a trilogy of rulings that clarified the scope of intrusion-upon-seclusion and confirmed that a defendant's alleged failure to prevent a privacy breach by an external party does not give rise to a claim under this tort. The plaintiffs in all three cases sought leave to appeal the Ontario Court of Appeal’s decision to the Supreme Court of Canada. Leave was denied in July 2023, which means that Owsianik remains binding precedent in Ontario (and a persuasive authority in other common law provinces).

Privacy Commissioner Investigations on the Rise

In 2022, federal and provincial privacy commissioners in Canada took an active role in investigating cybersecurity incidents, reflecting an increasing trend of cyber incidents bridging both private and public sectors. Significant attention was given to incidents involving private-sector service providers working with government institutions. These investigations underscore the active stance taken by privacy commissioners to ensure compliance with privacy laws.

Settlement Values Remain Low

Settlement values remained low in 2021, ranging from less than C$1 to C$100 per person affected, indicative of the significant litigation risk faced by plaintiffs. Alongside these modest individual settlements, there has been a growing trend of cy-près distributions, where funds are directed to non-profit organizations focusing on strengthening data privacy. Several court decisions have approved settlements with cy-près disbursement terms, reflecting a shift in focus from compensating individuals to supporting broader privacy-related initiatives.

Ransomware Attacks Evolving

Ransomware attacks declined, possibly due to the impact of the war in Ukraine on Russian-speaking threat-actor groups. However, litigation risks remain as threat actors evolve their tactics. These include "double extortion" (hackers encrypt systems and threaten to publish exfiltrated data to induce ransom payments) and applying external pressure on organizations, such as contacting employees, media, and executives, to induce payment. These newer tactics raise the profile of attacks, thereby increasing litigation risks.

Recouping Ransomware Costs

In early 2022, a landmark case set a precedent for future cybercrime sentencing and provided guidance on recouping ransomware costs.

The Ontario Court of Justice sentenced a hacker to six years and eight months in prison for conducting large-scale ransomware attacks, with 17 Canadian victims losing almost C$3-million. The court also ordered restitution to victims totaling over C$2.8-million.

The case emphasizes the need for Canadian organizations to take proactive steps in cybersecurity preparation to mitigate risks and losses.

Litigation Risks and Strategies

Businesses must be aware of the risks associated with cybersecurity litigation and implement risk mitigation strategies. This includes establishing robust cybersecurity protocols, regular security audits, and comprehensive incident response measures. Proactive risk management will continue to be essential as Canadian privacy and data protection laws governing both the public and private sectors are currently undergoing a transformation in response to growing threats to personal information.

Companies should consider measures such as investing in cybersecurity insurance, engaging legal counsel experienced in cybersecurity litigation, and ensuring compliance with data privacy laws and regulations. These strategies can mitigate litigation risk (including the attendant costs).

Takeaway

The cybersecurity landscape is fraught with potential litigation risks, but with strategic planning and proactive measures, businesses can effectively navigate these challenges. As privacy class actions and cybersecurity threats continue to evolve, staying abreast of trends and implementing robust risk mitigation measures will be crucial in minimizing potential legal repercussions.

***

Nicole Henderson is a Partner at Blake, Cassels & Graydon LLP in Toronto. She litigates class actions and other complex disputes, including in the areas of cybersecurity, product liability, and competition. She also practises public law, including constitutional, administrative, regulatory and freedom of information matters.

In her cybersecurity practice, Nicole frequently advises organizations dealing with a data breach or information security incident. She also represents defendants in privacy class actions and regulatory investigations arising out of cybersecurity incidents.

Sahil Kesar is an Associate at Blake, Cassels & Graydon LLP in Toronto. He maintains a diversified litigation and dispute resolution practice with a focus on domestic and international arbitrations, commercial litigation including public market, shareholder and other securities-related litigation, and class action litigation including product liability, negligence and other tort claims. He also advises clients on privacy, data breach and cybersecurity issues, and litigation considerations for corporate transactions. 
