Cyberattacks and privacy breaches: How companies can mitigate risks linked to privacy class actions

Leading litigators provide practical advice to reduce exposure from an online breach

Canada continues to experience a significant volume of privacy class action litigation. For more than a decade, this activity has largely been fueled by a rise in privacy breaches caused by cyberattacks and the potential for plaintiffs to obtain a significant award of damages for a breach of privacy without the need to prove harm or loss (as is required in torts such as negligence).

From a defence perspective, there have now been some helpful developments in the case law. However, plaintiffs continue to bring these cases and to advance creative new ways of framing their claims, including targeting not only cyber breaches but also ordinary course business practices that are alleged to constitute an invasion of privacy.

As artificial intelligence and a wide range of organizations’ activities are increasingly driven by large volumes of data, including personal information, privacy breaches and class action litigation will continue to be key risks. This article discusses a range of practical steps to mitigate these risks.

Read more: When would an organization need a privacy breach lawyer?

 

Overview of Canada’s common law privacy class action landscape

When considering a privacy class action, a prospective plaintiff will evaluate various factors, such as the sensitivity of the information and the number of class members. The plaintiff will also consider the organization’s response to an incident, including public statements, timing and content of notification to individuals, provision of credit monitoring or other mitigation steps. Privacy class action caselaw is of course also a significant factor. 

For more than a decade, Canada saw a significant increase in privacy class actions. In many cases, claims were commenced after an organization announced that it was the victim of a data breach in which unauthorized third parties gained access to information held by the organization.  Plaintiffs typically sought to affix liability for the hackers’ intrusive actions on the targeted organization (often referred to as “database defendants”), alleging that the organization should have done more to safeguard the information it held. Plaintiffs have historically sought to advance two general categories of claims:

  • claims for compensatory damages on behalf of individuals who are alleged to have experienced pecuniary loss following a privacy incident; and
  • privacy tort claims, such as intrusion upon seclusion and statutory torts, seeking “moral” damages—a form of damages that may be awarded without proof of pecuniary loss—on behalf of individuals whose information was subject to unauthorized access.

The novelty of many of these claims resulted in motion judges—at times reluctantly—certifying such claims to allow them to be tried on their merits. However, in most cases these actions were settled, resulting in an undesirable state of legal uncertainty in which novel privacy class actions claims were certified but were never tried.

Over the last two years, Canadian appellate courts have provided some much-needed guidance. For instance:

  • In 2022, the Ontario Court of Appeal released a trilogy of decisions that settled that the tort of intrusion upon seclusion is not actionable against database defendants based solely on an alleged failure to prevent an independent third party (e.g. a hacker) from gaining unauthorized access to information held by the defendant.
  • In 2023, the Alberta Court of Appeal held that a negligence claim cannot be sustained based on the plaintiff’s novel “first loss” damages theory that, if recognized, would have allowed the class to recover compensable damages based solely for the fact that information was subject to unauthorized access.
  • In 2024, the Ontario Court of Appeal struck out a negligence claim against a database defendant that sought to recover, among other things, alleged losses in the form of out-of-pocket costs and inconvenience. The plaintiffs had asserted that the defendant owed the class a duty of care to protect against these pure economic losses because their claims fell within the proximity category of “negligent performance of a service”. The appellate court rejected this argument, finding that the pleading failed to identify any services undertaken by the defendant specific to the information it had collected from the plaintiffs.

Despite the developments above, plaintiffs continue to bring privacy class actions. Plaintiffs have pursued other causes of action, such as breach of confidence, breach of honest performance, appropriation of financial personality and breach of warranty, in some cases without success. Plaintiffs have also tried to seek disgorgement or restitution to avoid having to demonstrate proof of loss, and they will also likely continue seeking remedies for breach of consumer protection legislation or breach of contract. 

Some plaintiffs have focused claims for breach of privacy in the jurisdictions, namely British Columbia, Saskatchewan, Manitoba, and Newfoundland and Labrador, which have a statutory tort of invasion of privacy. The British Columbia Court of Appeal has recently certified such a cause of action against a database defendant in a third-party hacking case, with the result that the availability of that claim will be determined at trial.

Cyberattacks that lead to privacy breaches remain a focus for plaintiffs. However, an increasing number of class actions have been brought against defendants for what many would consider ordinary business practices. For example, plaintiffs have brought claims alleging that an organization’s collection, use or disclosure of personal information without adequate consent or disclosures to individuals constitutes an intentional invasion of privacy for which moral damages or other remedies should be awarded.

Practical ways to mitigate risk during the response to a privacy breach

Organizations can take a range of steps during their response to a privacy breach to mitigate risks associated with class actions. Every step during the response process should be taken with the expectation that litigation may arise and that actions will be subject to scrutiny not only by stakeholders, the public and regulators but also by a plaintiff and the courts. The following are examples of key considerations to mitigate risk:

  • Conduct a robust investigation: Take the time to conduct a robust and defensible investigation with competent third-party experts to ensure that there is certainty about the facts and extent of exposure. All other steps flow from the investigation and it is important to get it right. Reliance on partial facts and cutting corners may cause an organization to overestimate or underestimate the scope of impact, which can increase litigation risk and create serious problems in litigation.
  • Implement and enforce a privilege protocol: In the wake of a cyberattack or privacy breach, it is crucial that organizations take steps to protect documents under privilege where appropriate. For example, as an organization seeks legal advice regarding its proposed communications about an incident or as it engages a third-party forensic investigator, privilege should be claimed and maintained in respect of such documents where appropriate. Forensic investigations are typically undertaken to assist legal counsel in providing advice to the organization and in anticipation of proceedings. Privilege should also be considered in relation to ordinary course cyber risk assessments.
  • Communicate with care: Be mindful of all internal and external communications about the incident, particularly in respect of how they may be viewed by stakeholders or a plaintiff after the fact. While it is important to communicate in many cases, organizations must not make misrepresentations about an incident and should not overcommit to facts or assurances without foundation.
  • Modify practices with litigation impacts in mind: During the investigation of an incident, areas for potential improvement of security, or areas for improvement regarding privacy are often identified. For example, it is common that organizations will identify that a large amount of personal information had been retained for an extended period of time, without the organization having specifically considered whether it was necessary to do so. However, before rushing to conclude that the retention was improper or that information should be purged, each of which may have adverse impacts in litigation, organizations should obtain legal advice to carefully consider whether the retention of information was defensible and to assess whether the information should be preserved to defend litigation. In cases where it is appropriate to modify practices, this should be done with care and on the advice of legal counsel to mitigate potential litigation impacts.
  • Manage regulatory requirements with care: In many cases, organizations are required to report incidents to privacy commissioners and other regulators, and to notify individuals about privacy breaches pursuant to privacy laws. In assessing and fulfilling these requirements, organizations should keep potential litigation impacts in mind. For example, if there is no evidence of a privacy breach, but only the potential that privacy may have been breached, organizations should think carefully about whether there is any requirement to notify individuals or report to regulators. Voluntary notification to a group may increase the likelihood of litigation and establish a potential class for the purposes of a class action. Examples of other considerations include:
    • Regulator communications: Information communicated to a privacy commissioner or other regulator may be made public by the regulator or may be sought by a plaintiff in litigation. Carefully consider all statements made and whether it may be appropriate to, for example, reserve rights and make no admissions in respect of whether the incident gives rise to a “real risk of significant harm”.  
    • Notifications: Notifications must sufficiently describe the information involved in an incident to meet privacy requirements. In determining the wording to be used, consideration should also be given to the risk the plaintiffs may accuse the organization of downplaying or misrepresenting the breach or failing to adequately inform individuals, putting them at greater risk or giving rise to additional causes of action.
    • Credit monitoring and other steps: While it is important to offer credit monitoring to relevant individuals in some cases and to explain to individuals the steps that they can take to protect their information, legal advice should be sought with respect to these decisions and the wording used. Plaintiffs may seek to use these steps against the organization in litigation.
  • Exercise diligence with insider attacks and breaches: Malicious insider attacks and privacy breaches present a unique set of risks. Vicarious liability law means that organizations face increased class action risk and greater exposure for the conduct of employees who perpetrate privacy breaches. Insider breaches can also put the spotlight on the adequacy of a wide range of practices, policies and controls, including background checks, access permissions and training. This heightened risk should drive a high standard of care throughout the investigation and response to insider incidents; it should also influence decisions about whether to take steps such as interviewing a suspected insider, demanding production of personal devices, handing the matter over to law enforcement and/or seeking an Anton Piller order and suing the employee.

Mitigating risk through privacy policies, disclosures and consents

Canadian privacy laws, such as the Personal Information and Protection of Electronic Documents Act (“PIPEDA”), require that organizations make available information about their policies and practices. Privacy policies are typically designed and implemented with the aim of compliance with privacy law.

Privacy policies can play an important role in mitigating risks associated with privacy class actions. Canadian courts have recognized that privacy policies can form contracts, potentially exposing organizations to civil liability if breached. When drafting privacy policies, organizations should balance applicable regulatory requirements with the need to limit potential exposure to civil liability. Several important considerations include:

  • Ensure accuracy: Some organizations include terms in their privacy policies that exceed applicable regulatory requirements or that are not accurate. For example, an organization subject to PIPEDA could include a term in its privacy policy guaranteeing that the personal information of consumers will not be subject to unauthorized access, even though PIPEDA requires only that organizations implement “security safeguards appropriate to the sensitivity of the information”. While subjective statements, e.g., “we take privacy seriously”, are typically not actionable contractual terms, organizations should exercise care when making any promises or when incorporating objective standards, e.g., “we protect your information through industry-leading security systems”.
  • Exercise care when referencing statutes: Some privacy policies expressly incorporate applicable privacy or other statutes, such as PIPEDA, by reference, in whole or in part. In such cases, the statute may be held to form part of the contract, meaning that a plaintiff could allege that a breach of the legislation could give rise to a breach of contract claim. Organizations should carefully consider whether to include statutory references in their privacy policies and to ensure that any such references are appropriately qualified.
  • Obtain “Meaningful Consent”: PIPEDA requires that organizations obtain consent when collecting personal information. In recent years, there have been an increasing number of class actions commenced based on alleged breaches of PIPEDA’s consent requirements. Plaintiffs allege that the collection, use or disclosure of personal information without meaningful consent is actionable under various causes of action, including privacy torts. Organizations should carefully review consents to ensure that they are compliant with PIPEDA. Consideration should be given to ensuring that consents contain appropriate language that explains risks to individuals, including the risk of cyberattacks or unauthorized disclosures. This may also help respond to plaintiff allegations that information would not be the subject of unauthorized access.
  • Review data retention policies and practices: PIPEDA requires that organizations destroy or anonymize personal information once it is no longer reasonably required to fulfil the purpose for which it was collected. Retention is determined based on the uses for which the information was collected. Organizations should carefully consider the uses when collecting personal information to ensure that they are able to lawfully retain personal information for as long as reasonably necessary to fulfil those purposes.

Privacy class actions remain a significant risk

Privacy breaches continue to proliferate in Canada. While changes to the law have reduced defendants’ potential exposure for privacy breaches in some cases, plaintiffs continue to bring privacy class actions and to advance novel claims. Privacy class actions will continue to represent a significant risk for organizations in Canada, particularly considering the increased adoption of data-driven technologies and practices, including artificial intelligence. As described in this article, it is critical for organizations to mitigate risks of privacy class actions through sound incident response practices and effective data governance and compliance practices.

***

Laura Cooper is an accomplished class action litigator with extensive experience defending complex cases. She is highly regarded and widely recognized as a leader in the area.  Laura regularly represents global clients in a wide variety of industries and has been lead counsel on groundbreaking privacy law class actions, representing major companies from around the world.   Laura is Chair of Fasken’s firm-wide Litigation and Dispute Resolution group.

***

Alex Cameron is widely recognized as one of Canada’s leading cybersecurity and privacy lawyers. Alex is consistently sought out in these areas by clients from all industry sectors, including numerous Fortune 100 and 500 companies. He has helped clients respond to large-scale cybersecurity attacks and he has acted as lead counsel in defence of some of the most significant cybersecurity class action litigation matters in Canada. In recognition of his expertise, Alex has received a doctoral degree in the field of privacy law and prestigious commissions from the Office of the Privacy Commissioner of Canada. He is consistently ranked in the highest band in the legal rankings guides Chambers, Who’s Who Legal, Lexpert and The Best Lawyers in Canada. He was recognized by his peers as the Privacy and Data Security Law “Lawyer of the Year” in Toronto in The Best Lawyers in Canada 2024.

***

Pavel Sergeyev is a partner in Fasken’s litigation and dispute resolution group. His practice focuses primarily on the defence of complex, multijurisdictional class action proceedings, and he has represented multinational clients in some of Canada’s most significant and precedent-setting privacy class action matters.  Pavel has been recognized as a “Rising Star” (2023, 2024) and as a “Next Generation Partner” (2025) in dispute resolution in The Legal 500’s Canadian rankings, and as “One to Watch” in Corporate and Commercial Litigation in Best Lawyer’s 2025 Canadian rankings.