The Ontario Superior Court recently released joint decisions in Mallette v. Bank of Montreal, 2021 ONSC 2924, and Bannister v. Canadian Imperial Bank of Commerce, 2021 ONSC 2927, approving the settlement of both class actions arising from a data breach that occurred at BMO and CIBC in May of 2018.
On May 28, 2018, both BMO and CIBC announced that hackers had breached their computer systems and stolen sensitive client information, including bank account numbers, balances, transaction histories, employment information, and in some cases birth dates and social insurance numbers. Some of this information was posted online. In total, 113,151 BMO customers and 10,101 CIBC customers were affected by this breach.
Upon discovering this data breach, the banks took immediate action to notify their affected customers. Both banks committed to reimbursing their customers for any money stolen from their accounts through unauthorized online transactions, and offered the affected customers free credit monitoring and identity protection services. BMO confirmed that the cost it incurred for these services was $5.45 million.
Fraudulent transactions occurred following this data breach. BMO and CIBC reimbursed their clients for over $6.85 million and $1,786,517, respectively, of money stolen through these transactions.
Class actions were commenced against both BMO and CIBC on behalf of the affected customers. At certification, the plaintiffs led expert evidence from a cybersecurity expert, who opined on the industry standards and best practices for protection of electronically stored personal information. This expert further opined that reliable methods are available to assess the nature and extent of a cybersecurity breach.
The defendants led expert evidence on certification to the effect that the risk of economic loss to affected customers would be low, as well as psychological expert evidence to the effect that it was unlikely that the affected customers would suffer clinically significant psychological distress as a result of the data breach.
The parties reached an agreement during the certification process, and in October of 2020 sought consent certification for the purposes of settlement.
The Proposed Settlement
The parties’ proposed settlement for court approval contemplated payment of over $9 million in fixed funds from BMO, and $1.16 million from CIBC, with potential aggregate settlement amounts of $21,223,075 and $1,769,425 from BMO and CIBC respectively.
Class members are to be grouped according to whether their birth dates and social insurance numbers were accessed, whether their information was posted online, and whether they experienced unauthorized transactions on their accounts. For the BMO action, settlement funds will be paid out to claimants in each group according to a fixed amount for each group, as well as an additional claimable amount based on the amount of time each claimant spent addressing the data breach. In the CIBC action, payment will be made in a fixed amount for claimants in each group.
The basis of the compensation to be provided to the different groups of class members, depending on their level of privacy breach, is specified to be primarily for time spent addressing issues arising from the data breach, at a rate of $18/hour up to fixed maximums. An “inconvenience” amount is also provided to the most adversely affected group of claimants, those whose birth dates and social insurance numbers were posted online.
The Court’s Analysis
In considering whether to approve the proposed settlement, Justice Smith noted that the court must examine the fairness and reasonableness of the proposed settlement, and whether it is in the best interests of the class as a whole. Citing Mancinelli v. Royal Bank of Canada, 2016 ONSC 6953, His Honour noted that the settlement must fall within a “zone of reasonableness,” taking into account the following factors:
- the likelihood of recovery or likelihood of success;
- the amount and nature of discovery, evidence or investigation;
- the proposed settlement terms and conditions;
- the recommendation and experience of counsel;
- the future expense and likely duration of the litigation;
- the number of objectors and nature of objections;
- the presence of good faith, arm’s-length bargaining and the absence of collusion;
- the information conveying to the court the dynamics of, and the positions taken by, the parties during the negotiations; and
- the nature of communications by counsel and the representative plaintiff with class members during the litigation.
His Honour found that there is some risk to the success of the class in these cases. He noted that in Broutzas v. Rouge Valley Health System, 2018 ONSC 6315, Justice Perell had held that the disclosure of contact information did not qualify as information in which class members would have an expectation of privacy, and so was not actionable.
His Honour also noted that in Kaplan v. Casino Rama, 2019 ONSC 2025, Justice Belobaba had refused to certify a class action where a hacker stole the personal information of the defendant’s employees, customers, and suppliers, including names, addresses, dates of birth, social insurance numbers, bank account details, and photos, as there was no evidence that anyone had experienced fraud or identity theft as a result of this breach.
However, Justice Smith noted that in this case, there was evidence of theft from bank accounts, although the defendant banks had replaced the stolen money. His Honour also noted that whether a third-party hacker intrusion qualifies for the tort of intrusion upon seclusion, which he noted requires intentional or reckless conduct by the defendant, remains an outstanding issue.
Finally, Justice Smith also endorsed a decision of the Federal Court which had held that the quantum of damages in breach of privacy litigation is uncertain.
As a result of the foregoing analysis, Justice Smith approved the settlement in both class actions, finding the proposed settlement to be fair, reasonable, and in the best interest of the class.
Justice Smith’s analysis demonstrates that there is still a great deal of uncertainty in how damages are to be quantified in cyber breach cases. It is also unclear whether a third-party hacker intrusion may qualify for the tort of intrusion upon seclusion.