Court Approves $23 Million Settlement Of Bank Cyber Breach Class Actions

• Published date: 03 May 2021
• Subject Matter: Litigation, Mediation & Arbitration, Privacy, Technology, Data Protection, Class Actions, Security
• Law Firm: Rogers Partners LLP
• Author: Mr Andrew Yolles

The Ontario Superior Court recently released joint decisions in Mallette v. Bank of Montreal, 2021 ONSC 2924, and Bannister v. Canadian Imperial Bank of Commerce, 2021 ONSC 2927, approving the settlement of both class actions arising from a data breach that occurred at BMO and CIBC in May of 2018.

Background

On May 28, 2018, both BMO and CIBC announced that hackers had breached their computer systems and stolen sensitive client information, including bank account numbers, balances, transaction histories, employment information, and in some cases birth dates and social insurance numbers. Some of this information was posted online. In total, 113,151 BMO customers and 10,101 CIBC customers were affected by this breach.

Upon appreciating this data breach, the banks took immediate action to notify their affected customers of the breach. Both banks committed to reimbursing their customers of any money stolen from their accounts through unauthorized online transactions, and offered the affected customers free credit monitoring and identity protection services. BMO confirmed that the cost it incurred for these services was $5.45 million.

Fraudulent transactions occurred following this data breach. BMO and CIBC reimbursed their clients for over $6.85 million and $1,786,517, respectively, of money stolen through these transactions.

Class actions were commenced against both BMO and CIBC on behalf of the affected customers. At certification, the plaintiffs led expert evidence from a cybersecurity expert, who opined on the industry standards and best practices for protection of electronically stored personal information. This expert further opined that reliable methods are available to assess the nature and extent of a cybersecurity breach.

The defendants led expert evidence on certification to the effect that the risk of economic loss to affected customers would be low, as well as psychological expert evidence to the effect that it was unlikely that the affected customers would suffer clinically significant psychological distress as a result of the data breach.

The parties reach an agreement during the certification process, and in October of 2020 sought consent certification for the purposes of settlement.

The Proposed Settlement

The parties' proposed settlement for court approval contemplated payment of over $9 million in fixed funds from BMO, and $1.16 million from CIBC, with potential aggregate settlement amounts of $21,223,075 and $1,769,425 from BMO and CIBC...