Court Approves $23 Million Settlement Of Bank Cyber Breach Class Actions

• Published date: 03 May 2021
• Subject Matter: Litigation, Mediation & Arbitration, Privacy, Technology, Data Protection, Class Actions, Security
• Law Firm: Rogers Partners LLP
• Author: Mr Andrew Yolles

The Ontario Superior Court recently released joint decisions in Mallette v. Bank of Montreal, 2021 ONSC 2924, and Bannister v. Canadian Imperial Bank of Commerce, 2021 ONSC 2927, approving the settlement of both class actions arising from a data breach that occurred at BMO and CIBC in May of 2018.

Background

On May 28, 2018, both BMO and CIBC announced that hackers had breached their computer systems and stolen sensitive client information, including bank account numbers, balances, transaction histories, employment information, and in some cases birth dates and social insurance numbers. Some of this information was posted online. In total, 113,151 BMO customers and 10,101 CIBC customers were affected by this breach.

Upon appreciating this data breach, the banks took immediate action to notify their affected customers of the breach. Both banks committed to reimbursing their customers of any money stolen from their accounts through unauthorized online transactions, and offered the affected customers free credit monitoring and identity protection services. BMO confirmed that the cost it incurred for these services was $5.45 million.

Fraudulent transactions occurred following this data breach. BMO and CIBC reimbursed their clients for over $6.85 million and $1,786,517, respectively, of money stolen through these transactions.

Class actions were commenced against both BMO and CIBC on behalf of the affected customers. At certification, the plaintiffs led expert evidence from a...