Federal Court Of Canada Certifies Privacy Breach Class Action

Published date: 30 September 2022
Subject Matter: Litigation, Mediation & Arbitration, Privacy, Privacy Protection, Class Actions
Law Firm: Lerners
Author: Lerners Lawyers

Sweet v Canada,1 is the latest privacy class action to be certified by the Federal Court of Canada. In this case, the data breach arose from a cybersecurity incident involving Government of Canada online accounts, which were accessed by hackers who then fraudulently applied for COVID-19 benefits on behalf of tens of thousands of Canadians. The decision is noteworthy because it is the first to certify a class action against the government for its negligent failure to safeguard personal and financial data from third-party hackers.

The decision in Sweet v Canada implies that public and private entities may yet be held accountable for third-party data breaches.2 Ontario courts have thus far been reluctant to certify class actions (or to uphold certification on appeal) where the underlying breach of privacy was the result of third-party wrongdoing.3 As such, this decision may have implications for the future of privacy class action jurisprudence in Canada.

BACKGROUND

In the summer of 2020, thousands of Government of Canada online accounts were the subject of a "credential stuffing attack" by hackers, predominantly targeting the Canada Revenue Agency ("CRA") and Employment and Social Development Canada ("ESDC") as a means of fraudulently applying for COVID-19 relief benefits. This form of cyber attack relies on the use of stolen credentials (username and password) from one system to attack another system and gain unauthorized access to an account. It relies on people reusing the same username and password combinations across several services, combinations that a hacker can then sell. Credential stuffing usually refers to the attempt to gain access to many accounts through a web portal using an automated bot system rather than manually entering the credentials.4

The Plaintiff claimed that he logged in to his CRA online account after receiving emails notifying him that his email address had been removed from his account. He discovered that his direct deposit information had been changed and that an unknown and unauthorized individual had made four applications for the Canada Emergency Response Benefit ("CERB"), a program initiated by the Government of Canada as part of COVID-19 relief efforts, to provide financial assistance to qualifying Canadians.5

The Plaintiff sought to represent a class of thousands of Canadians whose online Government of Canada accounts were vulnerable to hackers from approximately June to August of 2020, due to what the Plaintiff alleges were operational failures by the Defendant, Her Majesty the Queen (as representative of the Government of Canada), to properly secure the online portals providing access to these accounts. The Plaintiff alleged that, by obtaining unauthorized access to those accounts, hackers were able to commit identity theft and CERB fraud and access sensitive and personal information (e.g., Social Insurance Numbers, direct deposit banking information, tax information, dates of birth, records of employment, information regarding employment insurance, and other benefits information).6

...
