2017 has brought with it an increasing number of cyberattacks, resulting in significant data breaches directly affecting Canadians. While news of a new data breach is alarming on its own, the most recent data breaches have exposed highly sensitive data, much of which has been accessed by hackers before the breach is even detected.
Cyberattacks leave behind a wake of victims and aggrieved third-parties. Businesses that store their consumers’ personal information face an increased risk of liability and regulatory investigations when a data breach occurs. This post discusses a few sources of increased exposure for businesses.
Data Breaches on the Rise
This September, Equifax, an international consumer credit reporting agency, which also offers its own “Comprehensive Identity Theft Protection” services, learned that hackers gained access to its servers for a period of over two months. Hackers accessed consumers’ names, addresses, social insurance numbers, and credit card numbers.
Earlier this week, Uber Technologies Inc., the giant global transportation technology company, announced it suffered a massive data breach in 2016, exposing the personal information of almost 60 million users worldwide. The information exposed in the Uber data breach includes names, email addresses, phone numbers, and may include location history, credit card numbers and even social insurance numbers. We wrote about Uber’s breach in detail here.
Our increasing reliance on technology and its pervasiveness in our lives means we are storing more and more information in the ‘cloud’, much of which is highly sensitive and vulnerable to being exposed.
Not surprisingly, one report cites Canada as having the third highest number of data breaches this year, behind only the United States and the United Kingdom. The true number of how many data breaches have occurred may be significantly higher as there is currently no mandatory requirement to report a data breach. As such, statistics highlighting the total number of Canadian data breaches only include those companies that are willing to disclose their breaches.
As data breaches affecting Canadians continue to rise, businesses – including Canadian subsidiaries of international organizations – will need to ensure they have taken adequate measures to protect their business and consumers from a cyberattack. Failure to take cybersecurity seriously can result in catastrophic consequences for your business.
The prevalence of data breaches over the past few years brings with it increased scrutiny and liability for businesses that store their consumers’ personal information. When a cyberattack occurs, businesses face liability on a number of fronts, including claims by consumers whose information has been exposed, and investigations by provincial and national regulators.
Consumers whose personal information was unknowingly accessed and exposed during a cyberattack are an obvious source of liability for businesses. Consumers may commence an action for any number of causes including, negligence, breach of contract, misrepresentation, and invasion of privacy.
A recent case from the Ontario Court of Appeal confirmed the existence of the tort of “intrusion upon seclusion”, and held that victims need not prove actual loss in establishing the cause of action. The court also held that damages for the tort may be up to $20,000 for each victim. Given the large number of victims from a data breach, the damages a business will face could be significant.
Litigation arising from a data breach can be costly. Equifax is facing two class actions in Canada, one of which is seeking $550 million in damages. While the full extent of Uber’s liability is not yet known, the company is already facing a class action lawsuit in California, and investigations from regulators in the United Kingdom, Italy, and the United States. The 2015 data breach of Ashley Madison has resulted in one Canadian class action seeking $760 million in damages for exposing consumers’ personal data.
In addition to increased liability from litigation, businesses that suffer a cyberattack are exposed to regulatory investigations, as the Uber breach demonstrates, in any jurisdiction where their consumers reside.
In Canada, public companies may face scrutiny from provincial securities regulators, and all businesses, regardless of whether they are publicly listed, may be investigated by federal agencies, including the Competition Bureau and The Office of the Privacy Commissioner of Canada. While the remedies and orders from regulators may differ, businesses can be sure that in the event of a data breach they will face increased scrutiny from some, or all, of these agencies.
Implications for Canadian Businesses
As the number of cybersecurity breaches continues to rise, it is incumbent upon businesses to take measures to protect the personal information of its consumers. Businesses who are not cyber-ready will suffer the consequences in the likely event they are targeted by a cyberattack.
To ensure your business has implemented adequate precautionary measures, and to coordinate efforts after discovering a data breach, it is essential to retain experienced counsel. Involving counsel at the outset can ensure compliance with notification and reporting obligations, as well as provide strategic guidance in dealing with the consequences of a data breach.
By: David Cassin
 Equifax Statement: <https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628>.
 Uber Statement: < https://www.uber.com/newsroom/2016-data-incident/>.
 Risk Based Security, Data Breach Intelligence 2017 Mid-Year Report, <https://pages.riskbasedsecurity.com/hubfs/Reports/2017%20MidYear%20Data%20Breach%20QuickView%20Report.pdf> at 10.
 Jones v Tsige, 2012 ONCA 32 at paras 65, 74.
 Eliot Shore v Avid Life Media Inc., Statement of Claim, Court File No. CV-15-22622CP.