Sweet v Canada is the latest privacy class action to be certified by the Federal Court of Canada. In this case, the data breach arose from a cybersecurity incident involving Government of Canada online accounts, which were accessed by hackers who then fraudulently applied for COVID-19 benefits on behalf of tens of thousands of Canadians. The decision is noteworthy because it is the first to certify a class action against the government for its negligent failure to safeguard personal and financial data from third-party hackers.
The decision in Sweet v Canada implies that public and private entities may yet be held accountable for third-party data breaches. Ontario courts have thus far been reluctant to certify (or to uphold certification on appeal of) class actions where the underlying breach of privacy was the result of third-party wrongdoing. As such, this decision may have implications for the future of privacy class action jurisprudence in Canada.
In the summer of 2020, thousands of Government of Canada online accounts were the subject of a “credential stuffing attack” by hackers, predominantly targeting the Canada Revenue Agency (“CRA”) and Employment and Social Development Canada (“ESDC”) as a means of fraudulently applying for COVID-19 relief benefits. This form of cyber attack uses credentials (username and password) stolen from one system to attack another system and gain unauthorized access to an account. It succeeds because many people reuse the same username and password combination across several services, so a list of credentials stolen from one service, which hackers can also sell, will often open accounts on others. Credential stuffing usually refers to the attempt to gain access to many accounts through a web portal using an automated bot system rather than manually entering the credentials.
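Because a credential stuffing attack replays many different stolen username/password pairs through the same portal, it leaves a characteristic trace in authentication logs: one source sending a burst of attempts for many distinct accounts, most of which fail, with the occasional success marking an account that has just been taken over. The following is an added example written for this post, not code from the decision or from any Government of Canada system; the log line format, the sample IP addresses and user names, and the thresholds (five distinct users and an 80% failure rate within a five-minute window) are all assumptions constructed for illustration.

```python
"""
Heuristic detection of credential stuffing in web-portal authentication logs.

Added example with a constructed log format; the thresholds are assumptions a
defender would tune to their own portal's normal traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: one source (203.0.113.5) cycles through eight
# different accounts in a few seconds, mostly failing; another source is a
# single user mistyping a password; the third is two normal logins behind NAT.
SAMPLE_LOG = """\
2020-07-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2020-07-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2020-07-01T10:00:03Z src=203.0.113.5 user=carol result=SUCCESS
2020-07-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2020-07-01T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2020-07-01T10:00:06Z src=203.0.113.5 user=frank result=FAIL
2020-07-01T10:00:07Z src=203.0.113.5 user=grace result=FAIL
2020-07-01T10:00:08Z src=203.0.113.5 user=heidi result=FAIL
2020-07-01T10:01:00Z src=198.51.100.7 user=alice result=FAIL
2020-07-01T10:01:20Z src=198.51.100.7 user=alice result=FAIL
2020-07-01T10:01:40Z src=198.51.100.7 user=alice result=FAIL
2020-07-01T10:02:00Z src=198.51.100.7 user=alice result=SUCCESS
2020-07-01T10:05:00Z src=192.0.2.9 user=ivan result=SUCCESS
2020-07-01T10:06:00Z src=192.0.2.9 user=judy result=SUCCESS
"""

# Assumed log format: "<timestamp> src=<ip> user=<name> result=FAIL|SUCCESS".
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, user, success) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        match = LINE_RE.match(line) if line else None
        if not match:
            continue  # skip blank or malformed lines rather than abort the scan
        ts, src, user, result = match.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, src, user, result == "SUCCESS"))
    return events


def detect_credential_stuffing(text, window=timedelta(minutes=5),
                               min_distinct_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts with a high failure rate.

    For each source IP, events are scanned with a sliding window; a window is
    reported when it contains at least `min_distinct_users` different user
    names and at least `min_fail_ratio` of the attempts failed. Successful
    logins inside a flagged window are listed as candidate compromised
    accounts, which is what an incident responder needs first.
    """
    by_src = defaultdict(list)
    for event in parse_log(text):
        by_src[event[1]].append(event)

    findings = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        i = 0
        while i < len(events):
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            chunk = events[i:j]
            users = {e[2] for e in chunk}
            failures = sum(1 for e in chunk if not e[3])
            ratio = failures / len(chunk)
            if len(users) >= min_distinct_users and ratio >= min_fail_ratio:
                findings.append({
                    "src": src,
                    "window_start": chunk[0][0].isoformat(),
                    "attempts": len(chunk),
                    "distinct_users": len(users),
                    "failures": failures,
                    "fail_ratio": round(ratio, 3),
                    "compromised_candidates": sorted(e[2] for e in chunk if e[3]),
                })
                i = j  # do not report overlapping windows for the same source
            else:
                i += 1
    return findings


if __name__ == "__main__":
    for finding in detect_credential_stuffing(SAMPLE_LOG):
        print(finding)
```

Only the first source is reported: the single user retrying one password and the two unrelated successful logins do not meet the distinct-user threshold. In practice the same signal is computed across many sources at once, since stuffing tools spread attempts over proxy networks, and the candidate accounts (here, carol) are the ones whose direct deposit and contact details should be reviewed and whose sessions should be invalidated.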
The Plaintiff claimed that he logged in to his CRA online account after receiving emails notifying him that his email address had been removed from his account. He discovered that his direct deposit information had been changed and that an unknown and unauthorized individual had made four applications for the Canada Emergency Response Benefit (“CERB”), a program initiated by the Government of Canada as part of COVID-19 relief efforts, to provide financial assistance to qualifying Canadians.
The Plaintiff sought to represent a class of thousands of Canadians whose online Government of Canada accounts were vulnerable to hackers from approximately June to August of 2020, due to what the Plaintiff alleges were operational failures by the Defendant, Her Majesty the Queen (as representative of the Government of Canada), to properly secure the online portals providing access to these accounts. The Plaintiff alleged that, by obtaining unauthorized access to those accounts, hackers were able to commit identity theft and CERB fraud and access sensitive and personal information (e.g., Social Insurance Numbers, direct deposit banking information, tax information, dates of birth, records of employment, information regarding employment insurance, and other benefits information).
The test for certification in a proposed class action before the Federal Court is set out in Rules 334.16(1) and (2) of the Federal Court Rules. The certification test is similar to the s. 5(1) criteria set out in Ontario’s Class Proceeding Act, 1992 and provides that a judge shall certify a proceeding as a class proceeding if: (a) the pleadings disclose a reasonable cause of action; (b) there is an identifiable class of two or more persons; (c) the claims of the class members raise common questions of law or fact, whether or not those common questions predominate over questions affecting only individual members; (d) a class proceeding is the preferable procedure for the just and efficient resolution of the common questions of law or fact; and (e) there is a representative plaintiff or applicant who (i) would fairly and adequately represent the interests of the class, (ii) has prepared a plan for the proceeding that sets out a workable method of advancing the proceeding on behalf of the class and of notifying class members as to how the proceeding is progressing, (iii) does not have, on the common questions of law or fact, an interest that is in conflict with the interests of other class members, and (iv) provides a summary of any agreements respecting fees and disbursements between the representative plaintiff or applicant and the solicitor of record. 
Cause of Action
The pleadings assert that the measures taken by the Defendant in the latter part of 2020 to protect its databases, systems, and other relevant online accounts should have been taken prior to the unauthorized data breaches and that the Defendant’s breaches caused the Plaintiff and proposed Class harm and ongoing damages, including distress, anxiety, mental anguish, lost time, lost opportunities, and out-of-pocket expenses. With respect to the cause of action criterion, the court concluded the pleadings disclosed a reasonable cause of action in the tort of negligence, breach of confidence, and intrusion upon seclusion.
From a privacy perspective, it is most notable that the court distinguished the present case from the Federal Court of Appeal’s decision in Canada v John Doe, in which it was held that the necessary elements of the privacy tort had not been pleaded. The case was differentiated on the basis that, in the case herein, the Plaintiff expressly pleaded recklessness on the part of the Defendant in ignoring reports by Class Members and service providers such as accounting and investment firms of unauthorized data breaches of Class Members’ online Government accounts. The court found this was sufficient to disclose a reasonable cause of action in intrusion upon seclusion, if recklessness in failing to prevent a data breach by a third party is legally sufficient to support this tort. The court noted, “Whether such recklessness is indeed legally sufficient is the question which remains unsettled” and, given that there was some potential support for the Plaintiff’s position in the jurisprudence of the Federal Courts, the court concluded that the cause of action in intrusion upon seclusion was not bound to fail.
With respect to the class criteria, the court was satisfied there was a class extending to two or more persons and revised the proposed class definition to include an end date of December 31, 2020, selected by reference to evidence as to when the deficiencies in the Defendant’s system as alleged by the plaintiff were addressed.
With respect to the common issues, the court certified 7 of the 8 proposed common issues (rejecting the proposed common issue as to punitive damages as the plaintiff had not referred to any evidence to support a basis in fact related to punitive damages):
A. Did the Defendant owe the Class a duty of care?
B. If so, what was the applicable standard of care?
C. Did the Defendant breach the applicable standard of care?
D. Did the Defendant’s breach of duty cause damage to the Class?
Breach of Confidence
A. Is the Defendant liable for the tort of breach of confidence vis-à-vis Class Members?
Intrusion Upon Seclusion
A. Is the Defendant liable for the tort of intrusion upon seclusion vis-à-vis Class Members?
A. Can the Court make an aggregate assessment of all or part of the damages suffered by Class Members and, if so, in what amount?
With respect to the preferable procedure criterion, the court noted the Defendant had offered no alternative to the class action mechanism. In the absence of a class action, the court noted that the only apparent option for claimants who would otherwise be Class Members would be to bring individual actions against the Defendant. Based on the nature of the damages claimed, the court concluded that such actions would likely be uneconomic, effectively leaving claimants with no alternative at all. In assessing the three goals of class proceedings (access to justice, judicial economy, and behaviour modification), the court found the action met all three:
Access to justice is achieved in circumstances where such access would otherwise likely be unavailable due to the applicable economics. Judicial economy is achieved because there are at least some aspects of the litigation that can be advanced in common and, therefore, will not require repetition multiple times. By way of example, evidence surrounding the Defendant’s policies, practices, and the manner in which the 2020 cyber incidents occurred can be adduced only once rather than potentially thousands of times. With respect to the goal of behaviour modification, the Defendant submits that it followed all appropriate steps once it learned it was the victim of a breach and that behaviour modification, therefore, has no application. I agree with the Plaintiff’s response to this argument. Behaviour modification is intended to prevent breaches from occurring in the first place by creating the motivation to take proactive steps to avoid such events.
Representative Plaintiff and Litigation Plan
Finally, the court concluded that the proposed representative Plaintiff was appropriate, satisfying the final certification criterion. While the court noted the Plaintiff’s litigation plan was “relatively generic and does not engage in any substantive way with the potential need to address the common questions in a nuanced manner or otherwise address the potential issues upon which many of the defendant’s arguments focus,” the court was not convinced the plan was so inadequate that it should decline to certify the class proceeding, recognizing the relative threshold that applies to this requirement.
As fraud and cyber-attacks become more common in today’s online world, an influx of proposed privacy class actions has followed and will inevitably continue to follow. While the number of actions commenced has increased, only a few privacy class action cases have made it past the certification motion stage, with many proposed privacy class actions ultimately being denied certification. We discussed recent cases where certification of proposed privacy class actions was denied in our earlier blog post.
As the certification judge undertook in this case, the court will look critically at the individual facts of the case against the certification criteria and, where appropriate, distinguish the case from the growing body of privacy jurisprudence. Here the court accepted that not all online Government of Canada accounts that were accessed in the data breaches would necessarily have contained sensitive information and that some Class Members’ accounts suffered a higher level of intrusion than others. However, the court was reluctant to find that these potential differences among Class Members’ claims amounted to an impediment to certification. Where individual issues may arise, the court noted the procedural mechanism afforded under Federal Court Rule 334.26 could address the determination of any individual issues that may remain following a judgement on the common issues.
For potential defendants, regardless of whether an action is brought as a class proceeding or not, this case will be one to watch on the question of whether a person or entity that holds personal information can be liable for intrusion upon seclusion when it suffers a cyber attack, if it has been reckless or has acted in bad faith in its efforts to protect the data.
The Privacy Law lawyers at Lerners represent clients in civil litigation and in matters before the Information and Privacy Commissioner of Ontario and the Office of the Privacy Commissioner of Canada. They also provide advice in response to a privacy breach or in the development of risk mitigation strategies, such as policies, best practices, and insurance.
*Special thanks to articling student Miranda Brar for her assistance in preparing this article.