CyberLex Insights on cybersecurity, privacy and data protection law

Category Archives: Data Breach


When Employees Go Rogue: Are Employers Vicariously Liable for the Privacy Breaches of Their Employees?

Posted in Class Actions, Data Breach, Privacy

Although there has not yet been a definitive answer to this question in Canada, based on recent UK case law, it appears increasingly likely that, at least in some circumstances, the answer may be “yes”. In Various Claimants v WM Morrisons Supermarket Plc, (Rev 1) [2017] EWHC 3113 (QB) (“Morrisons”), the High Court said that the supermarket chain… → Read More

Estonian Blockchain-Based ID Card Security Flaw Raises Issues About Identity

Posted in Cybersecurity, Data Breach, Identity

On August 30, 2017, an international team of security researchers notified the Estonian government of a security vulnerability affecting the digital use of Estonian ID cards issued to around half of the Estonian population. Affecting 750,000 ID cards issued to a population of 1.3 million, the Estonian Information System Authority (RIA) has taken measures to… → Read More

McCarthy Tétrault Advance™: 6th Annual Privacy Law Update (Nov. 2, 2016)

Posted in Cybersecurity, Data Breach, Privacy

Returning for a 6th year, our Annual Privacy Law Update will review what’s new in privacy law. This year’s focus is on the ‘hot button’ issue of employees – snooping, unauthorized access, misconduct and employee-caused breaches. As you have come to expect, this session will provide practical advice for navigating both common and complex privacy… → Read More

Federal Privacy Commissioner Provides Submission on New Data Breach Notification and Reporting Regulations

Posted in Data Breach, Legislation, Privacy, Regulatory Compliance

The Office of the Privacy Commissioner of Canada (“OPC”) has provided its views on the data breach reporting and notification requirements that are soon to be prescribed by regulation under the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (“PIPEDA”). On June 18, 2015, the Digital Privacy Act (also known as Bill S-4)… → Read More

Federal Court of Appeal Comments on New Tort of “Publicity Given To Private Life”, Overturns Certification Order

Posted in Class Actions, Data Breach

The Federal Court of Appeal has provided some guidance on the recently-recognized tort of intrusion upon seclusion and the as-yet-unrecognized tort of publicity given to private life. In a class action decision largely reversing a Federal Court certification order, 2016 FCA 191, the Court of Appeal suggested that recognition of the tort of publicity given… → Read More

Shareholder Derivative Lawsuit Against Target’s Directors and Officers Dismissed

Posted in Data Breach, Retailing

It has been an open question as to whether derivative claims brought by shareholders against officers and directors of a breached corporation would gain a foothold in the litigation environment. With the recent dismissal of such a claim in the Target case, it appears that these types of actions still face significant hurdles. The ruling… → Read More

Privacy Commissioner Releases Survey Results on Canadian Businesses

Posted in Data Breach, Privacy

Canadian businesses report increased knowledge of privacy issues, but little progress in implementing privacy policies or response plans for data breaches – placing them at risk for new enforcement activities and fines. The Office of the Privacy Commissioner of Canada (“OPC”) recently commissioned a telephone survey of 1,016 Canadian companies to find out how Canadian businesses fare… → Read More

Bank Robbery 2.0: SWIFT Issues Cybersecurity Warning Following Bangladesh Central Bank Theft

Posted in Cybersecurity, Data Breach, Financial

In the wake of a cyberattack in which over $850 million worth of transactions were affected and which implicated the security measures of major banking institutions on several continents, banks were reminded to review and follow their security measures. While Canadian financial institutions were not directly affected, the event (and the subsequent warning) serves as… → Read More

Data Breach Protection Services: Taxable in Canada?

Posted in Data Breach

A recent IRS announcement raises questions about how Canadian tax authorities will treat the free data protection services that organizations often provide in order to mitigate data breaches. Here’s a less-than-cheerful thought: data breaches are now more common and costly than ever before—and one of the most common ways of mitigating the damage, offering free… → Read More

New PIPEDA Data Breach Regulations Proposed

Posted in Data Breach, Privacy

On March 9, 2016, the Department of Innovation, Science and Economic Development Canada released a discussion paper on the new data breach regulations being proposed. The Ministry is accepting public submissions until May 31, 2016 on the proposed Data Breach Notification and Reporting Regulations. Background: The Digital Privacy Act (also known as Bill S-4), which… → Read More

From Government Surveillance to Federal Data Breaches: Privacy Commissioner Tables Annual Report

Posted in Cybersecurity, Data Breach, Privacy, Uncategorized

On December 10, 2015, the Annual Report of the Office of the Privacy Commissioner (“OPC”) on the Privacy Act for 2014-2015 was tabled in Parliament. The Annual Report provides details on privacy trends and investigations involving Canadian federal departments for the past year. Strategic Privacy Priorities Identified: In his opening message, Privacy Commissioner Daniel Therrien… → Read More

Back on Target? Quebec Class Action in Target Data Breach Not Dead Yet

Posted in Data Breach, Quebec

On March 23, 2015, the Superior Court of Québec (per Justice Pinsonnault) granted a motion by Defendant Target Corp. to dismiss a proposed class action related to the 2013 data breach. Justice Pinsonnault dismissed the proposed class action on the grounds that the courts of Québec lacked jurisdiction (see our previous post here). The Court… → Read More

Annoying Ain’t Enough: Moral Damages in the Context of Security or Data Breaches

Posted in Data Breach, Financial

In early 2013, an employee of the Investment Industry Regulatory Organization of Canada, the national self-regulatory organization which oversees all investment dealers and trading activity on debt and equity in the Canadian marketplace (“IIROC”), lost an unencrypted USB drive containing confidential and personal data of approximately 50,000 customers of its dealer members (the “Security Breach”)…. → Read More

NAIC Releases Cybersecurity Bill of Rights for U.S. Insurance Consumers

Posted in Cyberinsurance, Cybersecurity, Data Breach, Standards

On October 15, 2015, the U.S. National Association of Insurance Commissioners (“NAIC”) released the Cybersecurity Bill of Rights (the “Bill”). The Bill, released during cybersecurity awareness month, is intended to improve consumer protection and to assist with updating model laws. It may, in practice, potentially expand protections to consumers and obligations of insurance companies and… → Read More

Data Breaches: All’s Not Lost, Even if Your Data Is (And if You’ve Taken Precautions)

Posted in Cybersecurity, Data Breach

As anyone who’s ever left a USB key in a Kinko’s knows, it’s easy to lose a mobile device containing sensitive user information. As a recent statement from Newfoundland and Labrador’s Office of the Information and Privacy Commissioner (OIPC) shows, taking preemptive steps to make the user information on a mobile device more secure… → Read More

Federal Court Conditionally Certifies Privacy Breach Class Action

Posted in Data Breach, Privacy

In the recent decision of Doe v Her Majesty The Queen, 2015 FC 916 (“Doe”), the Federal Court granted conditional certification of a class action brought on behalf of members of the Marihuana Medical Access Program (“MMAP”). This conditional certification is notable as it, alongside the recent case Evans v. Bank of Nova Scotia (“Evans”), is… → Read More

Hospital Privacy Breach Results in OSC Laying Charges

Posted in Data Breach, PHIPA, Privacy

The Ontario Securities Commission (“OSC”) has announced a series of criminal and quasi-criminal charges following an investigation related to the misuse of confidential patient information from the Rouge Valley Health System and the Scarborough Hospital. The OSC charges stem from allegations that a RESP sales representative purchased stolen maternity patient labels from a hospital nurse… → Read More

Adobe’s Data Breach Class Action Settled in California

Posted in Class Actions, Data Breach

Parties to the proposed class action in California over Adobe Systems Inc.’s alleged failure to safeguard clients’ data from a breach that compromised more than 3 million credit card records reached an agreement to settle. The settlement has not yet been approved by a Court, but if it is approved, it will result in the… → Read More

Proposed Class Action Misses its “Target” in Quebec

Posted in Class Actions, Data Breach, Privacy, Quebec, Retailing

On March 23, 2015, the Superior Court of Québec (per Justice Pinsonnault) granted a motion by Defendant Target Corp. to dismiss a proposed class action related to the 2013 data breach that affected millions of customers in the U.S. and allegedly many hundred thousand in Canada, on the grounds that the Courts of Québec lacked… → Read More

Recent Breaches Spur Renewed Focus on Strengthening Ontario’s Health Privacy Laws

Posted in Data Breach, PHIPA, Privacy, Uncategorized

According to a recent news report, Ontario Health Minister Eric Hoskins is looking into re-introducing the Electronic Personal Health Information Act (EPHIPA) and strengthening Ontario’s Personal Health Information Act (PHIPA) following recent health-related privacy breaches. Although PHIPA was introduced over ten years ago, only one person has ever been charged under the legislation: a nurse who… → Read More

U.S. regulators review brokerage cybersecurity, provide guidance

Posted in Data Breach, Regulatory Compliance

Earlier this month, the U.S. Securities and Exchange Commission (“SEC”) and the Financial Industry Regulatory Authority (“FINRA”) each released reports addressing cybersecurity. FINRA’s report targeted its broker-dealer members, and the SEC’s report targeted broker-dealers and investment advisers, but the twin reports provide a roadmap to cybersecurity for financial… → Read More

The most hackable month of the year: steps companies can take to protect themselves from data breaches

Posted in Data Breach, E-Commerce, Privacy

In a few short days it will be Cyber Monday, the kickoff to the financial madness that is the holiday shopping season. For cybercriminals and fraudsters, December represents the mother lode of hackable data. How big is the… → Read More

Cybersecurity Governance and D&O liability

Posted in Data Breach

The assessment of a corporation’s cyber risks is part of a board of directors’ general risk oversight responsibilities. Since lawsuits, including class actions, are often commenced soon after a data breach, directors and officers should now consider that the board’s oversight of cyber risks may also be closely and thoroughly… → Read More

New Year, New Mandatory Breach Reporting

Posted in Data Breach, Privacy

Overview: It is rumoured that Bill 12 that amended the Alberta Health Information Act (“HIA”), passed on May 14, 2014, will come into force this year. Bill 12 made 3 significant changes to the HIA: 1. adds mandatory breach notification provisions; 2. authorizes the Office of the Information and… → Read More