Canadian government named in class-action privacy breach lawsuit

The federal government is facing a proposed class-action lawsuit over data breaches earlier this year affecting thousands of users of online service users.

Criminals were able to get the user names and passwords of 9,041 users of GCKey, the federal government announced in August. GCKey lets people access multiple federal government services – including Employment and Social Development Canada’s MyService Canada Account – over the Internet.

In response to the breach, Vancouver-based law firm Murphy Battista LLP is proposing a class action. The proposed class is all persons whose personal or financial information in their federal Credential Service account or their Canada Revenue Agency account was disclosed to a third party on or after Mar. 15, 2020.  Murphy Battista lawyers Angela Bespflug and Janelle O’Connor filed the statement of claim Aug. 24. Three representative plaintiffs are named.

Among the allegations contained in the statement of claim are that Canada Revenue agency failed to notify victims of the breach and the general public in a timely manner that people’s personal and financial information had been compromised. The statement of claim also alleges the government failed to take reasonable steps when it knew or ought to have known that cyber security incidents were taking place.

Allegations against the government contained in the statement of claim have not been proven in court. A court must first agree to certify a class before it can establish the facts and judge the merits of the claim.

For its part, the government said Aug. 15 it has “robust systems and tools in place to monitor, detect and investigate potential threats, and neutralize them as quickly as possible.”

The class action lawsuit alleges the personal and financial information of the plaintiffs were disclosed to a third party. That information includes social insurance numbers (“SIN”), annual tax returns, banking information, family information, disability benefit information, and home addresses.

The causes of action include obligations under the federal Privacy Act, as well as the common law duty and care in the collection, retention and disclosure of people’s personal and financial information. Another head of damage is the controversial new tort “intrusion upon seclusion,” which was first established in Ontario in 2012. The tort essentially recognizes significant invasions of privacy.

Related: Canada Revenue Agency suspends online services after cyberattacks

In the lawsuit filed against the federal government Aug. 24, 2020, the plaintiffs did not put a specific dollar value on damages in the claim filed in court. They did however identify a number of heads of damage, including costs incurred in preventing identity theft, damage to credit reputation, mental distress, and time the plaintiffs lost in notifying parties such as credit card providers.

Canada has seen “an explosion in privacy class actions over the last number of years,” David Fraser, Halifax-based privacy lawyer for McInnes Cooper, told Canadian Underwriter earlier.

In the event of a privacy breach, an organization could be sued for negligence, breach of confidence, breach of fiduciary duty, or breach of contract, Fraser said at the time, commenting in general on cyber risk and not on any specific case.

The federal government announced Aug. 15 that of about 12-million active GCKey accounts, the passwords and usernames of 9,041 users were acquired fraudulently. Criminals used those credentials to try and access government services. A third of those did access such services “and are being further examined for suspicious activity,” the government said at the time.

As part of that GCKey attack, and a separate “credential stuffing” attack,  about 5,500 Canada Revenue Agency accounts were targeted.

The government defines “credential stuffing” as attacks that use passwords and usernames collected from previous hacks of other attacks, taking advantage of the fact that many people reuse passwords and usernames across multiple accounts.

Feature image via iStock.com/Olena_T