An Ontario court has certified a class action lawsuit against fund manager Mackenzie Financial Corp. and compliance communications firm Investorcom Holdings ULC over a cyberattack that potentially exposed the personal data of over 1 million investors to criminals on the “dark web.”
The Ontario Superior Court of Justice approved a motion to certify the case as a national class action, ruling that a class action is the preferable proceeding for this sort of case. It did not evaluate the actual merit of the allegations beyond establishing that the plaintiffs have, at least, a plausible case.
According to the court’s ruling, in 2023, hackers allegedly accessed personal information on Mackenzie clients through a vulnerability in Investorcom’s systems, and attempted to extract a ransom from the firm for the exposed data. The court noted that, while there’s no doubt that investors’ data was accessed, it’s not clear whether the hackers actually managed to extract any of the data. In addition, there’s no evidence at this point that any of the data has been sold on the dark web.
Given that Mackenzie has provided its clients with free credit monitoring, the court said that the judge hearing the case may conclude that investors haven’t suffered any harm as a result of the breach. The plaintiffs, however, argue that the fact that they now have to guard themselves against identity theft reflects a breach of a duty of care, which merits some compensation to affected investors.
“The plaintiffs’ expert provides examples where exfiltrated [personal information] from a data breach event is misused many years after the event. The plaintiffs argue that this risk, resulting anxiety and the ongoing need to take precautions against identity theft and other misuse of the [personal information] demands compensation,” it said.
“The critical question then is whether the defendants owed a duty to foresee and prevent a hacker attack and whether the plaintiff is entitled to damages or other remedies in the absence of specific proof of misuse of the [personal information],” the court said.
Among other things, the plaintiffs argue that the firms were negligent in protecting investors’ data, that they breached their duty of care to keep that data safe, and that investors were harmed as a result.
“The issue at the core of the litigation is whether the duty of the defendants extends to protecting clients of Mackenzie from the risk of pure economic loss, or from the risk of future potential losses, if cybercriminals gain access to [personal data] and might misuse that data in the future,” the court said.
The court found that it’s arguable that the defendants owed a duty of care to investors that was breached in this case, and that it’s possible that the plaintiffs may be able to argue that the firms had a fiduciary duty to investors that was breached too.
“Even if there is no applicable or enforceable statutory obligation in a particular jurisdiction, the almost constant attention to this issue by legislatures across Canada and around the world for that matter, supports an argument that data custodians should now be alert to the highly sensitive nature of [personal data] and have a duty to protect it,” it said.
Beyond concluding that there’s potentially a viable claim, the court found that the other elements required for a class action are also present in this case: there are common issues to be determined, there’s an identifiable group of affected investors, and the proposed plaintiff is suitable and has a reasonable litigation plan.
B.C. court case
The court was also asked to address an additional issue — whether to carve out investors in certain provinces from the Ontario class action, given that there’s a parallel suit that is being brought in British Columbia, where the legislative environment may be more conducive to this sort of claim.
Acting as an intervenor, the plaintiff in the B.C. case asked the court to carve out B.C. residents from the class covered by the Ontario suit, arguing that it would be more appropriate for these investors to be included in that action, although it has yet to be certified.
However, the Ontario court denied that request, saying that it is premature to provide a carve-out for these investors before the courts in B.C. have decided whether to certify that case as a class action. That may change as the cases proceed.
“Where there are competing class proceedings in different jurisdictions and more than one is certified, class definitions may have to be adjusted as events unfold,” the Ontario court said, noting that the certification motion for the case in B.C. is now expected to be heard in December.
“Once the court in British Columbia has ruled, it may be appropriate to revisit the question of whether or not the classes in this proceeding should be adjusted or limited,” it said.
This story has been edited.