An Ontario court has allowed a class action to go ahead against Bank of Nova Scotia from a group of bank customers who had their personal information stolen by a bank employee.

The Ontario Superior Court of Justice has ruled largely in favour of the proposed plaintiffs in a class action against the bank and a former employee of the bank, Richard Wilson, who admitted to providing confidential customer information to his girlfriend, who then disseminated that information to third parties “for fraudulent and improper purposes.”

The decision dated June 6 notes that Wilson was employed by the bank as a mortgage administration officer, from September 24, 2007 until June 12, 2012, which gave him access to highly confidential customer information. It says that the bank discovered a spike in the number of customer files accessed by Wilson beginning on July 1, 2011, and that it identified 643 bank customers whose files were accessed by Wilson between July 1, 2011 and May 18, 2012, when his access was terminated.

As a result of the breach, the decision notes, a substantial number of the customers “became victims of identity theft and fraud, which has negatively affected their credit rating.” While the bank offered the victims complimentary credit monitoring and identity theft protection, so far 138 of them have advised the bank that they have been the victims of identity theft or fraud in the past year.

The bank has compensated these victims for the losses they have suffered, it says, yet a proposed class action has also been brought seeking damages against the bank on various grounds. Those allegations have not been proven. According to the decision, the bank opposed the class action on a number of grounds, and suggested instead that the victims should proceed with a test case, or numerous individual actions in small claims court.

However, the court sided with the plaintiffs, ruling that there are a number of possible grounds for action against the bank, including the possibility that they may claim additional damages for the emotional suffering, hardship and inconvenience. “This is a unique situation, where their personal financial records were distributed to third party criminals and where such confidential information has been used to steal their identity and commit fraud and has negatively affected their credit ratings,” it notes.

The court ruled that there is an identifiable class of plaintiffs that can be broken into two subgroups — those who have suffered damages due to identity theft, and those who had their personal information stolen, but haven’t been victimized by identity theft, as yet.

“Deciding the common issues in one legal proceeding rather than hundreds of small claims court proceedings or arbitration proceedings is a much more efficient use of judicial resources,” it says. “In addition it promotes access to justice given the relatively small amount of the damages claimed and the complexity and the novelty of the legal issues in these claims.”

The court notes that it received very few submissions on the case’s litigation plan, and that a further case conference or motion may proceed “to resolve the further issues now that the terms of the certification motion, the class definition and common issues have been identified,” it says.