An investor and a former registrant whose personal data were stolen in the Canadian Investment Regulatory Organization’s (CIRO) cybersecurity breach last year have asked a court in British Columbia to certify a class action against the regulator. On behalf of other potential class members, the two plaintiffs allege CIRO was negligent in protecting personal information, and they seek damages for alleged losses.

One plaintiff is a B.C. resident with investment accounts at two of the big banks, and the other is an Ontario resident who is a former CIRO registrant. According to the Canadian Securities Administrators’ national registration search, the latter plaintiff’s registration ended in 2023. This publication isn’t naming the plaintiffs, given that the case relates to privacy.

On Aug. 18 last year, CIRO said it detected a cybersecurity threat on Aug. 11. The regulator confirmed on Sept. 9 that current and past registrants’ personal information was hacked, and on Jan. 14, CIRO said about 750,000 investors’ personal information was also stolen.

The claim — the second against the regulator — was filed on Friday with the B.C. Supreme Court in Vancouver by Slater Vecchio LLP. It is on behalf of “all legal persons, excluding residents of Quebec,” whose information was accessed in the CIRO breach.

“Canadians are required to provide highly sensitive financial and personal information to regulators like CIRO, with the expectation that it will be rigorously protected,” Anthony Vecchio, King’s Counsel, a partner with Slater Vecchio and one of the lawyers for the plaintiffs, said in a release on Tuesday.

“When that trust is broken by a cyberattack, the consequences can be serious and long-lasting, including heightened risks of identity theft, fraud, and ongoing privacy harms. This action seeks to hold CIRO accountable and to reinforce that safeguarding personal information is a fundamental component of any regulator’s public-interest mandate.”

CIRO declined to comment, as this is a pending legal matter.

The claim alleges that the “loss and/or damages suffered by the plaintiffs and class members,” including the costs of long-term credit monitoring and insurance, “were the reasonably foreseeable consequences of CIRO’s negligence.” Specifically, alleged harm was caused by CIRO’s “acts and omissions” in the “design, implementation, operation and security of its information technology systems,” the claim alleges.

In outlining CIRO’s obligation to protect and limit the retention of personal information, the claim cites federal and provincial privacy laws, as well as the provincial securities commissions’ recognition orders and CIRO’s bylaw, which has a section on information exchange.

“CIRO willfully violated the plaintiffs and class members’ reasonable expectations of privacy,” the claim alleges, by failing to comply with its obligations under the statutes, and with the terms and conditions of the recognition orders and bylaw.

It also alleges that the breached personal information was collected, processed or stored in “an inadequate and unreasonable manner.” For example, the regulator failed to “destroy and/or anonymize” the breached personal information after it was no longer needed, the claim alleges.

The claim further alleges that the regulator failed to give those affected by the breach “prompt and sufficiently detailed notice” about which data were breached.

It seeks general and special damages for negligence, punitive damages and, in certain provinces, moral damages (e.g., for stress).

CIRO faces another potential class action, filed last October in the Superior Court of Quebec on behalf of “all persons in Canada” affected by the regulator’s data breach. The plaintiff in that case is a past registrant, and the application alleges that the regulator was negligent in protecting private information. The application hasn’t been authorized.