Canadian firms don’t do basics to minimize data breach risk: Lawyer

Few Canadian organizations are prepared to handle data breaches, says a Canadian lawyer who focuses on cyber security and data protection law.

“Many Canadian organizations haven’t done some of the basic things that regulatory guidance and best practices suggest to minimize risk of a data breach,” Bradley Freedman, Vancouver-based partner at the Borden Ladner Gervais law firm said in an interview Sunday.

“In many cases its because decision-makers decide maybe the costs aren’t justified, or it’s not a profit centre and they want to spend the money in other ways.”

Either way, he said, “in my view it’s short-sighted and misguided.”

Freedman was interviewed after publishing a blog on the weekend on lessons learned following the recent settlement of up to $1.25 million in a class action lawsuit against Walmart Canada and PNI Digital Media Inc., who were sued in the wake of a 2015 data breach at Walmart’s Photocentre photo processing website. PNI provided the site’s software.

Sometime between June 1, 2014 and July 10, 2015 the site was breached, giving attackers access to personal and financial information of customers.

In a May 30 Ontario court decision the plaintiffs were ordered to pay

–one year of credit monitoring for victims up to a total of $350,000;

–out of pocket loses up to $5,000 a person up to a total for the group of $400,000;

–claims administration costs of up to $250,000 to Deloitte Canada, which is administering the payment of claims;

–and legal costs of $250,000.

As part of the settlement neither Walmart Canada nor PNI admitted any wrongdoing.

Freedman wasn’t involved in the case, but said a number of lessons can be learned from this and other data breaches:

–every organization should establish a documented, comprehensive information security governance framework to ensure that appropriate practices, procedures, policies and systems for the protection of personal information and payment card information are established, consistently understood and effectively implemented;

— a cyber risk management program should include risks arising from suppliers of products and services it uses as well as from business partners with access to the organization’s systems or who might otherwise be a risk to the organization’s cybersecurity posture;

— an organization should have a comprehensive and suitable data security incident response plan and a trained multidisciplinary incident response team;

–an organization should give timely notice of a data security incident to affected individuals and organizations (including payment service providers), regulators and law enforcement in accordance with data incident notification obligations.

Meanwhile the Toronto Star reports a U.S. judge has given interim approval to a US$11.2 million deal with the Canadian-based parent of online dating service Ashley Madison to settle class action lawsuits in the United States after the 2015 data breach involving approximately 36 million user accounts around the world. A final approval hearing will be held Nov. 20

There is a separate class action suit in Canada.

Earlier this month Ruby Corp. and Ruby Life Inc. (which had been called Avid Dating Life before the breach), issued a statement describing the proposed settlement, which consolidates several  lawsuits into one before the United States District Court for the Eastern District of Missouri.

If approved the money will go into a settlement fund to pay class members who submit valid claims for alleged losses resulting from the data breach and alleged company misrepresentations.

The consolidated class action complaint alleges that the defendants misrepresented that they had taken reasonable steps to ensure was secure and that the data breach resulted in the public release of personal information including data of some users who had paid a fee to delete their information from the website.

In settling Ruby denies any wrongdoing. The statement says the parties have agreed to the proposed settlement “to avoid the uncertainty, expense, and inconvenience associated with continued litigation, and believe that the proposed settlement agreement is in the best interest of ruby and its customers.”

The statement also says that account information wasn’t verified by the company so the names of alleged members released by the hackers may not have actually been a members of Ashley Madison.

The statement adds that since July 2015, Ruby also implemented numerous remedial measures to enhance the security of its customers’ data.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Stemming the tide of cybercrime

By: Derek Manky Technology continues to play a significant role in accelerating...

Power through a work-from-anywhere lifestyle with the LG gram

“The right tool for the right job” is an old adage...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now