On June 20, 2019, Desjardins Group (Desjardins) announced a data breach affecting the personal information of approximately 2.9 million of its customers. The data breach, which affected approximately 2.7 million people and 173,000 businesses, was caused by an “ill-intentioned” employee who shared the information with others outside of the financial institution. A class action lawsuit has since been filed against Desjardins.
The leaked information included member names, addresses, birth dates, social insurance numbers, email addresses and transactional information. However, Desjardins assured its customers that certain authentication information including security questions, passwords and personal identification numbers were not compromised. Desjardins has announced that they will be contacting every customer affected by the breach. Affected customers will be offered complementary identity theft insurance and credit-monitoring, and will be compensated for any financial loss caused.
The Desjardins data breach comes several months after the Office of Superintendent of Financial Institutions (OSFI) enacted new incident reporting obligations for federally regulated financial institutions (FRFI’s). FRFI’s have some flexibility in defining incident characteristics. However, the high number of customers affected suggests reporting to OSFI will be necessary. For more information on the Advisory, please refer to our previous E-TIPS® article here. Desjardins has already reported the incident to the Office of the Privacy Commissioner of Canada.
Summary By: Sam Hargreaves
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.