Federal Court Of Canada Certifies Data Breach Class Action Against The Federal Government

On August 25, 2022, the Federal Court of Canada (the Court) in Sweet v Canada, 2022 FC 1228, certified a class action against the Government of Canada (the Defendant) relating to data breaches in which hacker(s) gained access to the personal, financial and other information of thousands of Canadians through Government of Canada websites.

The proposed class representative, the plaintiff, Todd Sweet (the Plaintiff), alleged that from approximately June 2020 to August 2020, due to operational failures by the government to secure their online portals, Canadian taxpayers’ personal and financial information on Government of Canada websites was improperly accessed by hackers, and for 12,700 accounts, fraudulent Canada Emergency Response Benefit (CERB) claims were submitted and changes made to direct deposit information.  The Plaintiff alleged that he and other class members have suffered damages including costs in preventing identify theft, damages for identity theft, damage to credit reputation, mental distress, out-of-pocket expenses, and time lost in communicating with the Canadian Revenue Agency and other Crown agencies.

This decision dealt with the Plaintiff’s motion for class certification for actions based on the torts of systemic negligence, breach of confidence, and intrusion upon seclusion.  

In response, the Defendant submitted that the Plaintiff had failed to plead any facts to support a relationship of proximity necessary to establish a prima facie duty of care and that the claim should fail because it seeks to impose a duty of care in circumstances that would result in indeterminate liability to an indeterminate class.  The Defendant also argued that there were applicable policy considerations that would negate the Defendant’s duty of care in this case, including that the Plaintiff’s allegations were merely a criticism of the Government’s policy decision to use existing systems to roll out the CERB benefits at the beginning of the pandemic.

However, the Court concluded that it was not plain and obvious that the Plaintiff’s causes of action in systemic negligence, breach of confidence, and intrusion upon seclusion would fail.

In considering the requirements for certification, the Court found that: (1) the Plaintiff’s pleadings disclosed a reasonable cause of action for each of the three torts; (2) there was some basis in fact to conclude that there was an identifiable class of two or more persons; (3) there was some basis in fact for the claims of the class members raising common questions of law or fact; (4) a class proceeding was the preferable procedure for the just and efficient resolution of the common questions in this action; and (5) the Plaintiff was a representative who would fairly and adequately represent the interests of the class and had satisfied certain conditions.

Summary By: Sharan Johal