TORONTO – An eastern Ontario children’s aid society is facing a $75 million lawsuit after a cyber attack resulted in a list of client names being stolen and shared on local Facebook groups.
At least three dozen people have expressed interest in taking part in the proposed class action against Family and Children’s Services of Lanark, Leeds and Grenville (CFSLLG), according to the lawyer representing the plaintiffs.
Sean Brown of Flaherty McCarthy LLP said the organization took a lax approach to protecting the confidentiality of those under investigation and alleged that their negligence resulted in a serious violation of privacy.
“That institution made the decision to use an online portal system that was easily accessed by an individual without any obvious hacking skills,” Brown said. “The most sensitive and confidential information held by that body, specifically the names of those under its investigation, have now been published on the Internet. The damage has been done. That bell can not be unrung.”
CFSLLG Executive Director Raymond Lemay said the suit did not come as a particular surprise, since some clients had expressed considerable anger upon seeing their names surface online.
It was a client who first alerted the agency to the hack on April 18, Lemay said, adding she had seen the list on a Facebook group usually dedicated to local trading.
“People are acting within their rights and as they should,” he said. “It’ll be up to the courts to determine whether or not there was neglect and who’s responsible.”
According to the statement of claim, FCSLLG had prepared a report for its board of directors including new cases taken on between April and November 2015. That report included the list of all 285 specific clients and was saved to a portal that board members could access, the statement said.
The suit alleges that an unknown hacker obtained access to the list and posted it to Facebook groups for the Smiths Falls Swapshop and Families United.
The suit names negligence and breach of confidence among the causes for legal action, alleging that the organization didn’t take proper measures to secure its data.
“They knew or ought to have known that the encryption of their computer systems, if any, was inadequate to protect against breach and compromise by computer hackers and they failed to take any or sufficient steps to remedy the same,” the claim reads. “They employed computer personnel and/or computer contractors who lacked the necessary skills, education, training, and expertise in computer data and security and encryption.”
Lemay acknowledged that the agency had struggled with security issues in the past, saying there had been a data breach involving less sensitive information in February.
Lemay said a third party had been called into tighten security on the board portal, but declined to discuss details because the matter is before the courts.
The suit is being led by a client referred to simply as M.M.
The emotional consequences of the privacy breach were considerable, the claim reads.
“The loss of the plaintiff’s and class members’ personal and private information occasioned by the defendants’ lax security measures was highly offensive to the plaintiff and class members, causing them distress, anxiety, shame, humiliation, and anguish,” it said.
Lemay said the breach is currently being investigated by the Smiths Falls police department, who did not immediately respond to a request for comment.