June 13, 2019 by Greg Meckbach
Defendants who won a class-action lawsuit were recently awarded $166,000 to reimburse them for legal costs, but the plaintiffs are appealing.
Casino Rama, located near Orillia, Ont., was the target of a cyber breach in 2016 by an unknown criminal. As a result, a lot of information on vendors, employees and customers was stolen.
In Kaplan v. Casino Rama, released May 7 by the Ontario Superior Court of Justice, Judge Ed Belobaba ruled that a lawsuit against Casino Rama by some of the victims should not be certified as a class action.
Ted Charney, the plaintiffs’ lawyer, told Canadian Underwriter Wednesday that an appeal has been filed.
The ruling on how much the plaintiffs owe the defendants was released June 6.
“The very basis for this class action was questionable. When the cyber-hack was discovered, the defendant Casino reacted quickly in a reasonable and responsible fashion,” Justice Belobaba wrote.
Leonid Kaplan and four other plaintiffs are listed as representative plaintiffs. One plaintiff’s name, address, date of birth, social insurance number and bank account details were posted online, Justice Belobaba wrote, but he added that there is no evidence that any victims suffered economic losses.
Class-action lawsuits are often filed against firms which are targets of cyber breaches, even when the defendants are innocent of wrongdoing. Often the defendants are accused of not doing enough to stop hackers from stealing data that should be confidential.
But the ultimate perpetrator was the hacker, Justice Belobaba suggested.
Ultimately, Justice Belobaba ruled that the lawsuit does not raise common issues – one of the prerequisites under Ontario’s Class Proceedings Act.
Casino Rama is managed by Reading, Penn.-based Penn National Gaming Inc. Co-defendants include the parent firm and the Ontario Lottery and Gaming Corporation. Penn manages Casino Rama on behalf of OLGC. Rama’s facility includes 2,523 gaming machines, 101 table games and 10 poker tables, a 5,000‑seat entertainment facility and a 289‑room hotel, Penn National reported in an earlier securities filing.
The $166,000 cost award was 35% lower than the $255,707.13 that Rama sought for legal fees, disbursements and taxes.
But the plaintiffs argued no costs should be awarded because the proposed class action “raised novel legal issues and was in the public interest.”
Justice Belobaba disagreed.
“Simply because the action involves a criminal hacker accessing a company’s computer system and publishing the stolen information online does not make it novel,” he wrote.
Other Canadian defendants in cyber breach class actions have included Home Depot Inc., whose payment card system was hacked by criminals in 2014. Home Depot settled its lawsuit in Ontario. The hardware retailer agreed to create a fund of $250,000 to compensate plaintiffs for the risk of a fraudulent charge on credit cards, the risk of identity theft and the inconvenience of checking their credit card statements.
Class action lawsuits were also filed against hotelier Marriott International Inc., which announced a data breach this past November.
In class action lawsuits, representative plaintiffs propose to the court a description of the “class” of plaintiffs who should be awarded damages.
In Kaplan v. Casino Rama, the proposed class was comprised of all residents of Canada – with some exceptions – who fit in one of three categories. The first was people who received a notice of breach from Casino Rama. The second was people whose personal details were posted online during two “data dumps” in November of 2016. The third was people whose information was contained on one of the two servers accessed by the cybercriminals in the breach.
The plaintiffs listed 30 “proposed common issues.” One issue was the question of whether Casino Rama established, maintained and enforced appropriate security safeguards against a cyber-attack to limit the exposure of the plaintiffs’ personal information.
But many of those proposed common issues (PCIs) “require so much in the way of individual inquiry that any commonality is overwhelmed by the need for individualized assessments,” Justice Belobaba wrote. “This proposed class action collapses in its entirety at commonality.”
Casino Rama reacted, yes, by notifying people in a fairly timely way after the fact, but from following this story, I read that the main issue is that these files were not encrypted on the Casino servers. If those files had been encrypted by built-in Windows Server disk encryption, nothing really special, the hacker would not have been able to open them and post them online. Part of their point in the hack was to show that the Casino was lazy and reckless in not even enabling disk encryption. Simply because those who’ve had their SINs, etc. posted online have not yet suffered identity theft, etc., does not mean someone won’t use their info later. That information is all there, sitting online in various places, backed up too. Does everyone change their SIN to prevent this? I’m surprised the court didn’t address that.
I’m interested in the status of this claim as I received a notification as an employee of Rama.