Canadian Underwriter
News

How this cyber breach defendant got a six-figure cost award


June 13, 2019   by Greg Meckbach




Print this page Share

Defendants who won a class-action lawsuit were recently awarded $166,000 to reimburse them for legal costs, but the plaintiffs are appealing.

Casino Rama, located near Orillia, Ont. was the target of a cyber breach in 2016 by an unknown criminal. As a result, a lot of information on vendors, employees and customers was stolen.

In Kaplan v. Casino Rama, released May 7 by the Ontario Superior Court of Justice, Judge Ed Belaboba ruled that a lawsuit against Casino Rama by some of the victims should not be certified as a class action.

Ted Charney, the plaintiffs’ lawyer, told Canadian Underwriter Wednesday that an appeal has been filed.

The ruling on how much the plaintiffs owe the defendants was released June 6.

“The very basis for this class action was questionable. When the cyber-hack was discovered, the defendant Casino reacted quickly in a reasonable and responsible fashion,” Justice Belobaba wrote.

Leonid Kaplan and four other plaintiffs are listed as representative plaintiffs. One plaintiff’s name, address, data of birth, social insurance number, bank account details were posted online, Justice Belobaba wrote, but added there is no evidence that any victims suffered economic losses.

Class-action lawsuits are often filed against firms which are targets of cyber breaches, even when the defendants are innocent of wrongdoing. Often the defendants are accused of not doing enough to stop hackers from stealing data that should be confidential.

But the ultimate perpetrator was the hacker, Justice Belobaba suggested.

Ultimately, Justice Belobaba ruled that the lawsuit does not raise common issues – one of the prerequisites under Ontario’s Class Proceedings Act.

Casino Rama is managed by Reading, Penn.-based Penn National Gaming Inc. Co-defendants include the parent firm and the Ontario Lottery and Gaming Corporation. Penn manages Casino Rama on behalf of OLGC. Rama’s facility includes 2,523 gaming machines, 101 table games and 10 poker tables, a 5,000‑seat entertainment facility and a 289‑room hotel, Penn National reported in an earlier securities filing.

The $166,000 cost award was 35% lower than the $255,707.13 that Rama sought for legal fees, disbursements and taxes.

But the plaintiffs argued no costs should be awarded because the proposed class action “raised novel legal issues and was in the public interest.”

Justice Belobaba disagreed.

“Simply because the action involves a criminal hacker accessing a company’s computer system and publishing the stolen information online does not make it novel,” he wrote.

Other Canadian defendants in cyber breach class actions have included Home Depot Inc., whose payment card system was hacked by criminals in 2014. Home Depot settled its lawsuit in Ontario. The hardware retailer agreed to create a fund of $250,000 to compensate plaintiffs for the risk of a fraudulent charge on credit cards, the risk of identify theft and the inconvenience for checking their credit card statements.

Class action lawsuits were also filed against hotelier Marriott International Inc., which announced a data breach this past November.

In class action lawsuits, representative plaintiffs propose to the court a description of the “class” of plaintiffs who should be awarded damages.

In Kaplan v. Casino Rama, the proposed class was comprised of all residents of Canada – with some exceptions – who fit in one of three categories. The first was people who received a notice of breach from Casino Rama. The second was people whose personal details were posted online during two “data dumps” in November of 2016. The third category is people whose information was contained on one of the two servers accessed by the cybercriminals in the breach.

The plaintiffs listed 30 “proposed common issues.” One issue was the question of whether Casino Rama established, maintained and enforced appropriate security safeguards against a cyber-attack to limit the exposure of the plaintiffs’ personal information.

But many of those PCIs “require so much in the way of individual inquiry that any commonality is overwhelmed by the need for individualized assessments,” Justice Belobaba wrote. “This proposed class action collapses in its entirety at commonality.”