March 25, 2019 by Greg Meckbach
Equifax may have to defend itself against separate privacy class action lawsuits in at least two Canadian provinces as a result of a cyber breach in 2017.
A cyber insurance claim can be triggered when a client is subject to a data breach and personal data falls into the wrong hands. Corporate clients can be sued by plaintiffs alleging the corporation did not do enough to safeguard the data (credit card numbers, for example) it was storing.
Thousands of Canadians were affected by an intrusion into Equifax’s online dispute portal, the credit bureau announced in 2017.
Lawsuits were filed in several jurisdictions, including Saskatchewan, Ontario and Quebec. Allegations against Equifax have not been proven in court.
Equifax asked a Quebec Superior Court to stay a class-action suit in that province because a different class action arising from the same breach is taking place in Ontario. The Quebec Superior Court rejected Equifax’s application, a decision upheld in Equifax Inc. et Equifax Canada Co. v. Daniel Li by the Quebec Court of Appeal.
On March 21, 2019 the Supreme Court of Canada announced it will not hear an appeal from Equifax.
The Quebec Superior Court ruled against Equifax primarily because Daniel Li filed his lawsuit before the Ontario class action had been filed.
In Agnew-Americano v. Equifax Canada, released in early 2018, Justice Benjamin Glustein of the Ontario Superior Court of Justice ruled that law firm Sotos can proceed with a class action against Equifax Inc. and Equifax Canada Co. The representative plaintiffs are Bethany Agnew-Americano and a “Jane Doe” plaintiff who is requesting anonymity. Justice Glustein stayed a separate class action lawsuit in Ontario against Equifax filed by Merchant Law Group on behalf of Laura Ballantine. The Agnew-Americano v. Equifax Canada ruling was not on the merits of the allegations against Equifax. Instead it was essentially a dispute between two plaintiff’s law firms on which of the two class-actions should proceed and which one should be stayed.
In September, 2017, Equifax said criminals had exploited a vulnerability on an application on its U.S. website from May through July of that year.
The data breach exposed credit card numbers for about 209,000 U.S. customers, Equifax said at the time.
For Canadians with Equifax files, the information “potentially” affected by the breach includes names, addresses, social insurance numbers and, in some cases, credit card numbers, Equifax said in 2017. It could also have affected people’s user names and passwords.
On Oct. 16, 2107, Equifax said the number of Canadians affected was about 8,000. It later updated that number to 20,000.