  • 10 Mar 2023 12:53 PM | CAN-TECH Law (Administrator)

    Where sharing is unexpected or unobvious, consent needs to be explicitly obtained

    On January 26, 2023, the Office of the Privacy Commissioner of Canada (OPC) released a report of findings following its investigation into Home Depot of Canada Inc.’s compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). The OPC concluded that organizations can’t rely on implied consent obtained via a privacy policy for certain unexpected uses and disclosures of customer personal information, even where that information isn’t sensitive in nature.

    The OPC’s investigation followed a complaint from a customer surprised to discover, upon a review of his Facebook account information, that Facebook had a record of many of his in-store purchases from Home Depot. In the course of the investigation, the retailer confirmed that when in-store customers chose to receive their receipt by email instead of or in addition to a paper receipt, it forwarded to Meta the customer’s hashed email address and in-store purchase details (for example, date and dollar amount of purchase, and general type of purchase) for analysis using Meta’s “Offline Conversions” tool. Meta would then match the hashed email address to determine if it had a Facebook account that corresponded to that email address. If the customer had a Facebook account, Meta would compare the customer’s offline purchase information to the retailer’s ads delivered to the customer by Meta to measure the effectiveness of those ads. If, for example, the customer had purchased goods in-store that had been previously advertised to the customer via Meta’s advertising tools, that would indicate the effectiveness of that particular ad. Meta would provide the results of that analysis back to the retailer in the form of an aggregated report, giving insight into the impact of its advertising on its customers’ ‘offline’ purchasing behavior. This report that was provided back to Home Depot would not identify any particular customers, but give broader insights into the general effectiveness of its online ads.
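The matching step described above works only because an unkeyed hash of a normalized email address is deterministic: any party that computes the same hash over the same address gets the same value, so a "hashed" identifier still links records across organizations and remains personal information. The following added example (not code from the OPC report, Home Depot or Meta) simulates that cross-party match on constructed receipt and account data, and contrasts it with a keyed hash under a party-specific secret, which cannot be matched by a second party. The normalization rule (trim, lower-case) and the use of SHA-256 are assumptions made for the example; the page does not state which hash the retailer used.

```python
import hashlib
import hmac


def normalize_email(email: str) -> str:
    """Canonicalize the address so trivially different spellings hash identically.

    Assumption for this example: strip surrounding whitespace and lower-case.
    """
    return email.strip().lower()


def hash_email(email: str) -> str:
    """Unkeyed SHA-256 of the normalized address (assumed scheme).

    Anyone who knows the address can recompute this value, which is exactly
    what makes cross-party matching possible.
    """
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def keyed_hash_email(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a party-specific secret key.

    Only holders of the same key can reproduce the value, so two parties with
    different keys cannot link their records this way.
    """
    return hmac.new(key, normalize_email(email).encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed sample data: a retailer's e-receipt records (what is sent out,
# minus the raw address) and a platform's own account list.
RETAILER_RECEIPTS = [
    {"email": "Alice.Example@example.com ", "date": "2022-05-01", "amount": 84.12, "category": "tools"},
    {"email": "bob@example.net", "date": "2022-05-02", "amount": 19.99, "category": "garden"},
    {"email": "carol@example.org", "date": "2022-05-03", "amount": 240.00, "category": "appliances"},
]
PLATFORM_ACCOUNTS = {
    "alice.example@example.com": "account-1001",
    "bob@example.net": "account-1002",
    # carol has no account on the platform, so her receipt cannot be matched
}


def build_platform_index(accounts):
    """The platform indexes its own users by the same unkeyed hash."""
    return {hash_email(addr): acct for addr, acct in accounts.items()}


def match_receipts(receipts, platform_index):
    """Simulate the cross-party match.

    The retailer ships only the hash plus purchase details; the platform
    resolves each hash to an account where it has one. The raw address never
    crosses the boundary, yet the purchase is attributed to a named account.
    """
    matched = {}
    for receipt in receipts:
        acct = platform_index.get(hash_email(receipt["email"]))
        if acct is not None:
            purchase = {k: v for k, v in receipt.items() if k != "email"}
            matched.setdefault(acct, []).append(purchase)
    return matched


if __name__ == "__main__":
    index = build_platform_index(PLATFORM_ACCOUNTS)
    for acct, purchases in match_receipts(RETAILER_RECEIPTS, index).items():
        print(acct, purchases)
    # With per-party keys, the same address yields unlinkable values.
    print(keyed_hash_email("bob@example.net", b"retailer-secret")
          == keyed_hash_email("bob@example.net", b"platform-secret"))
```

The design point for a privacy review: if the purpose is that the receiving party should be able to attribute purchases to its users, hashing cannot be described to customers as anonymization, and the consent analysis has to be done on the assumption that the receiving party can identify them.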


  • 12 Dec 2022 9:34 AM | CAN-TECH Law (Administrator)

    Ontario Court of Appeal holds that accused had no standing to challenge search of vehicle he rented under a false name

    In R. v. Dosanjh, the accused was convicted of first degree murder, arising from having shot the victim and escaped in a “getaway car” moments later. Among the evidence against him was data taken from the vehicle’s “infotainment system” that, among other things, tracked the movement of the car. At trial the tracking data was admitted after the trial judge refused to exclude the evidence despite finding a breach of s. 8 of the Charter. On appeal, the accused argued that the trial judge had made various errors in this analysis, and the Crown countered with the argument that, since the accused had rented the car using a false name, the trial judge had erred in finding the accused even had standing to raise the s. 8 breach. The Court of Appeal agreed with the Crown, holding that the trial judge had erred in finding that the accused’s subjective expectation of privacy in the data was also objectively reasonable, and without this the accused had no standing to argue the breach.

    For the Court Fairburn ACJO held:

    [124]   Not all biographical core information is made equal. In relation to each set of data, the trial judge should have calibrated the degree to which the appellant’s biographical core of personal information was engaged. We are not talking here about medical records, private communications or the like, all of which presumptively contain a high degree of personal information. Rather, we are talking about information that rests further down the privacy line.

    [125]   As for the contact list, it was not even the appellant’s contact list. While it may have held the appellant’s number and name, thereby connecting the appellant to Mr. Passi, there was nothing more that could have engaged the appellant’s privacy interest.

    [126]   While I accept that GPS data stored in an Infotainment system can inform where a car was and, by implication, where the driver was during a specific period of time, it is really just a form of tracking data. To this end, it has been long established that tracking information “is a less intrusive means of surveillance than electronic audio or video surveillance”: R. v. Wise, [1992] 1 S.C.R. 527, at para. 48. The somewhat diminished privacy interest engaged by tracking data is reflected in the fact that, even where an individual has standing in relation to that data, the police can obtain a judicial authorization to have it produced on the lower standard of “reasonable grounds to suspect”: Criminal Code, ss. 487.017. As well, also engaging the lesser standard of suspicion, the police can obtain an authorization to install a tracking device on a vehicle and have that vehicle tracked in real time for lengthy periods: Criminal Code, s. 492.2(1).

    [127]   Therefore, there exists both a jurisprudential and legislative recognition that, while tracking data may engage a biographical core of personal information, that data rests a good distance away from the more intimately personal end of the privacy spectrum. As part of the “totality of circumstances”, the trial judge should have considered these factors when calibrating the objective reasonableness of the appellant’s subjective privacy interest.

    [128]   As well, the trial judge should have considered other factors informing the objective analysis. What is absent from his reasoning is how the appellant came to be in possession of the QX60 – which was relevant to an assessment of both the place where the search occurred and the appellant’s control over the subject matter.

    [129]   It was the appellant’s burden to establish on a balance of probabilities that he had a reasonable expectation of privacy in the subject matter of the search. Although he did not have to demonstrate a proprietary interest in the vehicle, he had to establish something beyond a tenuous connection to it…. By holding himself out to the rental agency as Jaspinder Nagra – personating Jaspinder Nagra – the appellant came into fraudulent possession of the QX60, thereby rendering his connection to the vehicle tenuous at best. Not only was the appellant in unlawful possession of the QX60 when it was collecting and storing data on the Infotainment system, but he had no colour of right over the vehicle – no excuse for his possession. In short, he could neither use the car nor exclude others from it. 

    [130]   In fact, and in the most minimalist of terms, he was a trespasser in the QX60 when it was collecting and storing the subject matter of the search: Simpson, at paras. 50-51; R. v. Caza, 2005 BCCA 318, 198 C.C.C. (3d) 273, at paras. 32-33. The fact that the appellant fraudulently accessed the place and his lack of control over the QX60 – without a colour of right – are relevant circumstances informing whether he could objectively expect privacy in the data generated by his use of the QX60.

    [134]   The question is whether Canadians ought to have a reasonable expectation of privacy in GPS data and the contents of a friend’s contact list, all of which has been created and stored in a vehicle they have, in essence, stolen. The answer to this question does not depend on whether the information contains evidence of illegal activity.

    [135]   The answer to this question is: “no”.

    [136]   Although a person may reasonably expect that, barring prior judicial authorization, the tracking data produced by a car that they drive will be protected from state seizure, that expectation is not objectively reasonable here because the appellant had no right to possess or use the car that produced that data. In addition to other considerations, the appellant cannot plausibly assert that his dignity, integrity, or autonomy are at stake when his claim to privacy hinges on the very fraud that he committed to obtain that car in the first place: Chow, at para. 34.

    [137]   I do not doubt that the appellant desired privacy and hoped for it; that is clear from his subterfuge in obtaining the car. The appellant hoped to avoid detection; he hoped that however the car was used, it could not be traced back to him. But that is a far cry from establishing a reasonable expectation that he was entitled to privacy: R. v. Van Duong, 2018 ONCA 115, at para. 7.

    [138]   In all of these circumstances, including the nature of the subject matter, the place where the search occurred and the appellant’s lack of control over the subject matter, I conclude that the appellant did not have a reasonable expectation of privacy in the subject matter of the search.

  • 12 Dec 2022 9:34 AM | CAN-TECH Law (Administrator)

    American Bar Association publishes formal opinion providing caution regarding cc’ing clients on emails

    On 2 November 2022 the American Bar Association’s Standing Committee on Ethics and Professional Responsibility (the “Committee”) issued its Formal Opinion No. 503, which deals with the use of “reply all” in email communications by lawyers. The opinion begins by noting the obligation on counsel not to communicate directly with represented parties without the consent of that party’s counsel (unless legal or ethical obligations require it), usually referred to as the “no contact rule.” It then observes that some disputes have arisen around situations where counsel for a party sends an email to an opposing lawyer and cc’s the client on the email. If the opposing lawyer responds to the email using “reply all,” has that lawyer breached the no contact rule? At the state regulatory level, the view had been expressed that the cc’ing of the client in the email did not necessarily mean that the sending lawyer was waiving the no contact rule, but that such waiver could be implied in some circumstances.

    The Committee felt this situation was unsatisfactory, as it muddies the interpretation of the Rule, making it difficult for receiving counsel to discern the proper course of action or leaving room for disputes. It concluded that: “given the nature of the lawyer-initiated group electronic communication, a sending lawyer impliedly consents to receiving counsel’s “reply all” response that includes the sending lawyer’s client, subject to certain exceptions...” This was justified on a number of grounds. First, a lawyer who brings a client in on a physical meeting or conversation with an opposing lawyer is impliedly waiving the rule and it would be reasonable for the opposing lawyer to think so, and the same logic should apply here. The purpose of the no contact rule is to prevent the opposing lawyer from “overreaching or attempting to pry into confidential lawyer-client communications,” and the obligation is and should be on the sending lawyer to impose clarity on the situation and not undermine this purpose. It is fairer and more efficient to impose the burden on the sending lawyer, and resolving the issue is simpler for the sending lawyer.

    The Committee did note that the presumption of consent was rebuttable, by “an express oral or written remark” indicating lack of consent. Also:

    the presumption applies only to emails or similar group electronic communications, such as text messaging, which the lawyer initiates. It does not apply to other forms of communication, such as a traditional letter printed on paper and mailed. Implied consent relies on the circumstances, including the group nature and other norms of the electronic communications at issue. For paper communications, a different set of norms currently exists.

  • 12 Dec 2022 9:33 AM | CAN-TECH Law (Administrator)

    Amendments made to satisfy requirements of the CUSMA trade agreement

    A provision tucked into the Budget Implementation Act, 2022 amends the Copyright Act to extend terms of copyright protection, including the general term, from 50 to 70 years after the life of the author, giving effect to one of Canada’s obligations under the Canada–United States–Mexico free trade agreement. The general term, contained in s. 6 of the Copyright Act, will be replaced with the following:

    Term of copyright

    6 Except as otherwise expressly provided by this Act, the term for which copyright subsists is the life of the author, the remainder of the calendar year in which the author dies, and a period of 70 years following the end of that calendar year.

    Order in Council 2022-2019, published on November 17, 2022, has fixed December 30, 2022 as the date on which these amendments come into effect. Notably, by virtue of the transitional provisions contained in s. 280, the change from a 50 to a 70 year term will not revive any copyrights that have expired before the coming-into-force date.

  • 12 Dec 2022 9:32 AM | CAN-TECH Law (Administrator)

    Revelations of the use of facial recognition and spyware by the RCMP result in a long list of recommendations and a call for accountability

    The House of Commons’ Standing Committee on Access to Information, Privacy and Ethics (also known as “ETHI”) has had a busy few months examining how Canadian police have been using, or have considered using, particularly intrusive technologies and techniques to advance their investigations. In two separate studies and reports, the Committee examined the use of facial recognition and artificial intelligence technology (report) and the use of so-called on-device investigative tools (report), principally by the Royal Canadian Mounted Police.

    The review of the use of facial recognition by the Committee followed media reports and a Privacy Commissioner Investigation into the practices of Clearview AI. The company was actively crawling social media websites and ingesting billions of photos into its databases, analyzing them biometrically and then providing a service mainly to police agencies which it touted could identify a person or a suspect in any image. Initially the RCMP denied that it had used the company’s facial recognition services, but ultimately admitted they had trialed it. The Commissioner concluded that the images would have been harvested in contravention of Canadian law and that the RCMP should only use services where the underlying data had been lawfully compiled. 

    Among its 19 recommendations, the Committee recommended tighter regulation of the use of the technology both in the public and the private sectors, that there be a moratorium imposed on the use of facial recognition by the police until a framework for review has been approved and that there be a much more transparent approach to the use of facial recognition and artificial intelligence in the public sector. Scrutiny by the Committee and the Privacy Commissioner are credited with prompting the RCMP to establish a “National Technology Onboarding Program” to review police use and adoption of new technology and investigative tools. 

    The same Committee carried out a study of the police use of spyware as an investigative tool after documents tabled in Parliament disclosed that the RCMP had been using “on-device investigation tools” (or “ODITs”), akin to spyware, for some years. This coincided with media reporting on an Israeli cybersurveillance company, NSO Group, and its software called “Pegasus”, which has reportedly been widely used against journalists, lawyers and politicians.

    In testimony before the Committee, the RCMP stated that ODITs provide law enforcement agencies with the capability to secretly collect private communications and other data that can no longer be obtained through conventional wiretap activities or other less intrusive investigation techniques. 

    A range of witnesses commented on the fact that the use of ODITs relies on vulnerabilities existing in devices and operating systems that manufacturers are likely not aware of. If they exist on suspects’ devices, they exist on the devices of many others. As a result, they can be exploited by a range of actors, both foreign and domestic. The Privacy Commissioner confirmed that his office had not been consulted at any time regarding the use of this invasive technology.

    The recommendations of this study closely parallel, thematically, the recommendations of the facial recognition study. They focus on increased accountability, increased scrutiny and increased transparency about the use of these tools. The Committee recommended a review of the provisions of Criminal Code related to the interception of private communications and the creation of an independent advisory body composed of relevant stakeholders from the legal community, government, police and national security, civil society, and relevant regulatory bodies to review new technologies used by law enforcement and to establish national standards for their use.

  • 12 Dec 2022 9:04 AM | CAN-TECH Law (Administrator)

    “Intrusion” privacy tort does not apply to third party hacking claims

    Ontario CA determines that the defendant must be the party who did the intruding

    The Ontario Court of Appeal, in considering a trilogy of cases together, has definitively determined that the privacy tort of “intrusion upon seclusion” does not apply to a defendant whose information systems were intruded upon by a malicious third party. The three cases were heard together, with three sets of reasons issued: Winder v Marriott International, Inc., Obodo v Trans Union of Canada, Inc. and Owsianik v Equifax Canada Co.

    In the landmark case of Jones v Tsige, the Ontario Court of Appeal had determined that the “Prosser privacy torts” exist in Ontario common law, including the tort of intrusion upon seclusion. Since then, numerous privacy class actions have been brought, many of which have pled this privacy tort. The question of whether this tort can be the basis of liability for a company that is itself a victim of a third party’s act has rested on the meaning of the word “reckless” in the articulation of the elements of the cause of action from Jones:

    [71] The key features of this cause of action are, first, that the defendant's conduct must be intentional, within which I would include reckless; second, that the defendant must have invaded, without lawful justification, the plaintiff's private affairs or concerns; and third, that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. However, proof of harm to a recognized economic interest is not an element of the cause of action. I return below to the question of damages, but state here that I believe it important to emphasize that given the intangible nature of the interest protected, damages for intrusion upon seclusion will ordinarily be measured by a modest conventional sum. [emphasis added]

    Plaintiffs in such data breach class actions have argued that the breaches are the result of the defendant’s recklessness, usually with respect to the handling or safeguarding of personal information. 

    The most extensive reasons in the trilogy of cases were given by Justice Doherty in Owsianik. In all three cases, the question before the courts below was whether to certify the proposed class actions, which requires that there be a legally viable claim. The plaintiffs had experienced varied success in the courts below. 

    In its analysis of the intrusion tort, the Court summarized the elements and explicitly categorized the conduct, state of mind and consequences requirements:

    [54] The elements of the tort of intrusion upon seclusion are laid down in Jones, at para. 71. I would describe them as follows:

    • the defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse [the conduct requirement];
    • the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly [the state of mind requirement]; and
    • a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation or anguish [the consequence requirement].

    The plaintiff argued that the state of mind requirement was applicable to the defendant, Equifax in this case. The Court disagreed: the state of mind requirement applies to the “intruder”.

    [59] Ms. Owsianik’s submission misunderstands the relationship between the two elements of the tort. The first element, the conduct requirement, requires an act by the defendant which amounts to a deliberate intrusion upon, or invasion into, the plaintiffs’ privacy. The prohibited state of mind, whether intention or recklessness, must exist when the defendant engages in the prohibited conduct. The state of mind must relate to the doing of the prohibited conduct. The defendant must either intend that the conduct which constitutes the intrusion will intrude upon the plaintiffs’ privacy, or the defendant must be reckless that the conduct will have that effect. If the defendant does not engage in conduct that amounts to an invasion of privacy, the defendant’s recklessness with respect to the consequences of some other conduct, for example the storage of the information, cannot fix the defendant with liability for invading the plaintiffs’ privacy.

    The Court noted that Equifax may be liable to the plaintiff on some other basis, but not as an intruder of the plaintiff’s privacy. 

    [61] …. Equifax’s negligent storage of the information cannot in law amount to an invasion of, or an intrusion upon, the plaintiffs’ privacy interests in the information. Equifax’s recklessness as to the consequences of its negligent storage cannot make Equifax liable for the intentional invasion of the plaintiffs’ privacy committed by the independent third-party hacker. Equifax’s liability, if any, lies in its breach of a duty owed to the plaintiffs, or its breach of contractual or statutory obligations.

    The plaintiffs argued that the tort of intrusion upon seclusion should be extended to clearly be applicable to the “Database Defendants”, otherwise the plaintiffs would be without a remedy in these circumstances. This was dismissed by the Court of Appeal:

    [79] The plaintiffs’ “no remedy” argument really comes down to the assertion that because the remedies available in contract and negligence require proof of pecuniary loss, the plaintiffs who cannot prove pecuniary loss are left with no remedy. With respect, this is not what the court meant in Jones when it described the plaintiff as being without remedy. The plaintiffs here are in the same position as anyone else who advances the kind of claim the plaintiffs have advanced here. Because the claim sounds in negligence and contract, the plaintiffs must prove pecuniary loss. The plaintiffs’ position is miles away from the predicament faced by the plaintiff in Jones.

    [80] While it cannot be said the plaintiffs are left without a remedy, it is true that the inability to claim moral damages may have a negative impact on the plaintiffs’ ability to certify the claim as a class proceeding. In my view, that procedural consequence does not constitute the absence of a remedy. Procedural advantages are not remedies.

    The court finally noted, before dismissing the appeal, that if Parliament or the provincial legislatures wanted to extend the law so far as to provide moral damages in cases like this, they are able to do so.

  • 8 Nov 2022 5:03 PM | CAN-TECH Law (Administrator)

    We had a wonderful turnout at the 2022 CAN-TECH Law Fall conference November 2-3, 2022 at the Sheraton Centre Toronto Hotel.


  • 16 Sep 2022 6:00 PM | CAN-TECH Law (Administrator)

    Recommendations are limited to improving processes outside of the courts

    The province of Nova Scotia has completed its legislated review of the Intimate Images and Cyber-protection Act, with feedback resulting in a dozen recommendations. The Act replaced the province’s Cyber-safety Act, which was struck down in its entirety in 2015 by the Nova Scotia Supreme Court in Crouch v Snell, which found the former law violated sections 2(b) and 7 of the Charter of Rights and Freedoms. 

    The original law created a CyberScan unit within the Department of Public Safety to assist victims of cyberbullying, which was continued in the new legislation. Individual recourse to the courts was continued, but through a much more arduous formal application process to the Nova Scotia Supreme Court (the ex parte procedures in the previous law were found to violate the principles of fundamental justice). All of the recommendations put forward by the review group focus on augmenting and improving the CyberScan unit, including:

    • improving legal, mental health and crisis supports for victims;

    • creating a centralized, trauma-informed referral process for victims seeking advice and support; and

    • improving training for CyberScan staff, who help victims understand their options and navigate the justice system.

    None of the recommendations address access to the courts for legal relief on behalf of victims of cyber-bullying and the non-consensual distribution of intimate images.

    Nova Scotia remains the only province with a specific law to address cyberbullying, while other provinces have enacted statutes that are restricted to providing legal relief for victims for the non-consensual distribution of intimate images.

  • 16 Sep 2022 5:59 PM | CAN-TECH Law (Administrator)

    Breach notification and reporting obligations come into effect on September 22, 2022

    As part of its significant overhaul of the Act respecting the protection of personal information in the private sector in Bill 64 (now also known as Law 25), Québec has introduced mandatory reporting and notification related to data breaches. The provisions in section 3.5 of the Bill will come into effect on September 22, 2022. The provisions are similar to those found in the Personal Information Protection and Electronic Documents Act (Canada) and the Personal Information Protection Act (Alberta), but not surprisingly use different terminology.

    Regulated businesses will be required to promptly notify the Commission d’accès à l’information (“CAI”), as well as the affected individuals, whenever such businesses experience a “confidentiality incident” that poses a “risk of serious injury” to an individual. This is similar to a “breach of security safeguards” that results in a “real risk of significant harm” under PIPEDA. Again, similar to PIPEDA, businesses will be required to keep a register of all confidentiality incidents in the manner prescribed by regulation, regardless of the risk of injury.

    On June 29th, 2022, a draft regulation regarding confidentiality incidents was published in the Gazette officielle du Québec. The Draft Bill 64 Regulation provides businesses with details related to the content of the new notification and record-keeping requirements. Interestingly, the new regulation also applies to public sector organizations. 

    Reports to the regulator must include:

    (1) the name of the body affected by the confidentiality incident and any Québec business number assigned to such body under the Act respecting the legal publicity of enterprises (chapter P-44.1);

    (2) the name and contact information of the person to be contacted in that body with regard to the incident;

    (3) a description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description;

    (4) a brief description of the circumstances of the incident and what caused it, if known;

    (5) the date or time period when the incident occurred or, if that is not known, the approximate time period;

    (6) the date or time period when the body became aware of the incident;

    (7) the number of persons concerned by the incident and the number of those who reside in Québec or, if that is not known, the approximate numbers;

    (8) a description of the elements that led the body to conclude that there is a risk of serious injury to the persons concerned, such as the sensitivity of the personal information concerned, any possible ill-intentioned uses of such information, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes;

    (9) the measures the body has taken or intends to take to notify the persons whose personal information is concerned by the incident, pursuant to the second paragraph of section 63.8 of the Act respecting Access to documents held by public bodies and the Protection of personal information or the second paragraph of section 3.5 of the Act respecting the protection of personal information in the private sector, and the date on which such persons were notified, or the expected time limit for the notification;

    (10) the measures the body has taken or intends to take after the incident occurred, including those aimed at reducing the risk of injury or mitigating any such injury and those aimed at preventing new incidents of the same nature, and the date on which the measures were taken or the expected time limit for taking the measures; and

    (11) if applicable, an indication that a person or body outside Québec that exercises similar functions to those of the Commission d’accès à l’information with respect to overseeing the protection of personal information has been notified of the incident.

    Notably, and unlike PIPEDA and PIPA, the regulations create a requirement to keep the CAI updated as more information relevant to (1) through (11) becomes known. 

  • 16 Sep 2022 5:58 PM | CAN-TECH Law (Administrator)

    CRA security failure resulted in hackers’ access to thousands of accounts for CERB fraud

    The Federal Court of Canada in Sweet v Canada has certified a negligence, breach of confidence and intrusion upon seclusion class action against the Canada Revenue Agency in connection with widespread “My CRA” account takeovers during the pandemic. Of particular interest is that the class was defined to exclude individuals who had provided their personal information to a BC law firm that first filed its claim and then was itself subject to a cybersecurity incident that may have exposed class member information. 

    During the summer of 2020, a large number of “My CRA” accounts were compromised and accessed by unknown third parties. The compromised accounts had their banking and direct deposit information changed and many accounts were enrolled in benefits programs, such as the Canada Emergency Response Benefit. The threat actors were also able to access sensitive personal information contained in the accounts, such as addresses, birthdates, employment details and Social Insurance Numbers.

    A BC law firm quickly filed a putative class action in the Federal Court. In April 2021, that firm was itself the victim of a data breach that potentially exposed the personal information of potential class members. The government filed a motion to have the action stayed because it was proposing a third party claim against the law firm for contribution and indemnity for any persons whose information was exposed by both the government and the law firm. That third party claim would not be within the jurisdiction of the Federal Court. As a result, the first law firm withdrew and a second law firm began carriage of the case, and amended the pleadings to narrow the class of plaintiffs to exclude those whose information may have been exposed in the law firm data breach. A new representative plaintiff was substituted. 

    The Court described the incidents which resulted from an apparent failure on the part of CRA:

    [66] In the summer of 2020, GCKey and CRA’s My Account were the subject of what the cybersecurity industry describes as a “credential stuffing attack” by a threat actor, predominantly targeting CRA and ESDC as a means of fraudulently applying for COVID relief benefits (CERB and the Canada Emergency Student Benefit [CESB]) that had been introduced by the Government in the spring of 2020. Credential stuffing is a form of cyber attack that relies on the use of stolen credentials (username and password) from one system to attack another system and gain unauthorized access to an account. This type of attack relies on the reuse of the same username and password combinations by people over several services. Threat actors sell lists of credentials on the Dark Web. Credential stuffing usually refers to the attempt to gain access to many accounts through a web portal using an automated bot system rather than manually entering the credentials. On dates in July 2020, CRA’s My Account experienced large numbers of failed logins, which have since been identified as a precursor to, or otherwise part of, a credential stuffing attack against that service.

    [67] A threat actor attempting to access a particular My Account through credential stuffing would typically have encountered the requirement to successfully answer one of the five security questions selected by the user. However, during the attack that occurred in the summer of 2020, the threat actor(s) were able to bypass the security questions, and access My Account, because of a misconfiguration in CRA’s credential management software. CRA learned of this method to bypass the security questions on August 6, 2020, when it received a tip from a law enforcement partner that such a method was being sold on the Dark Web. Among other steps taken to respond to the data breach, CRA subsequently identified the relevant misconfiguration in its software, which it remedied on or about August 10, 2020.

    [68] In the meantime, at least 48,110 My Accounts were impacted by the unauthorized use of credentials, meaning that the threat actor was able to enter a valid CRA user ID and password. Of those 48,110 My Accounts, 21,860 involved no progress by the threat actor beyond entering the ID and password, such that the threat actor did not access the accounts. This is potentially understood as a stage of the attack in which the threat actor was ensuring that the credentials worked. The threat actor(s) actually logged in to 26,250 My Accounts. In 13,550 of the My Accounts, although the security question bypass was used, the threat actor only viewed the homepage, meaning that some personal information was accessed, but no application was submitted for CERB. In 12,700 of the My Accounts, the threat actor changed the relevant taxpayer’s direct deposit banking information and fraudulently applied for CERB.

    The plaintiffs sought to certify the class action on the basis of systemic negligence, breach of confidence and intrusion upon seclusion. The court noted that there were differing authorities on whether these causes of action could be applicable in circumstances such as these, but overall found that this area of law continues to develop and that the plaintiff’s claims were not bound to fail, based on the pleadings. 
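The court’s findings above describe two observable signals a defender can act on: a burst of failed logins spread across many distinct usernames from one source (the credential-stuffing precursor noted at paragraph [66]), and sessions that became active without the security-question step ever being passed (the bypass at paragraph [67]). The following added example, which is not code from the CRA, the court or the parties, runs both checks over constructed authentication log lines. The log format, field names, event names (`password`, `question`, `session`) and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format for the example: one authentication event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) event=(?P<event>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log: one source cycles through many usernames, gets a hit
# and reaches a session without answering a question; a normal user mistypes
# once, then completes password and question steps before the session starts.
SAMPLE_LOG = """
2020-07-15T02:00:01Z src=203.0.113.5 user=u1001 event=password result=fail
2020-07-15T02:00:02Z src=203.0.113.5 user=u1002 event=password result=fail
2020-07-15T02:00:03Z src=203.0.113.5 user=u1003 event=password result=fail
2020-07-15T02:00:04Z src=203.0.113.5 user=u1004 event=password result=fail
2020-07-15T02:00:05Z src=203.0.113.5 user=u1005 event=password result=fail
2020-07-15T02:00:06Z src=203.0.113.5 user=u1006 event=password result=ok
2020-07-15T02:00:07Z src=203.0.113.5 user=u1006 event=session result=ok
2020-07-15T02:10:00Z src=198.51.100.9 user=u2001 event=password result=fail
2020-07-15T02:10:20Z src=198.51.100.9 user=u2001 event=password result=ok
2020-07-15T02:10:35Z src=198.51.100.9 user=u2001 event=question result=ok
2020-07-15T02:10:36Z src=198.51.100.9 user=u2001 event=session result=ok
"""


def parse(lines):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def stuffing_sources(events, window=timedelta(minutes=5), min_failures=5, min_users=3):
    """Flag sources whose failed password attempts within a sliding window span many usernames.

    Returns {source: max distinct usernames seen failing in one window}. A single
    user mistyping repeatedly does not trip this, because distinct users are counted.
    """
    fails_by_src = defaultdict(list)
    for ev in events:
        if ev["event"] == "password" and ev["result"] == "fail":
            fails_by_src[ev["src"]].append(ev)
    flagged = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            chunk = fails[start:end + 1]
            users = {e["user"] for e in chunk}
            if len(chunk) >= min_failures and len(users) >= min_users:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged


def question_bypasses(events):
    """Flag (source, user) pairs whose session started without a passed security question.

    The expected order is password ok -> question ok -> session ok; any session
    that starts from another state means the question step was skipped.
    """
    stage = {}
    bypassed = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["event"] == "password":
            stage[key] = "password_ok" if ev["result"] == "ok" else "none"
        elif ev["event"] == "question" and ev["result"] == "ok":
            if stage.get(key) == "password_ok":
                stage[key] = "question_ok"
        elif ev["event"] == "session" and ev["result"] == "ok":
            if stage.get(key) != "question_ok":
                bypassed.append(key)
            stage[key] = "none"
    return bypassed


def analyze(text):
    """Run both detections over raw log text and return their findings together."""
    events = parse(text.splitlines())
    return {"stuffing": stuffing_sources(events), "bypass": question_bypasses(events)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The second check is the more important one here: rate-based alerting would have fired on the July failed-login surge, but only a control that verifies every authentication step actually completed (rather than trusting the session flag) would have revealed that the security-question step was being skipped before a tip arrived from outside.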


Canadian Technology Law Association

1-189 Queen Street East

Toronto, ON M5A 1S2

Copyright © 2023 The Canadian Technology Law Association, All rights reserved.