Questions? Call 416-367-4222
Picture of computer with cursor on security button

Published: February 3, 2023

Last Updated: February 3, 2023

On August 25 of 2022, the Federal Court of Canada (the Federal Court) in Sweet v Canada, 2022 FC 1228 certified a class action suit against the Government of Canada (CRA). It is the latest privacy class action to be certified by the Federal Court of Canada in which the Government of Canada is being sued for its negligent failure to safeguard personal and financial data from third party hackers.

Class action lawsuit brought by Todd Sweet, who is one of the thousands of Canadian taxpayers affected by Cyber Attacks

In the summer of 2020, as per the facts of the evidence presented in the motion, 48,110 Canada Revenue Agency (CRA) My Accounts were impacted by unauthorized use of credentials, with 12,700 of those accounts showing evidence of being used for fraud. CRA My Account is a secure portal that lets taxpayers view personal income tax and benefit information and manage their tax affairs online.  Similarly, the evidence indicates that 5,957 accounts across several Enabled Services of Employment and Social Development Canada (EDSC) were potentially impacted by the data breach, including 3,200 compromised MSCA’s that were used to access CRA My Accounts via link between My Service Canada Account (MSCA) and CRA. 1,200 of these accounts were used to apply for Canada Emergency Response Benefit (CERB) or other COVID-related benefits.

The Plaintiff, Todd Sweet, is the class representative for this class action suit. He is a resident of Clinton, British Columbia. He asserts that, on July 2, 2020, he logged in to his CRA online account after receiving emails notifying him that his email address had been removed from his account. He discovered that his direct deposit information had been changed and that, on June 29, 2020, using his account, an unknown and unauthorized individual had made four applications for the CERB, a program initiated by the government to provide financial assistance to qualifying Canadians during the COVID-19 pandemic.

BASIS OF THE PRIVACY BREACH LAWSUIT AGAINST CRA

The Canadian tax litigation lawyer on behalf of the taxpayers seek judicial relief from the Federal Court against the CRA based on the torts of:

  1. systemic negligence,
  2. breach of confidence, and
  3. intrusion upon seclusion; as well as invoking the
  4. vicarious liability provisions of the Crown Liability and Proceedings Act, RSC 1985, c C-50.

The taxpayers allege that CRA due to operational failures, failed to properly secure the online portals providing access to these accounts. Furthermore, the taxpayer also asserts that the measures taken by the CRA at the end of 2020 to protect its databases, systems, and other relevant online accounts should have been taken prior to the unauthorized data breaches.

The taxpayers claimed damages due to their privacy breach on various grounds

The taxpayer’s claim that they have suffered damages including: costs incurred in preventing identify theft; identify theft, increased risk of identity theft; damaged to credit reputation; mental distress and comparable effects; monies withdrawn from their bank account without their consent; loans applied for in their names without their consent; credit card fraud; inability to access benefits and payments they were entitled to and other losses resulting therefrom; out-of-pocket expenses; time lost in communication with the CRA, ESDC and other Crown agencies to address the data breaches; and time lost in precautionary communication with third parties such as credit agencies to inform them of the potential that personal and financial information may have been compromised.

The Test for Certification in the Federal Court of Appeal where the subject matter of the class action is an application for judicial review

The test for certification in a proposed class action before the Federal Court of Canada is set out in the Rules 334.16(1) and (2) of the Federal Court Rules. It states that a judge shall certify a proceeding as a class proceeding if:

  1. The pleadings disclose a reasonable cause of action.
  2. There is an identifiable class of two or more persons.
  3. The claims of the class members raise common questions of law or fact, whether or not those common questions predominate over questions affecting only individual members.
  4. A class proceeding is the preferable procedure for the just and efficient resolution of the common questions of law or fact.
  5. There is a representative plaintiff or applicant who:
    1. would fairly and adequately representative the interest of the class
    2. has prepared a plan for the proceeding that sets out a workable method of advancing the proceeding on behalf of the class and of notifying class members as to how the proceeding is progressing.
    3. does not have on the common questions of law or fact, an interest that is in conflict with the interests of other class members, and
    4. provides a summary of any agreements respecting fees and disbursements between the representative plaintiff or applicant and the solicitor of record.

COMMON QUESTIONS IN THIS CLASS ACTION SUIT:

The following issues are certified as common questions of law or fact for the class:

  1. Systemic Negligence
    1. Did the defendant owe the Class a duty of care?
    2. If so, what was the applicable standard of care?
    3. Did the Defendant breach the applicable standard of care?
    4. Did the Defendant’s breach of duty cause damage to the Class?
  1. Breach of Confidence
    1. Is the Defendant liable for the tort of breach of confidence vis-à-vis Class Members?
  2. Intrusion upon Seclusion
    1. Is the Defendant liable for the tort of intrusion upon seclusion vis-à-vis Class Members?
  3. Damages
    1. Can the Court make an aggregate assessment of all, or part of the damages suffered by Class Members and, if so, in what amount?

Preferable Procedure in Class Action Suits in order to maximise litigation efficiency and judicial economy

With the respect to the preferable procedure criteria, the court noted that the CRA had offered no alternative to the class action mechanism. In the absence of a class action, the court noted that the only apparent option for claimants who would otherwise be Class Members would be to bring individual actions against the CRA. Based on the nature of the damages claimed, the court concluded that such actions would likely be uneconomic, effectively leaving claimants with no alternative at all. In assessing the three goals of class proceeding, access to justice, judicial economy, and behaviour modification, the court found the action met all three goals.

“Access to justice is achieved in circumstances where such access would otherwise likely be unavailable due to the applicable economics. Judicial economy is achieved because there are at least some aspects of the litigation that can be advanced in common, and therefore, will not require repetition multiple times. By way of example, evidence surrounding the Defendant’s policies, practices and the manner in which the 2020 cyber incidents occurred can be adduced only once rather than potentially thousands of times.

With respect to the goal of behaviour modification, the CRA submits that it followed all appropriate steps once it learned it was the victim of a breach and that behaviour modification, therefore, has no application, I agree with the taxpayers’ response to this argument. Behaviour modification is intended to prevent breaches from occurring in the first place by creating the motivation to take place proactive steps to avoid such events.”

  • Judge Richard F. Southcott, Sweet v Canada, 2022 FC 1228 at paras 186-187.

Todd Sweet: Decision of the Federal Court on Representative Taxpayer for the Class Action Suit against CRA and the Litigation Plan of the Taxpayer for achieving maximum amount of damages

The Federal Court concluded the proposed representative taxpayer put forward was appropriate in satisfaction of the final certification criteria. While the court noted the taxpayers’ litigation was relatively generic and does not engage in any substantive way with the potential issues upon which many of the defendant’s arguments focus, the court was not convinced that the plan was so inadequate that it should decline to certify the class proceeding.

What can we expect to happen next, in times when our confidential information is at an ever-increasing risk due to sophisticated cyber attacks

As instances of cyber crime and tax fraud has increased in recent times, it is inevitable that an influx of proposed privacy class actions has and will continue to follow. However, only a few privacy class action cases have made it past the certification motion stage.

As the certification judge stated in his decision, the court will look critically at the individual facts of the case against the certification criteria, and where appropriate, distinguish the case from the growing body of privacy jurisprudence. Here the court accepted that not all online Government of Canada accounts that were accessed in the data breaches would necessarily have contained sensitive information and that some taxpayers’ accounts suffered a higher level of intrusion than others. However, the court was reluctant to find that these potential differences among taxpayers’ claims amounted to an impediment to certification. Where individual issues may arise, the court noted the procedural mechanism afforded under Federal Court Rule 334.26 could address the determination of any individual issues that may remain following a judgement on the common issues.

For potential defendants, regardless of whether an action is brought as a class proceeding or not, this case will be one to watch regarding the question of whether a person or entity that holds personal information can be liable for intrusion upon seclusion when they suffer a cyber attack if they have been reckless or acted in bad faith in their efforts to protect the data.

Pro Tax Tip

Our top Toronto Tax Lawyers suggest several measures taxpayers can take to enhance CRA related cyber security. The taxpayers who have online CRA accounts should add email notifications to their account as an “additional level of security” should they not have that option already. These notifications act as an early warning to Canadian taxpayers of potential breaches to their account. In addition to above, the taxpayers should use unique passwords for all online accounts and use two-factor authentication when available. Moreover, the taxpayers should monitor their online accounts for any suspicious activity.

You can read more on these guidelines here.

FAQs

 1. What is a “credential stuffing” scheme?

It is a type of a cyberattack that uses passwords and usernames from other websites to access accounts with another website, such as CRA in this case.

 2. What should the taxpayers who have been impacted by cyber attacks do?

The taxpayer should contact CRA immediately. The CRA will provide assistance and credit protection if necessary. In addition to this, the taxpayer can also hire an experienced Canadian tax lawyer to ensure that your rights are protected, and your case is presented in front of the concerned authorities in the best possible way.

Disclaimer:

“Only general information is provided in this article. Only as of the publishing date is it current. It hasn’t been updated; therefore, it might no longer be relevant. It cannot or ought not to be relied upon because it does not offer legal advice. Each tax circumstance is unique to its facts and will be different from the instances described in the articles. You should contact a lawyer if you have specific legal inquiries.”

Disclaimer:

"This article provides information of a general nature only. It is only current at the posting date. It is not updated and it may no longer be current. It does not provide legal advice nor can it or should it be relied upon. All tax situations are specific to their facts and will differ from the situations in the articles. If you have specific legal questions you should consult a lawyer."

Get your CRA tax issue solved


Address: Rotfleisch & Samulovitch P.C.
2822 Danforth Avenue Toronto, Ontario M4C 1M1