Certification of a national class action was sought following a significant data breach involving Mackenzie Financial Corporation and its subcontractor, Investorcom Holdings ULC.
The main legal questions concern whether the defendants owed a duty of care to protect clients’ personal information and whether that duty was breached.
Jurisdictional complexities arose due to parallel class actions in British Columbia and differing provincial privacy statutes.
The court considered if statutory remedies under provincial privacy laws could be granted by an Ontario court, ultimately declining to certify claims for such statutory remedies.
The adequacy of remedial measures taken by the defendants and the potential for aggregate or punitive damages were central to the common issues.
Certification was granted for a national class, with the final class definition and common issues subject to further agreement or submissions by the parties.
Facts of the case
Mackenzie Financial Corporation, one of Canada’s largest investment management firms, holds sensitive financial and personal information for over a million clients. To facilitate client communications, Mackenzie subcontracted Investorcom Holdings ULC (ICOM), a company specializing in compliance and customer communications for wealth and investment firms. In early 2023, ICOM’s systems were compromised by cybercriminals exploiting a vulnerability in the “GoAnywhere” file transfer software. This breach led to unauthorized access to files containing personally identifying information (PII), including social insurance numbers, of Mackenzie’s clients.
The breach became public when ICOM received a ransomware demand in March 2023, threatening to release the stolen information on the dark web. Mackenzie notified its clients in April 2023, about two months after the vulnerability was discovered and a month after the ransom demand. Although there is evidence that hackers accessed ICOM’s systems and copied certain files, it remains unclear whether the PII was actually exfiltrated or misused. Mackenzie responded by offering complimentary credit monitoring to affected clients.
Policy terms and contractual obligations
Plaintiffs argued that Mackenzie’s contractual commitments included promises to protect client privacy and ensure that any third-party service providers, such as ICOM, would safeguard information to the same standard. The plaintiffs claimed that both Mackenzie and ICOM failed to take adequate security measures, leading to the breach. They further alleged that the defendants’ failure to protect the data constituted negligence and breach of contract, and that ICOM, by accepting the data under these terms, also owed a duty of care to Mackenzie’s clients.
Discussion of privacy legislation and jurisdictional issues
The plaintiffs relied on privacy statutes from several provinces, including British Columbia, Manitoba, Newfoundland and Labrador, and Quebec, which provide for tortious liability for willful invasions of privacy. However, the court found that Ontario courts lack jurisdiction to grant statutory remedies under these provincial laws, as such statutes confer exclusive jurisdiction on the courts of the respective provinces. The court also noted that recklessness or negligence in data protection does not equate to the willful invasion of privacy required by these statutes.
The existence of a parallel class action in British Columbia added complexity, as the intervenor (plaintiff in the B.C. action) argued for a carve-out of class members whose claims would more appropriately be litigated in B.C. The Ontario court declined to exclude such members at this stage, reasoning that it was premature to do so before certification decisions in other provinces were finalized.
Certification and common issues
Justice MacLeod found that the plaintiffs had adequately pleaded causes of action in negligence and contract, and possibly fiduciary duty, against both Mackenzie and ICOM. The court held that the action met the requirements for certification under Ontario’s Class Proceedings Act, including the existence of an identifiable class, common issues, and a preferable procedure for resolving those issues. The court identified key common issues, such as the nature and extent of the duty of care, whether it was breached, the adequacy of remedial measures, and the potential for aggregate or punitive damages.
Ruling and outcome
The Ontario Superior Court of Justice certified the proceeding as a national class action, encompassing all persons in Canada whose personal information held by Mackenzie was exposed in the January 2023 breach. The court declined to certify claims for statutory remedies under provincial privacy legislation but allowed reference to such statutes as material facts or policy arguments. The final class definition and list of common issues remain subject to further agreement or submissions by the parties. No specific monetary award was determined at this preliminary stage, as the case was focused solely on certification and not on the merits or quantum of damages. The successful party at this stage was the plaintiffs, who obtained certification of their proposed class action.
Plaintiff
Defendant
Court: Superior Court of Justice - Ontario
Case Number: CV-23-93325-CP
Practice Area: Class actions
Amount: Not specified/Unspecified
Winner: Plaintiff
Trial Start Date