Class-action suit alleges Vancouver trust company exposed customers to risk of identity theft
A judge has certified a class-action lawsuit that alleges a Vancouver financial institution exposed its customers to the risk of identity theft after an online database was hacked.
The plaintiff in the case claims that Peoples Trust Company, a federally regulated trust with a head office in Vancouver, did not adequately secure personal information, putting customers at risk of identity theft and cybercrime.
Court heard that in September 2013, cybercriminals from China gained unauthorized access to the company's computer database, and unsolicited text messages were sent to users of the company's website purportedly from the company, asking them to call a telephone number in Utah.
These were attempts at "phishing" — soliciting money or information from people by individuals pretending to be from the company.
The trust company became aware of the possible breach of security during the week of Oct. 7, 2013 and initiated a forensic investigation that confirmed the database had been compromised.
The company notified Vancouver police, the RCMP and affected customers, and reported the matter to the federal privacy commissioner.
A letter was sent to customers, believed to number between 11,000 and 13,000, of steps the company had taken to mitigate the risk of fraud and theft.
The letter advised that the company had arranged to have flags placed on the customers' credit files to alert companies that their data may have been compromised, with the flags to stay on the files for six years.
The privacy commissioner investigated the matter and issued a report in April 2015 that found the company had not implemented sufficiently strong safeguards in developing its online application web portal to protect sensitive information.
In addition, the report found that when the security breach occurred, the company lacked a comprehensive information security policy. The report added that the company was very cooperative and demonstrated a timely and comprehensive response to the breach.
In certifying the lawsuit, B.C. Supreme Court Justice David Masuhara found that it was not plain and obvious that there was no cause of action for breach of contract or for a negligence claim.
"The plaintiff has pleaded sufficient facts capable of establishing that harm was reasonably foreseeable," said the judge in his ruling. "The information collected by Peoples Trust was sensitive and collected in the course of online applications for financial services."
Ravi Hira, a lawyer for the company, said that nobody involved suffered any losses because the firm took immediate steps to address the problem. He pointed out that the RCMP and privacy commissioner were contacted.
"Nobody suffered any monetary loss or identity theft," said Hira.
The Vancouver lawyer said that what was certified by the judge was the issue of "nominal" damages, which he said has sometimes been referred to as "moral" damages.
He said that the company is carefully considering whether to appeal the class-action certification.
In addition to an office in Vancouver, the company has offices in Toronto and Calgary and provides financial products and services, including savings accounts, mortgages and credit cards.