Meet Agromart, a small company with 30 employees located in Thorndale, Ontario. They supply crop nutrients, crop protection products, and seed to Ontario and Maritime farms.[1]
Agromart has been in business for almost 50 years, and over that time, they’ve continuously invested in improving their physical infrastructure. Their IT infrastructure? Not so much. But they’ve never had a problem in that domain, so it wasn’t a priority.
When the COVID-19 pandemic first gripped the world in March 2020, farmers continued to tend their crops and Agromart was there to help. Someone else, however, helped themselves to Agromart’s systems using valid administrator credentials. Throughout March and April 2020 the intruder moved through the company’s systems, exfiltrating the personal information of more than 800 customers, including social insurance numbers, banking and credit card information, and electronic signatures.
In May 2020, the threat actor deployed ransomware on Agromart’s IT systems, encrypting and locking them. Agromart retained third-party security experts, began an investigation, and refused to pay the ransom. In retaliation, the threat actor auctioned the stolen data and then published the full dataset on the dark web in June 2020. This is the double-extortion pattern: data is stolen first, systems are encrypted second, and the stolen data is leaked when the ransom is refused.
As a result of the breach, an Ontario farmer filed a proposed class action lawsuit claiming Agromart failed to protect her and thousands of Canadian consumers’ personal and sensitive information. The court approved a settlement of $500,000 in May 2024.
Unfortunately, Agromart’s story is not unique. If you scan the news, there’s regular reporting of large data breaches involving organizations across all industries.
Johanne Desloges, Vice President of GCS Claims at Aviva Canada, shared this cautionary tale with an audience of risk management professionals at the RIMS Canada conference. She followed it with a wealth of information and risk mitigation considerations for cyber security.
Cyber security litigation is becoming as common as cyber attacks
Cyber security is top-of-mind for organizations the world over. IBM’s 2024 data breach report found that Canadian organizations pay an average of $4.66 million USD per data breach. US organizations pay an average of $9.36 million USD.[2]
In a Norton Rose Fulbright survey, 40% of respondents said their businesses saw an increase in cyber and data protection dispute exposure over the previous 12 months.
“The two most common exposures in this space are where personal information is inadvertently disclosed to third parties, and where a company intentionally discloses personal information to third parties,” said Desloges.
These types of suits can be costly to defend and can spawn copycat class actions in multiple jurisdictions, attacking an organization on several fronts at once.
Businesses also need to be wary of deliberate attacks from within. For example, an Insurance Corporation of British Columbia (ICBC) employee improperly accessed and sold the personal information of 79 ICBC customers. The information was then used to target 13 individuals in arson and shooting attacks. Following a summary trial, the court found that the employee’s conduct violated the BC Privacy Act and that ICBC was vicariously liable. ICBC’s appeal was dismissed.[3]
“The positive news is that certification of a class action is not guaranteed. The most common barrier is lack of evidence that the personal information was misused or there was compensable harm arising from the access. Several courts in Canada have held that general anxiety or distress from having one’s personal information accessed is not reason enough for certification.”
How to mitigate cyber security litigation risks
Desloges offers seven protections to minimize risk in any Canadian business.
1. Map your regulatory obligations
“Understand which country, provincial, and federal regulatory authorities you are subject to in the event of a security incident. Prepare workflows and incident response planning and management based on those requirements.”
2. Play defense
“The best offense is defense. Actively monitor your information security program to build a defense to a data breach class action suit.”
3. Revisit incident response planning
“An incident response plan is only as good as it is understood by appropriate stakeholders. Plan, manage, and ensure holistic organizational coordination and implementation.”
4. Create and review work-product workflows
“Examine existing contractual relationships and consider dual-track investigations, where appropriate. Get your legal department to participate early in the incident response planning process.”
5. Ensure regulatory compliance
“Be aware of the regulatory frameworks of all jurisdictions in which you operate. This includes understanding local laws on data protection, employment and environmental standards.”
6. Be aware of jurisdictional risks
“Some regions may have more stringent regulations or a higher propensity for litigation. Know what the atmosphere is and the risks you may face wherever you do business.”
7. Have robust compliance programs
“Develop and maintain comprehensive compliance programs that address all relevant legal and regulatory requirements. Regular audits and updates are essential to ensure ongoing compliance.”
Looking to protect your business against new and evolving risks?
Aviva’s Global Corporate & Specialty team offers a prevention-first approach that combines technological innovation with risk management. If your large corporate business requires protection, with expert claims management and dedicated support, our team can help.
[1] Office of the Privacy Commissioner of Canada, PIPEDA Findings #2023-002: https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2023/pipeda-2023-002
[2] IBM, Cost of a Data Breach Report 2024: https://canada.newsroom.ibm.com/2024-07-30-IBM-Report-Escalating-Data-Breach-Disruption-Pushes-Cybersecurity-Costs-in-Canada
[3] Ari v. Insurance Corporation of British Columbia, 2024 BCSC 964