What’s next for proposed class actions arising from last year’s data breach?

By Michelle Schriver | March 5, 2024 | Last updated on March 5, 2024
4 min read
Cybersecutity concept, lock


  • Overlapping class actions originating in different jurisdictions are challenging to address, given that class actions are regulated provincially
  • A common way forward is for law firms to work together to advance an action
  • When multiple class actions are filed in a single province, the court may decide which class action will proceed
  • There may be limited scope of recovery in data-hacking cases

Clients affected by last year’s data hack involving financial services firms and file transfer service GoAnywhere may wonder what happens next, given that multiple proposed class actions have been filed across the country.

The short answer? It’s complicated.

Four class actions were filed against Mackenzie Investments in relation to the incident. Regtech firm InvestorCOM is a defendant in three of the four, and additional defendants are Edward Jones (two claims) and Franklin Templeton (one).

One claim was filed in B.C., two in Saskatchewan and one in Ontario, with the latest filed on Dec. 18 and announced in a news release on Feb. 22.

When class actions originate in different provinces, “no single provincial court has jurisdiction to make a determination with respect to which case goes forward,” said Garth Myers, partner with Kalloghlian Myers LLP in Toronto. (Myers, like the other lawyer interviewed for this story, was not commenting specifically about the hacking case.) “Commencement of overlapping national class actions in different courts across the country has posed one of the biggest problems for class actions in Canada.”

In contrast, “[the U.S.] federal court system has the power to solve this problem,” said Daniel Bach, partner, class actions, with Siskinds LLP in Toronto.

Law firms could agree to work cooperatively to advance an action. While that’s “a very frequent result,” Myers said, it “depends on the ability of the lawyers, or the plaintiff and the class members, to agree and work out some sort of arrangement.”

Alternatively, law firms could try to stop each other’s cases from going forward by bringing motions in other provinces, he said, but “that’s challenging, and there’s not a lot of great precedent for that.”

From a defendant’s perspective, being sued in different courts across the country by the same people is inefficient and costly. Because of that, a defendant could ask the court to pause the proceeding temporarily or permanently to permit one case (or cases) to go forward, Myers said. He added that provinces differ in how receptive they are to such motions, which are called stay motions.

“There’s no great blueprint in order to manage the interjurisdictional issues raised by the commencement of a multiplicity of class actions across Canada,” Myers said.

Bach said amendments to Ontario’s Class Proceedings Act made in 2020 help address overlapping cases. Specifically, when a case gets to the certification stage, the court may consider if a competing case was certified in another province and whether the claim in Ontario should be resolved in another proceeding. But a certification motion can happen years after a class action is filed, he added.

When multiple claims are filed in the same province and counsel don’t agree to work together, the court decides in a carriage motion which competing class action will proceed.

“The court applies a … multifactor test that basically boils down to which of these class actions is in the best interests of the class,” Bach said. Factors considered include such things as the theory of the case and counsel experience. (Quebec is the exception with its first-to-file rule.)

Hacker cases and intrusion on seclusion

Another development is that the Ontario Court of Appeal, in a series of decisions, has “limited the scope of recovery” in data-hacker cases, Myers said.

A couple of the claims against the financial services firms cite liability for “intrusion on seclusion.”  But the Appeal Court has effectively said that a “database defendant” — one that holds personal data and is hacked by a third party — isn’t liable for intrusion on seclusion, Myers said.

“Liability can only attach to a party who is an active participant in the wrongful access of private information of another,” writes Ellen Snow, a partner in Clyde & Co.’s Toronto commercial litigation group, in an article explaining the court’s view.

As a result of the Appeal Court rulings, “I think we’ve seen a significant decrease in the number of privacy cases filed in Canada,” Myers said, describing the court’s approach as “regressive” when it comes to personal information.

“For now, that’s the reality that we’re dealing with,” he said. “You don’t have an automatic claim for breach of privacy against a database defendant, who’s holding private information, every time they’re hacked.”

Other causes of action in the claims are negligence and breach of provincial privacy statutes.

Until the proposed class actions unfold, affected clients will be resigned to a wait-and-see approach.

In the management’s discussion and analysis posted with its fourth-quarter results, Mackenzie parent IGM Financial Inc. said it doesn’t expect these legal actions to have a “material adverse effect” on the company’s consolidated financial position.

Subscribe to our newsletters

Michelle Schriver headshot

Michelle Schriver

Michelle is Advisor.ca’s managing editor. She has worked with the team since 2015 and been recognized by the National Magazine Awards and SABEW for her reporting. Email her at michelle@newcom.ca.