- »Casino Rama Court Decision Sets Precedent
Casino Rama Court Decision Sets Precedent
In May, the Ontario Superior Court of Justice ruled for Casino Rama Services regarding a class action lawsuit against the gaming company. It was the result of a cyberattack, wherein the hacker was able to obtain personal information about customers.
The plaintiffs tried to come together to file a class action lawsuit against Casino Rama. Allegations included crimes like a breach of privacy, breach of contract, and overall negligence. However, the judge refused to approve class action status. This set somewhat of a precedent in the Canadian courts.
The Casino Rama ServicesIncident
It all started in November 2016, just a few years after Casino Rama received a significant renovation under the operational eye of Gateway Casinos. The Chippewas of Rama First Nation and Ontario Lottery and Gaming (OLG) Corporation own the casino, hotel, and entertainment venue. Still, the day-to-day operations were – and continue to be – run by Gateway.
Casino Rama then experienced a cyberattack. A hacker or group of hackers gained access to the personal and financial information of up to 200,000 customers in the property’s database. The hacker demanded a ransom for the information, but Casino Rama refused to pay. The criminal(s) then posted the stolen data on the dark web.
Two of those customers then decided to sue Casino Rama Services, along with the OLC and others. Leonid Kaplan and Cheryle Jane Mizzi alleged negligence and breaches of contract and confidence that allowed the cyberattack to happen.
Meanwhile, Casino Rama immediately notified the proper authorities and helped with the ensuing investigation. All parties were ultimately able to remove the stolen information from the internet. Victims were then offered free credit monitoring services and assistance if problems resulted from the attack.
May 2019 Ruling
The two original plaintiffs originally sued for $60 million. They claimed that the personal data leak negatively affected their lives. However, they were unable to prove that they experienced any actual negativity or financial loss from the incident. They could also not prove any actual fraudulent activity or serious psychological harm.
Nevertheless, the plaintiffs’ attorneys requested class action status for the case because of the number of people affected by the cyberattack.
On May 7, 2019, the Ontario Superior Court of Justice dismissed that motion for class action. One of the justices cited no provable losses. “Class counsel find themselves trying to force square (breach of privacy) pegs into round (tort and contract) holes,” wrote Justice Belobaba.
Dentons Data Analysis
One take on the case was that it was significant because it is normally challenging to defeat a motion to certify a class action lawsuit in data breach situations.
Also significant was the court awarding costs to the defendant. After all, most courts award costs to plaintiffs, if at all possible. This analysis said that courts in Ontario seem to be “growing impatient with the scattershot approach of some class counsel”. Justices are also looking for a stronger basis for such cases, and for counsel to be able to continue the defence of that basis throughout the case.
Some of the lawyers for the defendants – Catherine Beagan Flood, Nicole Henderson, Jessica Lam, and Christopher DiMatteo – posted their thoughts on the Blakes Business Class website about the outcome of the case.
They also compared the case to another in which some participated. It was a similar denial of class action case called Broutzas v. Rouge Valley Health System. This resulted in a very similar court decision denying a privacy class action, also featuring Justice Belobaba in the decision.
The attorneys wrote that the decisions seem to signal that courts are recognising that class action is not the appropriate measure for all seeking remedies in cases involving losses of privacy.
Per the court rulings, not all personal information stolen in cyber breaches is private or confidential. Instead, much varies from one individual case to another. This keeps class action from being appropriate, as individuals are affected by such breaches in different ways.
Further, in the Casino Rama Services case, the judge noted that Casino Rama and OLG responded appropriately to the hacking. This includes notifying authorities and cooperating fully, issuing takedown notices for sites that may have posted the stolen information, issuing notices to all patrons and employees who may have been affected, and offering the free credit monitoring services.
Per the attorneys, these steps are not only the proper actions but can reduce the potential and scope of any resulting litigation.