data breach and privacy litigation 


Although organizations may use their best efforts to develop and implement policies and procedures to comply with Canada's complex and rapidly evolving privacy and data protection regime, disputes regarding breach of privacy and mishandling of personal information are often unavoidable. Despite taking appropriate measures with respect to data security, organizations may be drawn into litigation through, for example, inadvertent disclosure of customer information, employee misconduct, or even external hacking of their information systems.

Canadian courts are seeing an increase in lawsuits regarding organizational data management practices launched by customers, employees and shareholders. Lawsuits are emerging regarding misuse of personal information, invasions of personal privacy, and data breaches caused by cyber attacks. Such claims often involve allegations of negligence, breach of contract, statutory breaches, and privacy torts such as "intrusion upon seclusion" or "publicity given to private life." In some jurisdictions, corporations have also been named in shareholder derivative actions alleging failure of directors and officers to maintain adequate data security measures. Privacy and data security litigation is expected to increase further when the private right of action in Canada's Anti-Spam Law comes into force on July 1, 2017.

Responding to privacy and data breaches requires swift and strategic action. For instance, in the event of a data breach organizations must quickly assess whether statutory notification requirements apply, and if not, whether notification of affected individuals is prudent due to the potential for tort claims. The importance of an immediate and effective response is underscored by the recent wave of reported class actions relating to privacy and data breaches, many of which allege that the organization did not promptly notify individuals who were at risk of harm.

McMillan's Privacy Group is experienced at resolving disputes in a client-focused way. We pair specialized privacy expertise with McMillan's renowned Litigation Group to provide a comprehensive team that can advise and represent clients in all types of privacy litigation.

McMillan professionals help clients lead by:

  • Advising on essential breach response actions
  • Assessing exposure to liability under privacy, data protection and other laws
  • Representing clients in regulatory complaints and investigations involving federal and provincial Privacy Commissioners
  • Assisting clients to respond to employee complaints regarding misuse of personal information
  • Representing and advocating for clients in civil actions involving alleged mishandling of personal information
  • Representing and advocating for clients in shareholder disputes involving allegations of inadequate security measures
  • Representing and advocating for clients, including financial institutions, in actions against other organizations that have breached legal or contractual obligations
  • Providing expertise in defending against and resolving class action lawsuits
December 2020

Cybersecurity Bulletin

November 2020

Advocacy and Employment Law Bulletin

May 2020

Privacy Law Bulletin, Business Law Bulletin

March 2020

Privacy Law Bulletin

January 2019

Privacy Bulletin

May 2018

Privacy Bulletin

April 2018

Privacy and Data Security Bulletin

March 2018

Litigation Bulletin

November 2017

Cybersecurity Bulletin

October 2017
August 2017

 (McMillan Internal)

June 2017

Litigation, Business Law and Technology Bulletin

December 2016
Privacy Practice Note for LexisNexis Practice Advisor Canada