Court approves data breach settlements with BMO, CIBC | Investment Executive

Court approves data breach settlements with BMO, CIBC
Cyberattacks in 2018 exposed the data of thousands of bank clients

By: James Langton April 21, 202113:15
SHARE
gavel
123RF
An Ontario court has approved proposed class action settlements with Bank of Montreal (BMO) and CIBC over cybersecurity breaches involving thousands of clients.

The Superior Court of Justice endorsed settlements and distribution plans designed to resolve lawsuits against the banks stemming from a data theft that affected more than 10,000 clients of CIBC’s Simplii Financial unit and more than 113,000 BMO clients in 2018.


The parties reached agreements last fall to settle the action against BMO for $21.2 million, and against CIBC for $1.8 million.

Now, the court has approved the settlements and the plan for distributing the funds.

Want more immediate, memorable insights? Listen to this Soundbites episode, featuring John Yanchus, tax and estate planning consultant with Canada Life.
The proposed settlements categorize affected clients into groups based on the extent of the personal information exposed in the breach, with differing levels of compensation for different groups.

“In both settlements, larger amounts are proposed for persons who had their SIN and date of birth information compromised, compared to class members who did not,” the court noted.

Both banks had already compensated clients for fraudulent transfers out of their accounts, which cost BMO $6.85 million and CIBC $1.8 million, the court said.


They also provided affected customers with free credit monitoring and identity theft insurance, along with other compensation.

The court said some of the affected customers expressed concerns that their personal information could be posted online in the future.

“This risk remains a possibility, but it is mitigated because the police have made arrests… in Canada regarding these data breaches,” it said, noting that the vast majority didn’t object to the proposed settlements.

The court also noted that the proposed settlements “compare favourably” with a similar case involving a breach at Home Depot that included the theft of e-mail addresses and possibly credit card numbers.

Ultimately, the court ruled it was “satisfied that the proposed settlement agreement is fair, reasonable and in the best interest of the class.”