The Ontario Superior Court of Justice has certified a class-action lawsuit related to the 2017 Nissan privacy data breach to proceed.
According to the October 29th certification document, which was obtained by MobileSyrup, Justice Edward Belobaba indicated that the “requirements” for the case to be considered a class-action “have been satisfied.”
Toronto-based law firms Landy Marr Kats, McKenzie Lake, & Du Vernet, Stewart filed a statement of claim to certify a nearly $5 billion CAD class-action lawsuit against Nissan Canada in 2018. That claim will proceed for approximately 700,000 people Canada wide, excluding Quebec, Lawyer Vadim Kats said in an interview with MobileSyrup.
In 2017, Nissan Canada said it was the victim of a data breach that exposed the personal financial information of about 1.13 million customers. On December 11th, the company was made aware that an unknown employee gained access through one of the Nissan’s two financing arms, Nissan Canada Finance and INFINITI Financial Services Canada.
According to publicly available court filings, the unknown individual stole information that included the following: names, addresses, vehicle make and model, vehicle identification number (VIN), credit scores, loan amount, annual income, employment information list of assets, demographics, information pertaining to home and auto ownership and monthly payments.
The unknown employee demanded Nissan Canada to pay a ransom, but Nissan refused to pay. It also offered affected customers a year of free credit monitoring.
Kats explained that the most sensitive information taken included credit scores.
“Credit scores are an aggregation and analysis of an individual’s financial circumstances. Such scores are calculated using an algorithm, the contents of which are derived from a lot of highly personal information such as income, payment history, level of debt, and structure of debt,” the plaintiff’s factum read, which is publicly available.
Kats explained that if someone has a high credit score it could tell the hacker if the person is wealthy or not.
Certification of case is a big deal: Kats
He went on to say that now that the case has been certified it is a big deal because “the court has recognized that an employer can potentially be liable for actions of its employee even though the employee is unknown.”
“Now we are allowed to get into a lot of the evidence, we are allowed to find out exactly what security measures [Nissan Canada] had put in place and why were they weak,” Kats explained. “[We will know] who is the employee…we can now get into a lot of the evidence that we do not have.”
Kats said that now the team will proceed with requesting for more evidence for the case, and Nissan will do the same to support its case.
Nissan Canda’s publicly available factum indicates that its security incident response team responded to the issue “promptly and thoroughly investigated the incident and the scope of customer impact if any.”
Its factum indicated that “no customers were the victim of fraud or identity theft.” It also noted that it has “undertaken ongoing monitoring of the dark web…[and that] there is no evidence that [information] has been released to the dark web.”
“Nor has Nissan received any confirmed reports that, as a result of the extortion attempt, any customer information has been made public or any customer has suffered fraud or identity theft,” its document reads. Nissan indicates that a class-action lawsuit is not necessary and “would not work” for the case for various reasons.
Kats noted that because the case is still ongoing, if anyone did get a letter from the company, or if they leased or financed a car from Nissan or Infinity before the date of the breach (December 11th, 2017) then they would be eligible to join the class action by clicking here.