Date: 20220825  
Docket: T-982-20  
Citation: 2022 FC 1228  
Ottawa, Ontario, August 25, 2022  
PRESENT: The Honourable Mr. Justice Southcott  
CERTIFIED CLASS ACTION  
BETWEEN:  
TODD SWEET  
Plaintiff  
and  
HER MAJESTY THE QUEEN  
Defendant  
ORDER AND REASONS  
I.  
Overview  
[1]  
This decision relates to a motion by the Plaintiff dated December 2, 2021, seeking an  
order certifying this action as a class proceeding under Rule 334.16 of the Federal Courts Rules,  
SOR/98-106 [the Rules] and granting an order under Rule 334.17. This action relates to data  
Page: 2  
breaches in which hacker(s) gained access to the personal, financial and other information of  
what appears to be thousands of Canadians through Government of Canada websites.  
[2]  
As explained in greater detail below, the Plaintiff’s motion is granted, because I have  
found that the Plaintiff has satisfied the requirements of Rule 334.16.  
II.  
Procedural Background  
[3]  
The Plaintiff, Todd Sweet, is the proposed class representative for the proposed class  
proceeding. He is a resident of Clinton, British Columbia. The Defendant, Her Majesty the  
Queen, is named as representative of the Government of Canada [the Government] including the  
Minister of National Revenue of Canada (the Minister responsible for the Canada Revenue  
Agency [CRA]) and the Minister of Families, Children, and Social Development (the Minister  
responsible for Employment and Social Development Canada [ESDC]).  
[4]  
The Plaintiff asserts that, on July 2, 2020, he logged in to his CRA online account after  
receiving emails notifying him that his email address had been removed from his account. He  
discovered that his direct deposit information had been changed and that, on June 29, 2020, using  
his account, an unknown and unauthorized individual had made four applications for the Canada  
Emergency Response Benefit [CERB], a program initiated by the Government to provide  
financial assistance to qualifying Canadians during the COVID-19 pandemic.  
[5]  
The Plaintiff is one of a potential class of what appears to be thousands of people whose  
online Government accounts (including CRA accounts [styled for users as My Accounts], My  
Page: 3  
Service Canada Accounts for which ESDC is responsible, and other online accounts accessed via  
the Government of Canada Branded Credential Service Key [GCKey]) were vulnerable to  
hackers from approximately June to August of 2020, due to what the Plaintiff alleges were  
operational failures by the Defendant to properly secure the portals providing access to these  
accounts. The Plaintiff further alleges that, by obtaining unauthorized access to those accounts,  
hacker(s) were able to commit identity theft and CERB fraud and access sensitive and personal  
information including, e.g., Social Insurance Numbers [SINs], direct deposit banking  
information, tax information, dates of birth, records of employment, information regarding  
employment insurance, and other benefits information.  
[6]  
On August 24, 2020, the law firm Murphy Battista LLP [Murphy Battista] commenced  
this action in the Federal Court on behalf of proposed class representatives who alleged that their  
online Government accounts had been accessed by hackers. However, in early April 2021, that  
firm experienced its own data breach, in which unauthorized parties were able to gain access to  
the firm’s networks. The Defendant subsequently brought a motion to stay this action, because  
the Federal Court lacks the jurisdiction to hear a third party claim that the Defendant intended to  
pursue against the law firm, seeking contribution and indemnity in relation to any liability of the  
Defendant to members of the proposed class who may have had their information compromised  
in both the Government data breaches and the law firm data breach.  
[7]  
Present Plaintiff’s counsel, Rice Harbut Elliott LLP [Rice Harbut], subsequently replaced  
Murphy Battista and, in opposing the Defendant’s stay motion, prepared pleading amendments  
intended to narrow the proposed class and the scope of its claim (to exclude persons who  
Page: 4  
contacted Murphy Battista about this class action) such that the Defendant would no longer have  
a basis to assert its claim for contribution and indemnity. Those amendments culminated with a  
draft Third Amended Statement of Claim [Third SOC], which would also replace the previously  
proposed class representatives with Mr. Sweet as Plaintiff.  
[8]  
This proceeding is being case managed by the undersigned and Associate Justice Ring.  
By Order and Reasons dated December 20, 2021, I dismissed the Defendant’s stay motion and,  
by Order dated January 20, 2022, I approved the filing of the Third SOC and the substitution of  
Mr. Sweet as the proposed representative Plaintiff for the class.  
[9]  
The parties subsequently completed the service and filing of their records for the  
certification motion, which they argued orally in Vancouver on May 11-13, 2022. The Plaintiff’s  
filings culminated with a Reply Memorandum of Fact and Law, which attached a draft Fourth  
Further Amended Statement of Claim [Fourth SOC] that the Plaintiff seeks leave to file (opposed  
by the Defendant) in the event the amendments therein are necessary to respond to certain of the  
Defendant’s arguments. The Plaintiff seeks certification of a class defined as follows (with the  
underlined portion representing the only change from the Third SOC to the Fourth SOC):  
All persons whose personal or financial information in their  
Government of Canada Online Account was disclosed to a third  
party without authorization on or after March 1, 2020, excluding  
Excluded Persons.  
“Government of Canada Online Account” means:  
a) Canada Revenue Agency account;  
b) My Service Canada account; or  
Page: 5  
c) another Government of Canada online account, where that  
account is accessed using the Government of Canada  
Branded Credential Service (GCKey).  
“Excluded Persons” means all persons who contacted Murphy  
Battista LLP about the CRA privacy breach class action, with  
Federal Court file number T-982-20 prior to June 24, 2021.  
(Collectively “Class” or “Class Members”)  
[10] The Plaintiff advances causes of action against the Defendant based on the torts of  
systemic negligence, breach of confidence, and intrusion upon seclusion, as well as invoking the  
vicarious liability provisions of the Crown Liability and Proceedings Act, RSC 1985, c C-50. He  
pleads that he and the other class members have suffered damages including: costs incurred in  
preventing identity theft; identity theft; increased risk of future identity theft; damage to credit  
reputation; mental distress and comparable effects; monies withdrawn from their bank accounts  
without their consent; loans applied for in their names without their consent; credit card fraud;  
inability to access benefits and payments they were entitled to and other losses resulting  
therefrom; out-of-pocket expenses; time lost in communication with the CRA, ESDC and other  
Crown agencies to address the data breaches; and time lost in precautionary communications  
with third parties such as credit agencies to inform them of the potential that personal and  
financial information may have been compromised.  
[11] The present motion seeks an order certifying this action as a class action and granting an  
order under Rule 334.17 in connection with such certification. This includes certifying the  
following proposed common questions:  
Page: 6  
Systemic Negligence  
A. Did the Defendant owe the Class a duty of care?  
B. If so, what was the applicable standard of care?  
C. Did the Defendant breach the applicable standard of care?  
D. Did the Defendant’s breach of duty cause damage to the Class?  
Breach of Confidence  
A. Is the Defendant liable for the tort of breach of confidence vis-à-vis Class  
Members?  
Intrusion Upon Seclusion  
A. Is the Defendant liable for the tort of intrusion upon seclusion vis-à-vis Class  
Members?  
Damages  
A. Can the Court make an aggregate assessment of all or part of the damages suffered by  
Class Members and, if so, in what amount?  
B. Does the conduct of the Defendant merit an award of punitive damages and, if so, in  
what amount?  
Page: 7  
[12] The Defendant takes the position that the request for certification should be denied,  
arguing that none of the requirements for certification are met. The Defendant has also filed  
motions, asking that the Court strike an affidavit of one of the Plaintiff’s factual witnesses  
(Elizabeth Emery) and strike certain paragraphs of the report of one of the Plaintiff’s experts (Dr.  
Douglas Allen) or alternatively ascribe little weight to such evidence. These motions were  
argued at the commencement of the hearing of the certification motion and are addressed in these  
Reasons.  
III.  
Issues  
[13] Based on the parties’ written and oral submissions, the issues for the Court’s  
determination are as follows:  
A. Should the Court strike certain paragraphs of Dr. Allen’s expert report?  
B. Should the Court strike the affidavit of Elizabeth Emery?  
C. Has the Plaintiff satisfied the criteria of Rule 334.16, such that this proceeding should  
be certified?  
[14] I note that the Plaintiff’s Memorandum of Fact and Law raised as additional issues  
whether Rice Harbut should be appointed as class counsel and whether the Defendant should be  
required to disclose to Rice Harbut and the notice provider the names, mailing addresses, and  
email addresses of all class members, where that information is within the knowledge of the  
Defendant. However, the appointment of Rice Harbut has already been confirmed in my Order  
dated January 20, 2022, and at the hearing of the present motion, the Plaintiff’s counsel advised  
Page: 8  
that he was advancing no particular submissions on the disclosure issue at this juncture. Counsel  
proposed that, if the proceeding is certified, this issue can be addressed subsequently through the  
case management process. This Judgment and Reasons therefore do not address that issue.  
IV.  
Analysis  
A. General Principles  
[15] Before turning to analysis of the issues, it is useful to set out some general principles that  
apply to the certification of class proceedings. As I understand it, none of these principles are in  
dispute between the parties. This motion is governed principally by Rules 334.16(1) and (2),  
which provide as follows:  
Certification  
Conditions  
Autorisation  
Conditions  
334.16 (1) Subject to  
334.16 (1) Sous réserve du  
subsection (3), a judge shall,  
paragraphe (3), le juge  
by order, certify a proceeding autorise une instance comme  
as a class proceeding if  
recours collectif si les  
conditions suivantes sont  
réunies :  
(a) the pleadings  
disclose a reasonable  
cause of action;  
a) les actes de  
procédure révèlent une  
cause d’action valable;  
(b) there is an identifiable  
class of two or more  
persons;  
b) il existe un groupe  
identifiable formé d’au  
moins deux personnes;  
(c) the claims of the class  
members raise common  
questions of law or fact,  
whether or not those  
common questions  
c) les réclamations des  
membres du groupe  
soulèvent des points de  
droit ou de fait communs,  
que ceux-ci prédominent  
predominate over  
Page: 9  
questions affecting only  
individual members;  
ou non sur ceux qui ne  
concernent qu’un membre;  
(d) a class proceeding is  
the preferable procedure  
for the just and efficient  
resolution of the  
common questions of  
law or fact; and  
d) le recours collectif est  
le meilleur moyen de  
régler, de façon juste et  
efficace, les points de  
droit ou de fait  
communs;  
(e) there is a  
e) il existe un représentant  
representative plaintiff  
or applicant who  
demandeur qui:  
(i) would fairly and  
adequately represent  
the interests of the  
class,  
(i) représenterait de  
façon équitable et  
adéquate les intérêts  
du groupe,  
(ii) has prepared a  
plan for the  
(ii) a élaboré un plan  
qui propose une  
proceeding that sets  
out a workable  
méthode efficace pour  
poursuivre l’instance  
au nom du groupe et  
tenir les membres du  
groupe informés de  
son déroulement,  
method of advancing  
the proceeding on  
behalf of the class  
and of notifying class  
members as to how  
the proceeding is  
progressing,  
(iii) does not have,  
on the common  
(iii) n’a pas de conflit  
d’intérêts avec  
questions of law or  
fact, an interest that  
is in conflict with the  
interests of other  
d’autres membres du  
groupe en ce qui  
concerne les points de  
droit ou de fait  
class members, and  
communs,  
(iv) provides a  
summary of any  
agreements  
respecting fees and  
disbursements  
between the  
(iv) communique un  
sommaire des  
conventions relatives  
aux honoraires et  
débours qui sont  
intervenues entre lui  
representative  
plaintiff or applicant  
Page: 10  
and the solicitor of  
record.  
et l’avocat inscrit au  
dossier.  
Matters to be considered  
Facteurs pris en compte  
(2) All relevant matters shall  
be considered in a  
determination of whether a  
class proceeding is the  
(2) Pour décider si le recours  
collectif est le meilleur moyen  
de régler les points de droit ou  
de fait communs de façon  
juste et efficace, tous les  
preferable procedure for the  
just and efficient resolution of facteurs pertinents sont pris en  
the common questions of law compte, notamment les  
or fact, including whether  
suivants :  
(a) the questions of law  
or fact common to the  
class members  
predominate over any  
questions affecting only  
individual members;  
a) la prédominance des  
points de droit ou de fait  
communs sur ceux qui  
ne concernent que  
certains membres;  
(b) a significant number  
of the members of the  
class have a valid  
interest in individually  
controlling the  
b) la proportion de  
membres du groupe qui  
ont un intérêt légitime à  
poursuivre des instances  
séparées;  
prosecution of separate  
proceedings;  
(c) the class proceeding  
would involve claims  
that are or have been the  
subject of any other  
proceeding;  
c) le fait que le recours  
collectif porte ou non sur  
des réclamations qui ont  
fait ou qui font l’objet  
d’autres instances;  
(d) other means of  
resolving the claims are  
less practical or less  
efficient; and  
d) l’aspect pratique ou  
l’efficacité moindres des  
autres moyens de régler  
les réclamations;  
(e) the administration of  
the class proceeding  
would create greater  
difficulties than those  
likely to be experienced  
if relief were sought by  
other means.  
e) les difficultés accrues  
engendrées par la gestion  
du recours collectif par  
rapport à celles associées à  
la gestion d’autres mesures  
de redressement.  
Page: 11  
[16] As a general statement of the objectives of class action legislation, Chief Justice  
McLachlin provided the following explanation in Hollick v Toronto (City) 2001 SCC 68 at para  
15:  
15 The Act reflects an increasing recognition of the important  
advantages that the class action offers as a procedural tool. As I  
discussed at some length in Western Canadian Shopping Centres  
(at paras. 27-29), class actions provide three important advantages  
over a multiplicity of individual suits. First, by aggregating similar  
individual actions, class actions serve judicial economy by  
avoiding unnecessary duplication in fact-finding and legal analysis.  
Second, by distributing fixed litigation costs amongst a large  
number of class members, class actions improve access to justice  
by making economical the prosecution of claims that any one class  
member would find too costly to prosecute on his or her own.  
Third, class actions serve efficiency and justice by ensuring that  
actual and potential wrongdoers modify their behaviour to take full  
account of the harm they are causing, or might cause, to the public.  
[17] Other than the first requirement of Rule 334.16(1)that the pleadings disclosing a  
reasonable cause of action, the test for which will be explained later in these Reasonsthe  
threshold for meeting the requirements for certification is the establishment of “some basis in  
fact” to support the certification order. The law is clear that the “some basis in fact” threshold  
does not require that the party seeking certification establish the certification requirements on a  
balance of probabilities. Indeed, this standard does not require that the Court resolve conflicting  
facts and evidence at the certification stage. Rather, it reflects the fact that, at the certification  
stage, the Court is ill-equipped to resolve conflicts in the evidence or to engage in finely  
calibrated assessments of evidentiary weight (see Pro-Sys Consultants Ltd v Microsoft  
Corporation, 2013 SCC 57 [Pro-Sys] at paras 101-102).  
Page: 12  
B. Should the Court strike certain paragraphs of Dr. Allen’s expert report?  
[18] The Plaintiff’s certification motion record includes a report dated December 11, 2020, by  
Dr. Douglas Allen, an economist with Delta Economic Group Inc. As identified in his report,  
Dr. Allen was instructed to address two questions:  
A. What would an economist consider is the scope of costs associated with identity  
theft?  
B. What methodologies exist to estimate an average cost of this particular identity theft?  
[19] The Plaintiff relies on Dr. Allen’s evidence as relevant to the following proposed  
common issue that he seeks to certify:  
Can the Court make an aggregate assessment of all or part of the  
damages suffered by Class Members and, if so, in what amount?  
[20] In response to Dr. Allen’s report, the Defendant’s motion record includes a report dated  
July 13, 2021, by Chris Polson and Jake Dwhytie of PricewaterhouseCoopers LLP [the PWC  
Report]. The Plaintiff in turn served a reply report by Dr. Allen dated July 22, 2021. The  
Defendant subsequently cross-examined Dr. Allen on both his reports.  
[21] The Defendant’s motion relates to the first of Dr. Allen’s report [the Allen Report] and  
seeks:  
Page: 13  
A. to strike certain paragraphs on the basis that they violate a jurisprudential  
prohibition, applicable at the certification stage of a proceeding, against  
introducing evidence quantifying damages; and  
B. to strike certain other paragraphs on the basis that they violate a  
jurisprudential prohibition, applicable at the certification stage of a  
proceeding, against using a random sampling of actual class members to  
calculate damages.  
[22] Invoking the criteria prescribed by R v Mohan, [1994] 2 SCR 9, 114 DLR (4th) 419  
[Mohan] for the admissibility of expert evidence, the Defendant argues that these two sets of  
paragraphs of the Allen Report are inadmissible, because they are both irrelevant and  
unnecessary to assist the Court in deciding the certification motion.  
[23] First, the Defendant challenges paragraphs 12a, 14a, 21a (last sentence), 26-28, 31 and 38  
of the Allen Report. These paragraphs relate to the first of two methodologies the Allen Report  
proposes for estimating the average cost of the identify theft that is the subject of this action.  
That methodology involves using information that is publicly available from a random sampling  
survey on identity theft. Dr. Allen explains how such information could be employed in that  
quantification methodology, including arriving at what he refers to as a base or floor estimate of  
the average cost per person.  
[24] The Defendant recognizes that the Court can consider at the certification stage whether  
aggregate damages can be considered a common issue, but it emphasizes that the quantification  
Page: 14  
of damages is not a matter to be considered at this stage. The Defendant relies, inter alia, on Pro-  
Sys at paras 113-115, which noted that, during a certification proceeding, a court may  
contemplate whether loss to the class members can be established on a class-wide basis and that  
this process may require the use of expert evidence. However, the Supreme Court explained that  
it is not necessary at the certification stage that the methodology establish the actual loss to the  
class, only that that there is a methodology capable of doing so.  
[25] Against this jurisprudential backdrop, I do not find the first set of impugned paragraphs  
of the Allen Report problematic. The Plaintiff offers that evidence not for the purpose of  
quantifying his damages or those of the proposed class members but rather to support his  
position that there is an available methodology for quantifying the class members’ damages on  
an aggregate basis. This is a purpose expressly contemplated by Pro-Sys as relevant to the  
certification stage of a proceeding. As explained by the Court of Appeal for Ontario in Fulawka  
v Bank of Nova Scotia, 2012 ONCA 443 [Fulawka] at para 81 (cited by the Federal Court in  
McCrea v Canada (Attorney General), 2015 FC 592 [McCrea] at para 351), a plaintiff is  
required to adduce supporting evidence to demonstrate that there is a workable methodology for  
determining issues of causation or damages, if proposed, on a class-wide basis.  
[26] Next, the Defendant argues that paragraphs 14b, 32-36, and 39 of the Allen Report are  
inadmissible for violating a certification stage prohibition against using a random sampling of  
actual class members to calculate damages. As previously noted, Dr. Allen proposes two  
methodologies for calculating damages. The second methodology involves conducting a survey  
Page: 15  
of a random sample of class members. The Defendant submits that such a methodology is  
prohibited by law, because it requires proof by individual class members.  
[27] In support of this position, the Defendant relies on the decision of the Court of Appeal for  
Ontario in Fulawka at paragraph 137, which rejected an expert’s random sampling methodology  
because it impermissibly required proof from individual class members in order to arrive at an  
aggregate damages figure. The Court reasoned that this methodology was antithetical to the  
requirement in s 24(1)(c) of the Ontario Class Proceedings Act, 1992, SO 1992, c 6 [the Ontario  
Act], which authorizes acommon issues trial judge to assess damages on an aggregate basis where  
the aggregate amount of the defendant’s liability can reasonably be determined without proof by  
individual class members.  
[28] In response, the Plaintiff identifies other authorities from courts in Ontario and British  
Columbia that he argues support his position that Fulawka is a jurisprudential outlier on the point  
on which the Defendant relies. These authorities include a recent decision of the Ontario  
Superior Court of Justice in Fresco v Canadian Imperial Bank of Commerce, 2020 ONSC 4288  
at paras 20-22, in which Justice Belobaba described the decision on this point in Fulawka as an  
outlier, inconsistent with other jurisprudence of the Court of Appeal for Ontario and the language  
of the Ontario Act. Justice Belobaba invited the Court of Appeal to revisit this point.  
[29] However, in the appeal from Justice Belobaba’s decision, the Court of Appeal for Ontario  
declined this invitation, neither affirming nor departing from Fulawka (see Fresco v Canadian  
Imperial Bank of Commerce, 2022 ONCA 115 at paras 89-90). The Court concluded that any  
Page: 16  
ruling on the disputed point would have to wait until the completion of the plaintiff's proposed  
damages report, when it would be known whether statistical sampling would be used to fill any  
evidentiary gaps.  
[30] While these cases upon which the Plaintiff relies may suggest that the law in Ontario on  
this point is somewhat unsettled, it remains the case that Fulawka represents the most recent  
pronouncement on the law in Ontario by its Court of Appeal. However, I find compelling the  
Plaintiff’s argument that Fulawka is based on a provision of the Ontario Act that does not appear  
in the Rules of the Federal Court that apply to the present proceeding. The Defendant  
acknowledges that the Rules do not contain a provision similar to s 24(1)(c) but argues that, in  
McCrea at para 351, the Federal Court explicitly reviewed and adopted the principles of  
certification set out in Fulawka.  
[31] In my view, McCrea does not assist the Defendant, who relies on Justice Kane’s  
summary at paragraphs 350-352 of a list of principles set out at paragraph 81 of Fulawka  
regarding the establishment of a common issue. McCrea does not refer to, and I do not read it as  
necessarily endorsing, the analysis at paragraph 137 of Fulawka, based on s 24(1)(c) of the  
Ontario Act, upon which the Defendant’s argument relies.  
[32] The Plaintiff notes that Rule 348.28 addresses the Federal Court’s authority to make  
aggregate assessments in class proceedings as follows:  
334.28 (1) A judge  
334.28 (1) Le juge peut  
may make any order rendre toute ordonnance  
in respect of the  
assessment of  
relativement à  
l’évaluation d’une  
Page: 17  
monetary relief,  
including aggregate  
assessments, that is  
due to the class or  
subclass.  
réparation pécuniaire, y  
compris une évaluation  
globale, qui est due au  
groupe ou au sous-  
groupe.  
(3) For the purposes (3) Pour l’application de  
of this rule, a judge  
may order any  
special modes of  
proof.  
la présente règle, le juge  
peut ordonner le recours  
à des modes de preuve  
spéciaux.  
[33] I agree with the Plaintiff’s submission that these provisions do not include the restriction  
found in s 24(1)(c) of the Ontario Act. Indeed, Rule 334.28(3) expresses in broad terms the  
Court’s authority to order special modes of proof in connection with an aggregate assessment.  
[34] The Plaintiff also notes that, in Cuzzetto v Business in Motion International Corporation,  
2014 FC 17 [Cuzzetto] at paras 102-103, Justice Rennie (then of the Federal Court) cited Rule  
334.28 and stated that aggregate damages awards are available even if identifying class members  
who would be entitled to an award would be impractical or would require a case-by-case  
analysis. This statement appears inconsistent with the principle from Fulawka upon which the  
Defendant relies. Moreover, Justice Rennie explained in Cuzzetto that some guidance as to the  
appropriate amount of an aggregate award could be derived from an analysis which included data  
provided by class members in response to a survey conducted by counsel (at paras 99, 100, and  
106).  
[35] The Defendant also advances an argument that the prohibition against random sampling  
described in Fulawka should apply to this proposed class proceeding, because there is no  
Page: 18  
commonality among the proposed class members in relation to any damages to which they might  
be entitled as a result of the data breaches. Therefore, says the Defendant, a methodology  
employing a random sampling of the losses of actual class members would not assist the Court in  
accurately calculating aggregate damages.  
[36] In my view, this argument does not speak to the admissibility of Dr. Allen’s evidence. It  
is available to the Defendant to take the position on the main certification motion that the test for  
identification of common issues, including the application of that test to the proposed aggregate  
damages issue in particular, is not met. However, I do not see how this argument supports a  
conclusion that the impugned paragraphs of the Allen Report are inadmissible pursuant to a  
prohibition that is absent from the Rules.  
[37] In relation to both sets of impugned paragraphs, I find that the evidence in the Allen  
Report is relevant to the Court’s task of determining whether to certify the proposed common  
issue surrounding aggregate damages. I also accept the Plaintiff’s submissions that economic  
models for assessing the cost of identity theft are beyond the ordinary understanding of a Court. I  
therefore consider the impugned evidence to satisfy both the relevance and necessity criteria of  
Mohan.  
[38] The Defendant notes that Dr. Allen acknowledged in cross-examination that his report is  
based on certain assumptions, including that all losses suffered by the proposed class members  
resulted from the data breaches at issue, that the harm suffered was common throughout the  
class, that the Court has already found that the Defendant had a common duty to the class, and  
Page: 19  
that the Court has ruled in the Plaintiff’s favour concerning causation and the applicable standard  
of care. The Defendant argues that such assumptions are prejudicial, because they depend on a  
finding of liability not yet made. The Defendant also submits that is it prejudicial for the Allen  
Report to be presenting a quantification figure.  
[39] I find no merit to these arguments. It is not uncommon for an expert to make assumptions  
about the resolution of factual or legal issues upon which the expert is not personally opining.  
Obviously, if the assumptions turn out to be inaccurate, that may undermine the value of the  
opinion on the issue on which the expert is opining or indeed may eliminate that issue. However,  
I disagree with the Defendant’s position that the fact the assumptions underlying the opinion are  
favourable to one party serves to prejudice the other party and thereby render the opinion  
inadmissible. The Court is capable of recognizing assumptions for what they are.  
[40] Similarly, the fact that the Allen Report arrives at a floor or base quantification figure in  
demonstrating one of its proposed methodologies does not detract from the Court’s ability to  
consider the methodological evidence, as distinct from its possible result, for the purpose that is  
relevant to the certification motion.  
[41] I find the impugned paragraphs of the Allen Report admissible in the certification motion.  
The Defendant also relies on the evidence in the PWC Report in support of an argument that, if  
the impugned paragraphs are admitted, the Allen Report should be afforded little weight. I will  
return to that argument later in these Reasons, when analysing whether the Plaintiff has satisfied  
the criteria of Rule 334.16 such that this proceeding should be certified.  
Page: 20  
C. Should the Court strike the affidavit of Elizabeth Emery?  
[42] The Defendant seeks to strike the second Affidavit of Elizabeth Emery, affirmed on July  
23, 2021 [the Second Emery Affidavit], contained in the Plaintiff’s reply motion record for  
certification on the basis that it fails to identify the source of the affiant’s information and belief,  
is irrelevant to the certification criteria, contains unreliable opinion evidence, and constitutes  
improper reply.  
[43] To place the Second Emery Affidavit in context, it is useful to explain briefly the  
evidentiary record before the Court in the certification motion. In its original motion record, the  
Plaintiff filed a number of affidavits from proposed class members (or those who would have  
been members of the proposed class before the change in the proposed definition explained  
above), a first affidavit from Ms. Emery (then an articled clerk and now a lawyer at Murphy  
Battista, the law firm representing the previous plaintiffs in this matter), and two expert reports  
(including the Allen Report referenced earlier in these Reasons). The Defendant’s response  
includes affidavits from various government officials and expert reports of  
PricewaterhouseCoopers LLP (including the PWC Report referenced earlier in these Reasons).  
The Plaintiff’s reply evidence contains additional affidavits including the Second Emery  
Affidavit.  
[44] The Second Emery Affidavit appends various newspaper articles reporting on the wait  
times for the CRA helpline, the precautionary suspension of My Accounts by CRA in February  
and March of 2021, and the impact of CERB fraud on taxpayers’ income tax. Ms. Emery also  
Page: 21  
appends a news release indicating that the Taxpayers’ Ombudsperson will conduct a review of  
the communications CRA provided to taxpayers when it locked users out of their My Accounts  
in February 2021, as well as a statement from CRA regarding its decision to lock users’ My  
Accounts to prevent unauthorized access.  
[45] Ms. Emery states that her affidavit is affirmed in reply to the Defendant’s responding  
motion record and specifically the PWC Report (which, as previously explained, responds to the  
Allen Report’s opinion on methodologies for quantifying damages) and the affidavits of two  
government officials, Brian Rae and Mahmoud Gad.  
[46] Mr. Rae is the Director, Digital Operations Division, in the Digital Services Directorate,  
Assessment, Benefit and Service Branch of CRA. His affidavit, affirmed June 8, 2021 [the Rae  
Affidavit] explains the CRA My Accounts; different ways to register for and log in to My Accounts;  
links between CRA and ESDC; My Accountssecurity measures during the summer 2020 data  
breaches; CRA’s disabling of online access and notification letters to affected individuals; CRA’s  
timeframes for sending notification letters and follow-up letters; CRA’s security check letters; its  
disabling of online access to My Accounts in February 2021; and the revocation of individual  
credentials in March 2021.  
[47] Mr. Gad is a Senior Technical Advisor in the Information Technology Branch of CRA. In his  
affidavit affirmed June 30, 2021 [the Gad Affidavit], he addresses CRA’s multi-layered security  
approach to the defence of its networks, systems, and portal applications against infiltration by hostile  
actors; login methods for CRA portal services; actions taken by CRA in response to the data breaches  
Page: 22  
(also described as cyber security incidents); details regarding the credential stuffing attack (explained  
later in these Reasons as the type of cyber security incidents involved in this matter); the impact of the  
cyber security incidents; the CRA information technology security analysis of whether individual  
affiant accounts were affected by the cyber security incidents; and the payment of CERB to  
individuals who qualified but did not receive it as a result of actions of bad actors. (I note that, in  
their evidence and submissions, the parties use the terms “hacker”, “bad actor” and “threat actor”  
relatively interchangeably to refer to the person or persons who perpetrated the relevant data  
breaches.)  
[48] In challenging the admissibility of the Second Emery Affidavit, the Defendant first  
argues that it consists entirely of hearsay evidence that is outside Ms. Emery’s personal  
knowledge and is therefore inadmissible because it offends the requirements of Rule 81(1) by  
failing to identify the deponent’s source of information and belief. Ms. Emery states in her  
affidavit that she has personal knowledge of the facts and matters deposed to therein. She also  
states that, where facts are not within her personal knowledge, she has stated the source of the  
information and believes that information to be true. However, the Defendant argues that these  
boilerplate statements do not satisfy Rule 81(1), which requires an explanation of the basis for a  
deponent’s belief sufficient to demonstrate the reliability thereof (see, e.g., Kish v Facebook  
Canada Ltd, 2021 SKQB 198 at para 17; Williams v Canon Canada Inc, 2011 ONSC 6571 at  
para 102; Thorpe v Honda Canada, Inc, 2010 SKQB 39 at para 27).  
[49] The Plaintiff’s counsel admits that the boilerplate statements in the Second Emery  
Affidavit are inelegant but argue that this does not affect the admissibility of the evidence,  
Page: 23  
because it is not being relied upon for a hearsay purpose, i.e., to establish the truth of its contents.  
Therefore, Rule 81(1) does not apply. The Plaintiff relies on authority that, on a certification  
motion where the moving party need only establish that there is some basis in fact for the  
certification criteria, evidence can be admitted, even though it would not be admissible for the  
truth of its contents, in order to support, along with other evidence, that there is some basis in  
fact for those criteria (see, e.g., Canada v Greenwood, 2021 FCA 186 at para 96; Johnson v  
Ontario, 2016 ONSC 5314 [Johnson] at paras 54-67). As I summarized the conclusions in  
Johnson in Tippett v Canada, 2019 FC 869 [Tippett] at para 24:  
24. The Plaintiff relies on the decision in Johnson v Ontario, 2016  
ONSC 5314 at paras 54-67, which explained that, while a  
certification motion is not to be treated as an “evidentiary free for  
all,” the procedural nature and purpose of the motion must be kept  
in mind. The Court held that, while the evidence contained in  
inquest material and newspaper articles, as well as an ombudsman  
report referenced therein, was not admissible for the truth of its  
contents, it could be considered and assessed, along with the  
frailties it may contain, to determine whether the moving party has  
met the onus of establishing some basis in fact for the certification  
requirements.  
[50] Relying on these principles, I do not find the Second Emery Affidavit inadmissible based  
on the Defendant’s hearsay arguments. For the same reasons, I reject the Defendant’s arguments  
that the evidence is inadmissible because it includes unreliable opinions. To the extent the news  
articles attached as exhibits to the Second Emery Affidavit include statements of opinions, they  
are not at this stage of the proceeding being introduced for the truth of their contents, and their  
reliability is not presently at issue.  
Page: 24  
[51] The Defendant also submits that the Second Emery Affidavit should be struck because it  
is irrelevant to the issues in the certification motion and is not proper reply evidence. The  
Defendant asserts this argument first in relation to the evidence in the Second Emery Affidavit  
said to be offered in reply to paragraphs 66 to 71 of the Rae Affidavit, in which Mr. Rae explains  
that CRA disabled online accounts in February 2021 and revoked potentially compromised  
credentials in March 2021. The Defendant notes Mr. Rae’s evidence that these measures related  
to accounts that were not compromised in the 2020 breaches. The Defendant therefore submits  
that the articles attached to the Second Emery Affidavit, reporting on taxpayers’ reactions to  
these measures, are unrelated to the allegations in this proceeding. The Plaintiff responds that the  
Defendant cannot be certain that the risks to which CRA was responding in 2021 were unrelated  
to the 2020 breaches. I accept this submission, as the disputed articles include a Times Colonist  
report on the concerns of a taxpayer, reacting to being locked out of his account in February  
2021, after having also been affected by CRA’s data breach in August 2020.  
[52] As to whether this evidence, related to taxpayers’ reactions to the measures taken by  
CRA in February and March 2021, is proper reply, I am guided by the explanation in Angelcare  
Development Inc v Munchkin, Inc, 2020 FC 1185 at para 10 (quoting from Halford v Seed Hawk  
Inc, 2003 FCT 141):  
10.  
From the principle against case splitting, Justice Pelletier  
in Halford draws a general rule on the scope of reply evidence,  
stating at paragraph 14 that:  
14.  
evidence which simply confirms or repeats evidence given  
in chief is not to be allowed as reply evidence. It must add  
something new. But since the plaintiff is not allowed to split its  
case, that something new must be evidence which was not part of  
its case in chief. That can only leave evidence relating to matters  
Page: 25  
arising in defence which were not raised in the plaintiff's case in  
chief. …  
[Emphasis in original.]  
[53] The Defendant’s materials responding to the certification motion describe the February  
and March 2021 measures as demonstrating proactive steps taken by CRA to contain and  
eradicate the cyber security incident. This evidence therefore relates to a matter arising in  
defence, and it is appropriate for the Plaintiff to reply with evidence on what he would  
characterize as adverse effects of those measures and potentially linking those measures to the  
2020 data breaches. I therefore find that the paragraphs of the Second Emery Affidavit and  
related exhibits, offered in reply to paragraphs 66 to 71 of the Rae Affidavit, are admissible.  
[54] However, I have reached the opposite conclusion on the evidence offered in reply to  
paragraphs 47 and 48 of the Rae Affidavit. In those paragraphs, Mr. Rae explains how CRA  
provided notification to some of the My Account holders affected by the 2020 data breaches,  
including security protocols to be employed when they contacted the CRA call centre in response  
to such notification. The Second Emery Affidavit references (at paragraph 2) and attaches (at  
Exhibits B and C) articles on lengthy wait times and resulting frustration experienced by callers.  
However, the Defendant points out that several of the proposed class member affiants provided  
evidence on their own similar experiences. The new evidence relates to a matter that was raised  
in the Plaintiff’s evidence in its case in chief, and it is not appropriate to introduce more evidence  
on the same matter in reply. My Order will therefore strike paragraph 2 of the Second Emery  
Affidavit and the related Exhibits B and C.  
Page: 26  
[55] Finally, the Second Emery Affidavit seeks to introduce news articles about CERB fraud  
experienced by taxpayers who were affected by the data breach, including adverse tax  
consequences resulting from CERB payments being attributed to them as income. Ms. Emery  
says that this evidence is offered in reply to section 2.4 of the PWC Report and paragraphs 8 and  
26 of the Gad Affidavit.  
[56] I am satisfied that this new evidence is appropriate reply to paragraph 26 of the Gad  
Affidavit, which asserts that CRA has made whole and is continuing to make whole those who  
did not receive COVID-related benefits because payments had been made to bad actors through  
their accounts. While the Defendant points out that the proposed class member affiants provided  
evidence of concern about the effects upon them of CERB-related fraud, I read the new evidence  
as intended to cast doubt upon the Defendant’s subsequent evidence to the effect that those  
affected were being made whole.  
[57] To the extent the Defendant advances arguments in support of a position that, if the  
Second Emery Affidavit is admitted it should be afforded little weight, such arguments would be  
best addressed, if necessary, when analysing whether the Plaintiff has satisfied the criteria of  
Rule 334.16 such that this proceeding should be certified.  
D. Has the Plaintiff satisfied the criteria of Rule 334.16, such that this  
proceeding should be certified?  
(1) Factual Background  
(a) CRA’s My Accounts  
Page: 27  
[58] Before turning to the individual requirements for certification, it is helpful to canvass in  
more detail the factual background to the Plaintiff’s action. As explained earlier in these  
Reasons, the effect of the “some basis in fact” threshold is that the Court is not required on a  
certification motion to weigh the evidence and make findings of fact. However, much of the  
factual background to this action appears to be undisputed. Indeed, both parties rely significantly  
on the evidence of the Defendant’s affiants, including expert evidence, in explaining the nature  
of the online Government accounts, and the breaches thereof, underlying his action. The  
following summary is derived from the parties’ explanations of the background in their  
respective Memoranda of Fact and Law. I will identify any factual components of this summary  
that I understand to be in dispute.  
[59] As previously noted, CRA maintains an online portal, styled as My Account, that allows  
individual Canadian taxpayers to access CRA’s services online and manage their tax affairs.  
Taxpayers can register for, and subsequently access, My Account, in three different ways: (a)  
through CRA’s own Credential Management System [CMS]; (b) through a sign-in partner such  
as using a bankcard; or (c) through a BC Services Card. As will be explained in more detail  
below, only the first of these methods, using CRA’s CMS, was affected by the data breaches that  
are the subject of this action. Registering for My Account using CRA’s CMS involves an  
individual taxpayer creating a CRA user ID and password, as well as selecting five security  
questions and creating answers to those questions, following which CRA provides the taxpayer  
with a security code to be used to complete the registration process.  
Page: 28  
[60] When accessing My Account, the individual must enter the user ID and password and  
answer one of the security questions, which is randomly generated from among the five  
questions the individual selected during registration. The taxpayer can then view detailed tax  
information, including the status of tax returns, notices of assessment and reassessment, RRSP  
deduction limits, TFSA contribution room, and tax information slips, as well as personal  
information including addresses, telephone numbers, direct deposit banking information, marital  
status, and children in the taxpayer’s care. The taxpayer can also apply for CERB and other  
benefits through My Account.  
(b) GCKey and ESDC’s My Service Canada Accounts  
[61] Somewhat similarly, ESDC also maintains an online portal, styled as My Service Canada  
Accounts [MSCA], which individuals can use to access several ESDC programs, including  
Employment Insurance [EI], Canada Pension Plan [CPP] and Old Age Security [OAS] programs.  
Users can register for and subsequently access their MSCA through three methods: (a) using a  
GCKey credential; (b) using a sign-in partner; or (c) using a provincial digital identification in  
Alberta or British Columbia. Only the first of these methods, using GCKey, was affected by the  
data breaches that are the subject of this action.  
[62] GCKey is a credential management service provided to the Government by a third party  
vendor named 2Keys Corporation [2Keys] and is intended to provide a single method of online  
access to many Government online services [Enabled Services]. GCKey assists over 30  
Government departments, including ESDC; Parks Canada; Immigration, Refugees and  
Page: 29  
Citizenship Canada; Natural Resources Canada; and the Royal Canadian Mounted Police, in  
controlling access to over 100 Enabled Services. CRA does not use GCKey.  
[63] To register for GCKey, a user chooses a username and password and requests a personal  
access code, which is used to complete the registration process. Subsequently, users can access  
GCKey through the username and password, described in the Defendant’s Memorandum of Fact  
and Law as “single factor authentication”. Unlike with CRA’s My Accounts, there is no second  
step of answering a security question in order to access GCKey or to use GCKey to access  
MSCA. However, individual Government departments can implement additional security  
controls based on their specific Enabled Services.  
[64] Once a user accesses MSCA through GCKey, the user can view tax information  
including tax slips, records of employment, information regarding EI applications, CPP, OAS,  
and other personal information including mailing addresses, telephone numbers, direct deposit  
banking information, names, SINs, and dates of birth. Significant to some of the data breaches  
underlying this action, at times material to the action a user accessing MSCA could also view  
and access all personal information contained in the user’s CRA My Account, through an e-  
linking service between MSCA and My Account, without having to re-authenticate. In other  
words, a CRA My Account could be accessed using GCKey via MSCA, without having to  
answer the security question that would be required to access My Account directly.  
[65] Like CRA’s My Account, ESDC’s MSCA represented a means by which users could  
apply for the CERB.  
Page: 30  
(c) The Data Breaches  
[66] In the summer of 2020, GCKey and CRA’s My Account were the subject of what the  
cybersecurity industry describes as a “credential stuffing attack” by a threat actor, predominantly  
targeting CRA and ESDC as a means of fraudulently applying for COVID relief benefits (CERB  
and the Canada Emergency Student Benefit [CESB]) that had been introduced by the  
Government in the spring of 2020). Credential stuffing is a form of cyber attack that relies on the  
use of stolen credentials (username and password) from one system to attack another system and  
gain unauthorized access to an account. This type of attack relies on the reuse of the same  
username and password combinations by people over several services. Threat actors sell lists of  
credentials on the Dark Web. Credential stuffing usually refers to the attempt to gain access to  
many accounts through a web portal using an automated bot system rather than manually  
entering the credentials. On dates in July 2020, CRA’s My Account experienced large numbers  
of failed logins, which have since been identified as a precursor to, or otherwise part of, a  
credential stuffing attack against that service.  
[67] A threat actor attempting to access a particular My Account through credential stuffing  
would typically have encountered the requirement to successfully answer one of the five security  
questions selected by the user. However, during the attack that occurred in the summer of 2020,  
the threat actor(s) were able to bypass the security questions, and access My Account, because of  
a misconfiguration in CRA’s credential management software. CRA learned of this method to  
bypass the security questions on August 6, 2020, when it received a tip from a law enforcement  
partner that such a method was being sold on the Dark Web. Among other steps taken to respond  
Page: 31  
to the data breach, CRA subsequently identified the relevant misconfiguration in its software,  
which it remedied on or about August 10, 2020.  
[68] In the meantime, at least 48,110 My Accounts were impacted by the unauthorized use of  
credentials, meaning that the threat actor was able to enter a valid CRA user ID and password.  
Of those 48,110 My Accounts, 21,860 involved no progress by the threat actor beyond entering  
the ID and password, such that the threat actor did not access the accounts. This is potentially  
understood as a stage of the attack in which the threat actor was ensuring that the credentials  
worked. The threat actor(s) actually logged in to 26,250 My Accounts. In 13,550 of the My  
Accounts, although the security question bypass was used, the threat actor only viewed the  
homepage, meaning that some personal information was accessed, but no application was  
submitted for CERB. In 12,700 of the My Accounts, the threat actor changed the relevant  
taxpayer’s direct deposit banking information and fraudulently applied for CERB.  
[69] The Defendant’s expert evidence explains that post-incident analysis revealed that the  
credential stuffing attack against CRA’s CMS system occurred between July 27 and August 10,  
2020. I understand that, at least at this stage of the proceeding, the Plaintiff does not necessarily  
accept these temporal limits on the duration of the attack.  
[70] CRA initially treated as potentially compromised any My Account where a valid set of  
credentials was used, even if the account was not actually accessed, and sent notification letters  
to the account holders, including offering enhanced protection services for a period at no cost.  
Page: 32  
[71] Turning to the attack on GCKey, the evidence is that on June 18, 2020, and on various  
dates in July 2020, it experienced large numbers of failed logins, which have since been  
identified as a precursor to, or otherwise part of, a credential stuffing attack against the GCKey  
service. 2Keys advised the Government on August 4, 2020 that they had noticed some login  
anomalies in the previous days, and August 5, 2020, 2Keys determined that the suspicious login  
activity was a large-scale credential stuffing attack on the GCKey service.  
[72] ESDC is the Government department that suffered the greatest impact from the attack on  
GCKey. ESDC has identified 5,957 accounts across several Enabled Services that were  
potentially impacted by the attack, of which 3,439 accounts were accessed by someone  
(including potentially the rightful owner) between July 15 and August 5, 2020, including access  
for purposes of changing banking information or addresses. Subsequent analysis concluded that  
the remaining 2,518 of the 5,957 accounts showed no access. 3,200 compromised MSCAs were  
used to access CRA My Accounts via the link between MSCA and CRA, and 1,200 of those  
accounts were used to apply for CERB or other COVID-related benefits.  
[73] Among other steps taken to respond to the data breach, the Defendant’s evidence is that,  
as of August 14, 2020, 2Keys was able to block all botnet traffic on the GCKey service and  
block the credential stuffing attack from occurring further. On August 14, 2020, ESDC also  
disabled the link between the MSCA and CRA My Account. Again, I understand that the  
Plaintiff does not necessarily accept this temporal limit on the duration of the attack.  
Page: 33  
[74] Between August 1, 2020, and August 25, 2020, ESDC sent notification letters to all  
affected ESDC account holders that use the GCKey service, informing them that their accounts  
may have been accessed as a result of the credential stuffing attack. ESDC offered two years of  
credit monitoring with Equifax to anyone whose information may have been accessed as a result  
of the attack.  
(2) Disclosure of a Reasonable Cause of Action  
[75] The first requirement for certification is that prescribed by Rule 334.16(1)(a), that the  
pleadings disclose a reasonable cause of action. The test applied to this requirement is the same  
as on a motion to strike, i.e. whether it is plain and obvious that the pleading discloses no  
reasonable cause of action. This analysis is not to be conducted based on evidence submitted by  
the parties, but rather based on the assumption that the facts as pleaded are true (see, e.g.,  
Condon v Canada, 2015 FCA 159 [Condon FCA] at paras 11-13).  
[76] The Plaintiff advances causes of action in systemic negligence, breach of confidence, and  
intrusion upon seclusion. The Defendant argues that the Plaintiff’s pleadings do not disclose a  
reasonable cause of action in any of these torts. I will consider each proposed cause of action  
individually.  
(a) Systemic Negligence  
(i) The Parties’ Positions  
Page: 34  
[77] Both the Third SOC and the Fourth SOC are materially identical in their framing of the  
Plaintiff’s allegations of systemic negligence. They allege that the Defendant owed a common  
law and non-delegable duty to the Plaintiff and other Class Members to use reasonable care in  
the collection, storage, and retention of their personal and financial information and a duty to  
ensure that this personal and financial information was safe, kept private, and protected and that  
it would not be subject to unauthorized disclosure to a third party.  
[78] The Plaintiff pleads s 8(1) of the Privacy Act, RSC 1985, c P-21, pursuant to which  
personal information under the control of the Defendant cannot, without the consent of the  
individual to whom the information relates, be disclosed by the Defendant, and asserts that the  
Defendant’s breach of the Privacy Act is evidence that its conduct fell below the applicable  
standard of care.  
[79] The pleadings articulate a number of alleged systemic breaches of the Defendant’s duty  
by, among other things, failing to create or adhere to Government policies relevant to the  
collection, storage, retention and disclosure of personal and financial information; failing to take  
reasonable steps to protect such information; failing to offer a non-vulnerable security question  
mechanism for users of the GCKey, My Account, and MSCA systems; failing to follow industry  
norms regarding two factor authentication for these accounts; and failing to take reasonable  
steps, including freezing the online systems, when they knew or ought to have known of the data  
breaches.  
Page: 35  
[80] The pleadings assert that measures taken by the Defendant in the latter part of 2020 to  
protect its databases, systems and other relevant online accounts should have been taken prior to  
the unauthorized data breaches. They further assert that the Defendant’s breaches caused the  
Plaintiff and other Class Members harm and ongoing damages, including distress, anxiety,  
mental anguish, lost time, lost opportunities, and out-of-pocket expenses.  
[81] The Defendant raises a number of arguments in support of its position that the Plaintiff’s  
pleadings do not disclose a reasonable cause of action in systemic negligence. The Defendant  
submits that the Plaintiff has failed to plead any facts to support a relationship of proximity  
necessary to establish a prima facie duty of care; that the negligence claim cannot succeed  
because it challenges a core policy decision that is immune from liability; and that the claim  
should fail because it seeks to impose a duty of care in circumstances that would result in  
indeterminate liability to an indeterminate class.  
[82] The parties agree that the principles governing whether a duty of care will be recognized  
in a given case alleging liability of a public authority are those derived from Anns v Merton  
London Borough Council, [1978] AC 728 (HL) [Anns], as applied in Cooper v Hobart, 2001  
SCC 79 [Cooper], and its companion case, Edwards v Law Society of Upper Canada, 2001 SCC  
80 [Edwards]. As summarized in Edwards at paras 8-10:  
8. The companion case of Cooper outlines the approach in  
assessing whether a duty of care will be recognized in a given case.  
Specifically, Cooper revisits the Anns test and clarifies the express  
policy components to be considered at each stage.  
9. At the first stage of the Anns test, the question is whether the  
circumstances disclose reasonably foreseeable harm and proximity  
sufficient to establish a prima facie duty of care. The focus at this  
Page: 36  
stage is on factors arising from the relationship between the  
plaintiff and the defendant, including broad considerations of  
policy. The starting point for this analysis is to determine whether  
there are analogous categories of cases in which proximity has  
previously been recognized. If no such cases exist, the question  
then becomes whether a new duty of care should be recognized in  
the circumstances. Mere foreseeability is not enough to establish a  
prima facie duty of care. The plaintiff must also show proximity  
that the defendant was in a close and direct relationship to him  
or her such that it is just to impose a duty of care in the  
circumstances. Factors giving rise to proximity must be grounded  
in the governing statute when there is one, as in the present case.  
10. If the plaintiff is successful at the first stage of Anns such that  
a prima facie duty of care has been established (despite the fact  
that the proposed duty does not fall within an already recognized  
category of recovery), the second stage of the Anns test must be  
addressed. That question is whether there exist residual policy  
considerations which justify denying liability. Residual policy  
considerations include, among other things, the effect of  
recognizing that duty of care on other legal obligations, its impact  
on the legal system and, in a less precise but important  
consideration, the effect of imposing liability on society in general.  
(ii) Foreseeability  
[83] Beginning with the first stage of the Anns/Cooper test, which considers both  
foreseeability and proximity, the Defendant relies on Del Giudice v Thompson, 2021 ONSC  
5379 [Del Giudice], in support of its position that the harm to the Plaintiff and the proposed  
Class Members in the case at hand was not reasonably foreseeable. Del Giudice addressed a  
certification motion arising from the defendant Thompson’s hacking of the database of personal  
information collected by the defendant banks and financial institutions and held on the servers of  
the defendant Amazon Web. As a consequence of this data breach, personal and confidential  
information of 106 million applicants for Capital One credit cards was exposed or became  
vulnerable to exposure to the public. Among their claims, the plaintiffs sought to certify causes  
Page: 37  
of action against Amazon Web in negligence and breach of a duty to warn of the risk of the data  
breach perpetrated by Thompson.  
[84] In addressing the foreseeability of the harm suffered by the proposed class members, the  
Court relied on Rankin (Rankin’s Ranch & Sales) v JJ, 2018 SCC 19 [Rankin], in which the  
Supreme Court considered the foreseeability of personal injury resulting from an unlicensed and  
inebriated minor operating a motor vehicle after stealing it from the defendant’s garage. The  
Supreme Court accepted that the evidence could establish, as the jury found, that the defendant  
ought to have known of the risk of theft. However, the Court concluded that it did not  
automatically flow from evidence of the risk of theft in general that the garage owner should  
have considered the risk of physical injury. Rather, physical injury was foreseeable only if there  
was something in the facts to suggest not only a risk of theft, but that the stolen vehicle might be  
operated in a dangerous manner (at para 34).  
[85] Del Giudice drew a parallel between the personal injury claim in Rankin and the claim  
against Amazon Web, concluding that, while Amazon Web could have foreseen the possibility  
of data it was storing being stolen and misused, that did not make the resulting harm a reasonably  
foreseeable consequence of its alleged carelessness (at para 241). In arriving at that conclusion,  
the Court reasoned that the wrong suffered by the class members was the data breach perpetrated  
by Thompson, which was not connected to a wrong perpetrated by Amazon Web.  
[86] In my view, the reasoning in Del Giudice is not particularly compelling. I appreciate that,  
in both Rankin and Del Giudice, there was another party (respectively, the car thief and  
Page: 38  
Thompson) who was the immediate cause of the harm. However, I have difficulty with the  
parallel that Del Giudice draws with Rankin. As the Supreme Court reasoned in Rankin, the theft  
of property does not automatically translate into anticipation that the stolen property will be  
operated in a dangerous manner so as to cause personal injury (at para 34). However, Del  
Giudice does not explain why, in the case of a data breach, the risk of unauthorized use of data  
by the bad actor who wrongfully accessed it, presumably for personal gain, and the attendant  
harm to its owner should be regarded as similarly unanticipated.  
[87] I agree with the Plaintiff’s submission that, considering the authorities that analyse  
foreseeability in the context of a data breach, the reasoning of the Supreme Court of British  
Columbia in Tucci v Peoples Trust Company, 2017 BCSC 1525, [Tucci] (upheld on this point in  
Tucci v Peoples Trust Company, 2020 BCCA 246 [Tucci BCCA]) is the more persuasive. Tucci  
addressed a certification motion in an action alleging that the defendant trust company did not  
adequately secure personal information collected on its online application portal and stored in  
online databases. The plaintiff asserted causes of action, including negligence, alleging that  
unauthorized persons were able to access the personal information, putting the proposed class  
members at risk of identity theft and other harms. In applying the first stage of the Anns/Cooper  
test, including the foreseeability element, the Supreme Court of British Columbia held as follows  
(at para 123):  
123  
In my view it is not plain and obvious that the first stage of  
the Anns/Cooper test is not met. The plaintiff has pleaded  
sufficient facts capable of establishing that harm was reasonably  
foreseeable. The information collected by Peoples Trust was  
sensitive and collected in the course of online applications for  
financial services. It is arguably reasonably foreseeable that harm  
such as identity theft could result if such information were  
disclosed or not securely stored, and it was again arguably  
Page: 39  
foreseeable to Peoples Trust given the various policies and  
contractual terms it developed. Further, the plaintiff has pleaded  
sufficient facts that could establish a close and direct relationship  
between Peoples Trust and individuals who applied to it for  
financial services.  
[88] Tucci BCCA upheld this component of the analysis, concluding that the allegations of  
negligence were arguably sufficient at law to create a relationship giving rise to a duty of care,  
such that it was not plain and obvious at the certification stage of the proceeding that a  
negligence claim cannot succeed (at para 51).  
[89] In the case at hand, the Plaintiff has pleaded that the online Government accounts of the  
proposed Class Members, which were the subject of the data breaches, contain detailed personal  
and financial information, including financial records, notices of assessment, banking  
information, information on income, disabilities, children, relationship status and investments,  
and information related to EI, immigration status, CPP and OAS. The Plaintiff also pleads that  
that the Defendant has policies and guidance on cybersecurity, which serve to impose  
responsibilities upon the Defendant and to which it failed to adhere. As in Tucci, I find that it is  
arguably reasonably foreseeable that that the proposed Class Members would suffer the  
categories of harm alleged by the Plaintiff as a result of the data breaches.  
(iii) Proximity  
[90] Still in connection with the first stage of the Anns/Cooper test, the Defendant also  
submits that the Plaintiff has not shown that proximity exists between the proposed Class  
Members and the Defendant such as would make it just to impose a duty of care in the  
Page: 40  
circumstances of this case. As noted above, Edwards explains at paragraph 9 that the starting  
point for this analysis is to determine whether there are analogous categories of cases in which  
proximity has previously been recognized. The Plaintiff argues that Tucci is such a case, as are  
John Doe v Canada, 2015 FC 916 [John Doe], Condon FCA, and Obodo v Trans Union of  
Canada, Inc, 2021 ONSC 7297 [Obodo]. The Defendant responds that these are all decisions on  
certification motions and therefore do not represent authority for the recognition of the requisite  
proximity and the resulting duty of care.  
[91] John Doe addressed a certification motion in which the plaintiffs pleaded that the  
defendant Government identified them as participants in the Marijuana Medical Access Program  
by sending letters to them through the mail that identified that Program as the return address. In  
concluding that the proceeding should be certified, Justice Phelan held that the plaintiffs had  
adequately pleaded the requisite elements of negligence, including the duty of care, and that  
these pleadings were sufficient for purposes of the motion (at paras 33-36). John Doe was upheld  
on this point in Canada v John Doe, 2016 FCA 191 [John Doe FCA].  
[92] Logically, I agree with the Plaintiff that, in order for the cause of action in negligence to  
have been certified in John Doe, the Court must have concluded that the requisite proximity  
existed. However, the decision contains no express analysis of this point, as it appears that the  
defendant was not arguing a lack of proximity. Moreover, John Doe is not a cybersecurity case,  
and its facts, in which it was the Government itself that was alleged to have disclosed personal  
information, without any involvement by a third-party bad actor, are sufficiently different from  
Page: 41  
those in the case at hand that I have difficulty treating it as an analogous case in which proximity  
has previously been recognized.  
[93] In Condon FCA¸ the Federal Court of Appeal allowed an appeal from Condon v Canada,  
2014 FC 250 [Condon], which had concluded that it was plain and obvious that a claim in  
negligence would fail. Condon involved a motion to certify a class proceeding against the  
Government resulting from its loss of an external hard drive on which it stored the personal  
information of participants in the Canada Student Loans Program. While the Federal Court  
certified the proceeding based on other causes of action, it accepted the defendant’s position that  
the plaintiffs had failed to raise sufficient arguments as to the existence of compensable damages  
and therefore concluded that it was plain and obvious that a proposed claim based on negligence  
would fail (at paras 68 and 79).  
[94] In Condon FCA, the Federal Court of Appeal held at paragraphs 15 to 18 that the Federal  
Court had erred by evaluating the evidence in concluding that the plaintiffs had not suffered any  
compensable damages and by failing to consider the pleaded claims for costs incurred in  
preventing identity theft and out-of-pocket expenses. As with John Doe, there is no express  
proximity analysis, as the defendant does not appear to have raised proximity as an impediment  
to certification, and the facts are sufficiently different from the present case that I would not  
regard Condon FCA as an analogous case in which proximity has previously been recognized.  
[95] Unlike John Doe and Condon, Obodo is a cybersecurity case, arising from a large-scale  
intrusion by unknown and unauthorized persons into the database of the defendant Trans Union.  
Page: 42  
The hackers accessed the credit profiles of 37,444 individuals whose financial information was  
held by Trans Union. However, while challenging certification of the plaintiff’s negligence claim  
on other bases related to the categories of damages claimed, Trans Union acknowledged that the  
claim disclosed facts sufficient to establish a breach of a duty of care (at paras 116-118). As  
such, Obodo does not provide any analysis of proximity.  
[96] However, as reflected in paragraph 123 of Tucci, the Plaintiff is correct that in that case  
the Supreme Court of British Columbia found the required proximity, in that sufficient facts had  
been pleaded to establish a close and direct relationship between Peoples Trust and individuals  
who applied to it for financial services. As previously noted, the Court of Appeal for British  
Columbia agreed with this conclusion. As I read Tucci, the Court based its conclusion on pleaded  
facts to the effect that individuals applied to Peoples Trust for financial services and, in doing so,  
provided it with their sensitive financial information.  
[97] In the case at hand, the Plaintiff similarly bases his proximity arguments on the fact that  
he and the proposed Class Members had applied or registered for the Government’s secure  
portals. The Plaintiff submits that the requisite proximity is found in the relationship between  
Government entities who have offered online access to data and individuals who have availed  
themselves of that access and created profiles in the expectation that their personal and financial  
information would be kept secure.  
[98] The Defendant acknowledges that one of the situations in which sufficient proximity may  
exist, for a government to owe a private law duty of care to an individual plaintiff, is where there  
Page: 43  
have been specific interactions between the government and the individual (see R v Imperial  
Tobacco Canada Limited, 2011 SCC 42 [Imperial Tobacco] at para 45). However, the Defendant  
argues that the Plaintiff has not pleaded facts that would support a finding of proximity on this  
basis.  
[99] In response to this argument, the Plaintiff submits that the Third SOC identifies that he  
had a CRA online account that was breached and expressly defines the proposed Class as  
persons whose personal or financial information in their online Government accounts was  
disclosed to a third party. The Plaintiff has also provided in draft a Fourth SOC, which he seeks  
leave to file in the event the amendments therein are necessary to respond to the Defendant’s  
argument. These amendments include a more express statement that the Plaintiff had an online  
account with CRA and that he signed up for and used the CRA My Account, to the mutual  
benefit of himself and the Defendant, the latter gaining benefit by automating functions that  
otherwise would require increased staffing and expense.  
[100] In my view, the pleaded facts in the Third SOC, as identified in the Plaintiff’s  
submission, sufficiently assert a basis for proximity consistent with that recognized in Tucci. I  
am conscious of the Defendant’s argument that, as Tucci is a certification decision, it does not  
represent authority for past recognition of the requisite proximity in an analogous case as  
contemplated by the Anns/Cooper test. The Defendant also submits that the certification of  
negligence as a common issue does not preclude a defendant from arguing at a common issues  
trial that it does not owe a duty of care, including that no proximity exists with class members or  
that a duty could be negated by policy considerations.  
Page: 44  
[101] I agree with the Defendant’s submission that these defence arguments would remain  
available to it at trial, notwithstanding success by the Plaintiff in certifying his action. Indeed, the  
Plaintiff does not disagree with the Defendant’s position on this point, which naturally follows  
from the fact that the Court’s conclusion on certification is only that it is not plain and obvious  
that the pleading discloses no reasonable cause of action. Tucci found that it was not plain and  
obvious that the first stage of the Anns/Cooper test was not met, and I consider that finding  
sufficient authority for a comparable finding in the case at hand.  
[102] In so concluding, I am also conscious of the fact that Tucci involved a claim against a  
private sector defendant, and I acknowledge the Defendant’s argument that, because of the  
breadth of public bodies’ involvement in the collection of personal and financial information,  
imposing a duty of care to protect against unintended disclosures through cyber security  
incidents raises policy concerns of indeterminate liability. However, I consider that argument to  
be best addressed in the second stage of the Anns/Cooper test, and will do so later in these  
Reasons.  
[103] Even if I were to conclude that Tucci is not sufficient authority for satisfaction of the first  
stage of the test, making it necessary for the Court to consider, without the benefit of previous  
authority, whether the Defendant was in a close and direct relationship to the Plaintiff and the  
proposed Class Members such that it is just to impose a novel duty of care in the circumstances, I  
would still find the first stage of the Anns/Cooper test to be met on the facts pleaded in this  
action. The Third SOC identifies the Plaintiff and the proposed Class as persons with online  
Government accounts containing personal and financial information. As previously noted, the  
Page: 45  
Plaintiff argues that the requisite proximity arises from the relationship between Government  
entities who have offered online access to data and individuals who have availed themselves of  
that access and created profiles in the expectation that their personal and financial information  
would be kept secure. In my view, this is a reasonably arguable position, such that it is not plain  
and obvious to me that the first stage of the Anns/Cooper test is not met.  
[104] Before finishing with the first stage of the test, I will briefly address the Plaintiff’s  
request for leave to file the Fourth SOC, which accompanied his Reply Memorandum of Fact  
and Law. I understand that request to be an alternative position, if necessary to respond to the  
Defendant’s argument that the Third SOC does not plead facts sufficient to establish the requisite  
proximity. As I have found the Third SOC sufficient, I need not consider whether leave should  
be granted to make the amendments proposed in the Fourth SOC.  
[105] Moreover, I am conscious of the Defendant’s argument in resisting the Plaintiff’s request  
for leave. By Order dated November 2, 2021 [Case Management Order], Associate Justice Ring  
ordered that a case management teleconference be requisitioned if the Plaintiff intended to make  
any further amendments to the Statement of Claim prior to the hearing of the certification  
motion. This was to ensure the proposed amendments and their impact on the litigation schedule  
could be discussed with the Court. The Defendant correctly asserts that the Plaintiff did not  
comply with the requirement in the Case Management Order. With the exception of an  
amendment to the proposed Class definition, which I will address later in these Reasons, I  
therefore decline to grant the Plaintiff leave to file its amendment. If, following the issuance of  
Page: 46  
this certification decision, the Plaintiff considers that a pleading amendment remains necessary,  
he can seek leave through the case management process.  
(iv) Policy Considerations  
[106] I therefore turn to the second stage of the Anns/Cooper test. In taking the position that  
there are applicable policy considerations that should serve to negate a duty of care, the  
Defendant first relies on the principle that a duty of care should not be found in connection with  
a core policy decision. As explained in Nelson (City) v Marchi, 2021 SCC 41 at paragraph 44,  
courts should not interfere with policy decisions, as this would represent second-guessing the  
decisions of democratically elected government officials. In Imperial Tobacco at paragraph 90,  
the Supreme Court concluded that core policy government decisions are decisions as to a course  
or principle of action that are based on public policy considerations, such as economic, social  
and political factors. These are protected from suit provided they are neither irrational nor taken  
in bad faith.  
[107] The Defendant submits that it is clear from the Plaintiff’s pleadings that his allegations  
essentially amount to a criticism of the Government’s core policy decision to use existing  
systems to roll out the CERB and other COVID relief benefits at the beginning of the pandemic.  
In support of this argument, the Defendant refers to the Plaintiff’s pleading as including the  
following:  
A. that the timing of the first data breach correlated with the Government’s introduction  
of the CERB program and the breaches continued through the period that COVID  
benefits were being offered;  
Page: 47  
B. that the online application system for CERB and CESB was implemented hastily and  
recklessly without taking necessary precautions to protect the Plaintiff’s and Class  
Members’ personal and financial information in their online Government accounts;  
C. that the Defendant ought to have known that its databases and online systems were  
vulnerable to unauthorized breaches and failed to take timely and reasonable  
protective measures both before and after launching the online CERB and CESB  
programs; and  
D. that CRA was aware of an increase in fraudulent activity at the beginning of each  
monthly CERB and CESB period and generally during the time at issue but did  
nothing to notify or warn the Plaintiff.  
[108] The Defendant submits that the Government’s decision to use existing systems to deliver  
COVID relief benefits achieved its intention of Canadians having broad accessibility to apply for  
and receive the benefits rapidly. The Defendant argues that this decision is therefore one of core  
policy, which is immune from liability.  
[109] In response, the Plaintiff submits that, far from criticizing this decision, he considers it an  
admirable goal on the part of the Government to quickly deliver benefits to those in need. The  
Plaintiff argues that his allegations focus not on this decision but on what he asserts were  
inadequate security protocols in place for those Canadians who had elected to register for online  
services with CRA and other government accounts, expecting that their personal or financial  
information would be secure.  
Page: 48  
[110] I do not find the Defendant’s argument particularly compelling. While the decision to  
employ existing systems to deliver COVID relief benefits could potentially be characterized as a  
policy decision, I have difficulty with the Defendant’s position that the Plaintiff’s allegations  
focus upon this decision. I accept that the Third SOC alleges a relationship between the  
introduction of the COVID benefits in the spring of 2020 and the subsequent cyber security  
incidents, both in terms of timing and the objectives of the threat actors. However, I find  
reasonably arguable the Plaintiff’s position that his assertions of actionable errors or omissions  
on the part of the Defendant focus upon allegedly inadequate online security measures. As it will  
remain available to the Defendant to raise its policy argument at a common issues trial, I will not  
analyse this issue further other than that to conclude that it is not plain and obvious to me that  
this argument will negate the existence of a duty of care.  
[111] I also note that, in Ari v Insurance Corporation of British Columbia, 2015 BCCA 468  
[Ari], the Court of Appeal for British Columbia found that a duty of care should not be  
recognized for several public policy reasons. In Ari, at the core of the negligence claim as  
pleaded was the adequacy of security measures that the defendant undertook as a matter of  
policy pursuant to its statutory obligations to protect personal information in its custody (at para  
52). The Court noted that the policy decisions of public bodies are not actionable in negligence.  
This case is distinguishable in that the Plaintiff’s pleadings include allegations that the Defendant  
breached his duty by failing to adhere to its policies to ensure protection of his and the other  
Class Memberspersonal financial information. Tucci distinguished Ari on a similar basis (at  
para 131).  
Page: 49  
[112] Next, the Defendant submits that there are policy reasons negating a duty of care in that  
such a duty would raise the spectre of indeterminate liability on the part of the Government. As  
explained in Alberta v Elder Advocates of Alberta, 2011 SCC 24 at paragraph 74, the possibility  
of unlimited government liability to an unlimited class may tax public resources and chill  
governmental intervention. Cooper (at para 54) and Imperial Tobacco (at para 99) raise this  
concern in circumstances where a government has no control over the number of potential  
claimants.  
[113] The Defendant relies on Ari, which addressed a motion to strike a claim arising from a  
breach of privacy by an Insurance Corporation of British Columbia [ICBC] employee. The claim  
alleged that ICBC breached its alleged duty by failing to have an adequate system in place to  
prevent unauthorized access to personal information. As previous noted, the Court of Appeal for  
British Columbia concluded that no duty of care could be recognized because of several policy  
concerns. These concerns included that recognizing a duty of care would raise the spectre of  
indeterminate liability (at para 50).  
[114] In my view, the indeterminate liability argument is among the strongest of the  
Defendant’s submissions in opposing the Plaintiff’s certification motion. In Tucci, the Court  
identified the policy concerns raised by the defendant as a difficult issue and considered the  
analysis in Ari that supported the defendant’s position. However, it concluded that the  
indeterminate liability concerns that arose in Ari did not apply because the same duty is not  
legislated for all private entities (at para 132). The indeterminate liability concern is arguably  
greater in the case at hand, in that the duty of care that the Plaintiff seeks to impose could  
Page: 50  
potentially apply to any public entity storing personal or confidential information through an  
online portal.  
[115] In Ari and other authorities upon which the Defendant relies, courts have been prepared  
to conclude at the pleadings or certification stage of a proceeding that, based on policy  
considerations, including concerns of indeterminate liability, no duty of care exists. Ari expressly  
stated that this determination did not require consideration at trial of the factual matrix beyond  
that disclosed in the pleadings (at para 63). However, Ari is distinguishable on this point,  
because the indeterminate liability concern resulted from the fact that the source of the duty  
alleged by the plaintiff arose solely out of ISBC’s statutory obligation under the Freedom of  
Information and Protection of Privacy Act, RSBC 1996, c 165, to make reasonable security  
arrangements to protect personal information in its custody. The Court reasoned that every public  
body collecting personal information could be subject to the same private law duty of care that  
the plaintiff sought to impose based on the statutory obligation (at para 50).  
[116] In contrast, in the case at hand, the Plaintiff emphasizes that he is proposing a Class  
composed of only those persons who established a relationship with the Government by  
registering for online portals that store personal and financial information, giving rise to what he  
argues is a duty by the Government to secure those portals reasonably. The factual matrix  
available on the pleadings does not allow the Court to assess the breadth of the Government’s  
practice of employing such portals. While it remains available to the Defendant to advance its  
public policy arguments at trial based on an evidentiary record, I am not presently able to  
Page: 51  
conclude, based on the Defendant’s indeterminate liability argument, that it is plain and obvious  
that the Plaintiff has not disclosed a viable cause of action in systemic negligence.  
(b) Breach of Confidence  
[117] To succeed in a claim for breach of confidence, a plaintiff must prove: (a) that the  
plaintiff conveyed confidential information to the defendant; (b) that the information was  
conveyed in confidence; and (c) that the defendant then misused the information to the plaintiff’s  
detriment (see Lac Minerals Ltd v International Corona Resources Ltd, [1989] 2 SCR 574). The  
Defendant submits that the Plaintiff’s pleadings fail to disclose a reasonable cause of action for  
breach of confidence, both because they do not set out material facts necessary to establish the  
requirement of misuse and because the Defendant’s failure to prevent the relevant cyber attacks  
does not represent misuse within the meaning of this tort. The Defendant therefore argues that  
the breach of confidence claim is doomed to fail.  
[118] The Third SOC contains only one paragraph under the “Breach of Confidence” heading,  
which alleges that the personal financial information in the online Government accounts of the  
Plaintiff and other Class Members was confidential, was communicated to the Defendant in  
confidence, and was misused by the Defendant. I agree with the Defendant’s submission that, in  
relation to the requirement of misuse, this paragraph represents bald assertions and does not  
allege material facts necessary to support a cause of action (see Jensen v Samsung Electronics  
Co Ltd, 2021 FC 1185 [Jensen] at para 77).  
Page: 52  
[119] However, performing the required review of the pleading as a whole (see Mancuso v.  
Canada (National Health and Welfare), 2015 FCA 227 at para 18) reveals more detail of the  
Plaintiff’s allegation of misuse underlying the breach of confidence claim, which relies on  
essentially the same factual basis as his claim in systemic negligence. In the “Background”  
section of the Third SOC, the Plaintiff alleges that the Defendant knew or ought to have known  
that its databases and online systems were vulnerable to data breaches; that it failed to take  
timely, reasonable and adequate measures to protect the information in its databases; that it failed  
to follow its own cybersecurity guidance regarding passwords; that it should have offered a non-  
vulnerable security question mechanism; and that it should have followed industry norms  
regarding two factor authentication.  
[120] In my view, the Plaintiff’s pleading is sufficient to perform its role of identifying the  
issues for the Defendant (see Jensen at para 77). However, turning to the Defendant’s second  
argument, that its failure to prevent the cyber attacks does not represent misuse within the  
meaning of the breach of confidence tort, in my view, there is jurisprudential support for the  
Defendant’s position.  
[121] In the Del Giudice hacking case described earlier in these Reasons, the Ontario Superior  
Court of Justice found no basis for a breach of confidence claim based on the material facts  
pleaded, both because most of the information was not confidential and because, in the view of  
the Court, the defendants did not make an unauthorized use of the information such as would  
constitute its misuse (at para 197). Similarly, in Kaplan v Casino Rama Services Inc, 2019  
ONSC 2025 [Kaplan], the Ontario Superior Court of Justice reasoned that, unless the word  
Page: 53  
“misuse” was distorted out of all shape and meaning, the defendants’ failure to prevent the cyber  
attack at issue in that case was not a misuse of confidential information within the meaning of  
the breach of confidence tort (at para 31).  
[122] In response to this argument, the Plaintiff relies on Condon FCA and John Doe FCA,  
both of which allowed the certification of breach of confidence claims in circumstances where  
the Government failed to adequately safeguard confidential information. In Tucci BCCA, upon  
which I have previously relied in these Reasons, the Court of Appeal for British Columbia  
considered Condon FCA, as well as the Federal Court decision in John Doe, as authorities  
identified by the plaintiffs in which breach of confidence claims had been allowed to proceed in  
circumstances similar to the online data breach it was considering. The Court of Appeal noted  
that neither of these authorities of the Federal Courts specifically addressed the issue of whether  
the tort of breach of confidence requires intentional misuse of confidential information (at para  
112). While the certification of proceedings in those two cases appeared inconsistent with a view  
that misuse must be intentional, the Court of Appeal for British Columbia nevertheless  
concluded that breach of confidence is an intentional tort (at paras 112-113).  
[123] As such, Tucci BCCA represents another authority supporting the Defendant’s position  
that the tort of breach of confidence does not apply to the circumstances of the case at hand.  
Nevertheless, I am conscious of the principle adopted by Justice Martineau in Arsenault v  
Canada, 2008 FC 299 [Arsenault] at para 27, that, in order to meet the test on a motion to strike  
(which is the same test that applies under Rule 334.16(1)(a)), there must be a decided case  
Page: 54  
directly on point, from the same jurisdiction, demonstrating that the very issue has been squarely  
dealt with and rejected.  
[124] Consistent with the observation in Tucci BCCA, neither Condon FCA nor John Doe FCA  
dealt expressly with the issue presently before the Court, i.e. whether the requirement of misuse  
in the tort of breach of confidence that can be met in the absence of intention on the part of the  
alleged tortfeasor. Indeed, as the Defendant submits, the case at hand is somewhat  
distinguishable even from Condon FCA and John Doe FCA, as neither of those cases involved a  
third party actor. However, I understand the Plaintiff’s reliance on these authorities, as both  
involved the Government failing in some manner to properly safeguard confidential information.  
Given that level of similarity, the fact that certification was granted in both cases, and the fact  
that they represent decisions of the Federal Court of Appeal, and taking into account the  
principle in Arsenault, I am unable to conclude that the Plaintiff’s cause of action in breach of  
confidence is doomed to fail.  
(c)  
Intrusion upon Seclusion  
[125] The tort of intrusion upon seclusion, as recognized by the Court of Appeal for Ontario in  
Jones v Tsige, 2012 ONCA 32 [Tsige], involves the following elements: (a) the defendant’s  
conduct must be intentional or reckless; (b) the defendant must have invaded, without lawful  
justification, the plaintiff’s private affairs or concerns; and (c) the invasion must be such that a  
reasonable person would regard it as highly offensive, causing distress, humiliation or anguish  
(at para 71). As with the breach confidence tort, the Defendant argues that there is no viable  
cause of action for intrusion arising from a database breach, where the bad actor is a third party,  
Page: 55  
not the defendant that maintained the database. Essentially, the Defendant’s position is that this  
tort can be advanced only against an intruder and, in the case at hand, it is the threat actor and not  
the Defendant, which is the intruder.  
[126] Again, there is jurisprudential support for the Defendant’s position, found in recent  
authorities from the Ontario Superior Court of Justice. In Owsianik v Equifax Canada Co, 2021  
ONSC 4112 [Owsianik], the Divisional Court held that the tort of intrusion upon seclusion has  
nothing to do with a database defendant. The Court held that to extend liability under this tort to  
a person who does not intrude, but rather fails to prevent the intrusion of another, would  
represent more than an incremental change to the common law (at para 54).  
[127] Owsianik has been followed in other Ontario decisions. For instance, in Del Giudice, the  
Court declined to certify a claim for intrusion upon seclusion. It explained that Ms. Thompson  
was the intruder and that, while Capital One and Amazon Web were alleged to have increased  
the risk of data breach or to have failed to prevent the breach, a failure to prevent intrusion, even  
if reckless, was not intrusion (at para 136). This recent Ontario jurisprudence is very much on  
point in favouring the Defendant’s position.  
[128] However, the Plaintiff emphasizes that there are also authorities that diverge from that  
position. In Kaplan, the Ontario Superior Court of Justice reasoned that intrusion upon seclusion  
is a new tort that is still evolving and could conceivably support a claim against defendants  
whose alleged recklessness in the design and operation of their computer system facilitated a  
hacker’s invasion. As such, the Court was not prepared to say that the intrusion claim was plainly  
Page: 56  
and obviously doomed to fail (at para 29). Kaplan relied in part on Tucci, in which the Supreme  
Court of British Columbia held that, while it was a stretch to say that the defendant invaded the  
plaintiff’s private affairs, as that was done by a third party, it was not plain and obvious that  
being sufficiently reckless may not result in that conduct being attributed to the defendant. The  
Court concluded that intrusion upon seclusion was a relatively new tort and should be allowed to  
develop through full decisions (at para 152).  
[129] Ultimately, Tucci declined to certify this tort under British Columbia common law  
because of binding authority based on the fact that British Columbia already has an intentional  
privacy tort in its provincial legislation. While Tucci certified the tort under federal common law,  
the Court of Appeal for British Columbia concluded that it was an error to conceive of federal  
and provincial common law being separate bodies of legal principles (see Tucci BCCA at paras  
69-90). However, the Plaintiff notes that Tucci BCCA also observed that it was unfortunate that  
no appeal had been taken from the decision not to certify the tort under provincial law and  
expressed the view that the time may well have come for the Court to revisit its jurisprudence on  
the tort of breach of privacy (at para 55).  
[130] It is difficult to read much into this observation in Tucci BCCA. However, I take the  
Plaintiff’s point that a reasonable argument can be made that the jurisprudence on the potential  
scope of the tort of intrusion upon seclusion is not entirely settled. It is also useful again to  
consider the approach of the Federal Courts in Condon and John Doe and the related appeal  
decisions. In Condon, the Federal Court found that it was not plain and obvious that an action  
based on the tort of intrusion upon seclusion would fail (at para 64), rejecting the argument that  
Page: 57  
the plaintiffs did not allege that the defendant invaded their private affairs without justification.  
The Court held that the plaintiffs had sufficiently responded to this argument by pleading that  
their personal information was disclosed in an unlawful way (at para 54-58). While Condon FCA  
did not interfere with this conclusion, it does not appear that this issue was raised on appeal.  
[131] In John Doe, the Federal Court held that the pleading of this tort was sufficient, that the  
area of privacy rights was developing rapidly, and that this tort’s development or limitation  
should not be decided at the certification stage of the litigation (at paras 39-40). However, the  
Federal Court of Appeal disagreed, finding that it was plain and obvious that this cause of action  
could not possibly succeed. It reasoned that, at best, the pleadings supported that an isolated  
administrative error was made and concluded that there were no material facts pleaded to support  
an allegation of bad faith or recklessness (John Doe FCA at para 58).  
[132] I find the present case distinguishable from John Doe FCA, on the basis that the Plaintiff  
has expressly pleaded recklessness on the part of the Defendant in ignoring reports by Class  
Members and service providers such as accounting and investment firms of unauthorized data  
breaches of Class Members’ online Government accounts. For purposes of the present analysis, I  
must assume these factual allegations to be true and would find they are sufficient to disclose a  
reasonable cause of action in intrusion by seclusion, if recklessness in failing to prevent a data  
breach by a third party is legally sufficient to support this tort. Whether such recklessness is  
indeed legally sufficient is the question which remains unsettled and, given that there is some  
potential support for the Plaintiff’s position in the jurisprudence of the Federal Courts, I am  
unable to conclude that the Plaintiff’s cause of action in intrusion by seclusion is bound to fail.  
Page: 58  
(3) Identifiable Class of Two or More Persons  
[133] Rule 334.16(1)(b) requires the Court to consider whether there is some basis in fact to  
conclude there is an identifiable class of two or more persons. As previously noted, the evidence  
in this motion indicates that 48,110 CRA My Accounts were impacted by the unauthorized use  
of credentials, with 12,700 of those accounts showing evidence of being used for fraud.  
Similarly, the evidence indicates that 5,957 accounts across several Enabled Services of ESDC  
were potentially impacted by the data breach, including 3,200 compromised MSCAs that were  
used to access CRA My Accounts via the link between MSCA and CRA, 1,200 of which were  
used to apply for CERB or other COVID-related benefits. As such, there is clearly a basis in fact  
to conclude that the potential Class extends to two or more persons.  
[134] The Rule 334.16(1)(b) requirement also entails identifying an appropriate definition for  
the proposed class. As explained by the Supreme Court in Sun‑Rype Products Ltd v Archer  
Daniels Midland Company, 2013 SCC 58 at paragraph 57:  
57. I agree with the courts that have found that the purpose of the  
class definition is to (i) identify those persons who have a potential  
claim for relief against the defendants; (ii) define the parameters of  
the lawsuit so as to identify those persons who are bound by its  
result; (iii) describe who is entitled to notice of the action (Lau v.  
Bayview Landmark Inc. (1999), 40 C.P.C. (4th) 301 (Ont. S.C.J.),  
at paras. 26 and 30; Bywater v. Toronto Transit  
Commission (1998), 27 C.P.C. (4th) 172 (Ont. Ct. J. (Gen. Div.)),  
at para. 10; Eizenga et al., at § 3.31). Dutton states that “[i]t is  
necessary . . . that any particular person’s claim to membership in  
the class be determinable by stated, objective criteria” (para. 38).  
According to Eizenga et al., “[t]he general principle is that the  
class must simply be defined in a way that will allow for a later  
determination of class membership” (§ 3.33).  
Page: 59  
[135] The class definition proposed by the Plaintiff is set out earlier in these Reasons. Leaving  
aside the definitions for the terms used therein, the substance of the definition reads as follows  
(with the underlined portion representing a change from the Third SOC to the Fourth SOC):  
All persons whose personal or financial information in their  
Government of Canada Online Account was disclosed to a third  
party without authorization on or after March 1, 2020, excluding  
Excluded Persons.  
[136] The Defendant takes issue with the proposed definition on several bases. First, the  
Defendant submits that the definition is overly broad, and unrelated to the proposed common  
issues (which will be identified and addressed in more detail later in these Reasons), because it  
includes persons who had information in their accounts disclosed to a third party for any reason,  
even if unrelated to the conduct of the Defendant. This criticism is fair, particularly if one  
considers the definition set out in the Third SOC, in which the words “without authorization” are  
missing. As the Defendant submits, that definition would include disclosure to third parties that a  
Class Member had authorized, such as an accounting firm or other authorized representatives.  
[137] However, it is clearly not the Plaintiff’s intent to propose a Class that includes persons  
whose information was the subject of only authorized disclosure. This clarification is achieved  
through the inclusion of the words “without authorization” in the definition as set out in the draft  
Fourth SOC. Significantly, in my view, while the Fourth SOC was prepared as part of the  
Plaintiff’s Reply Memorandum of Fact and Law filed on April 13, 2022, the Plaintiff’s original  
Memorandum of Fact in Law dated December 10, 2021, also included these words.  
Notwithstanding the discrepancy between the definition proposed in the Memorandum of Fact  
Page: 60  
and Law and that contained in the Third SOC, in my view, the Plaintiff’s intent is and has been  
clear from the definition included in his original Memorandum and from his overall submissions.  
[138] In Lin v Airbnb Inc, 2019 FC 1563, Justice Gascon agreed with the defendant’s objection  
to a proposed class definition, arguing that it was too broad, and was prepared to allow  
certification on condition that the class definition be amended (at paras 90-91). Although  
narrowing the class definition will require a pleading amendment, and notwithstanding the effect  
of the Case Management Order, I am satisfied that such an amendment is appropriate, and my  
Order will grant leave for that amendment.  
[139] However, the amendment does not fully address the Defendant’s position, which argues  
that the proposed Class definition would still capture persons whose information was disclosed  
without authorization as a result of a data breach not attributable to any conduct by the  
Defendant. For instance, as will be canvassed in more detail later these reasons, the Defendant  
takes the position that the Plaintiff himself was the victim of identity theft unrelated to the  
Defendant’s conduct.  
[140] While I accept the logic of the Defendant’s submission, in my view it does not make the  
proposed Class definition inappropriate. As the Plaintiff argues, the definition is intended to be  
objective rather than merits-based, notwithstanding that this may result in it being over-inclusive  
(see, e.g. Tiboni v Merck Frosst Canada Ltd, 2008 37911 (ONSC) at para 64-82). The  
objective nature of the definition results from the Class Members being able to identify as having  
Page: 61  
been subject to data breaches within the relevant temporal limits, based on the notices sent by the  
Government or their own observations of unauthorized activity in their online accounts.  
[141] The Defendant also takes issue with the temporal limits, or lack thereof, of the Plaintiff’s  
proposed definition. The Plaintiff submits that the definition should capture unauthorized  
disclosures beginning as of March 1, 2020. He has not proposed any end date for the definition.  
In support of these positions, the Plaintiff argues that, while the evidence is that the bulk of the  
cyber incidents occurred between June and August 2020, the timing of commencement of the  
data breaches is not yet known. As I understand the Plaintiff’s reasoning behind the proposed  
commencement date, it is intended to shortly precede the first of the CERB application periods,  
which commenced on March 15, 2020. Given the evidence that the cyber incidents were  
motivated by interest on the part of the threat actors in exploiting CERB and other COVID-  
related benefits, I accept that there is some basis in fact for the March 1, 2020 commencement  
date in the definition proposed by the Plaintiff.  
[142] However, I agree with the Defendant’s position that it is appropriate that the definition  
include an end date, selected by reference to evidence as to when the deficiencies in the  
Defendant’s system as alleged by the Plaintiff were addressed. The Defendant suggests a date in  
August 2020. The Plaintiff argues that this is too early, as some of the Defendant’s remedies  
were not implemented until later in 2020.  
[143] While I appreciate the evidence that the Defendant’s first interventions in response to the  
data breach occurred in August 2020, I also note the evidence in the Defendant’s expert report of  
Page: 62  
Christopher McDonald that CRA began to add multifactor authentication to My Accounts in  
September and October 2020 and that ESDC added this protection in December 2020. I rely on  
this evidence as a basis in fact to conclude that the Proposed Class definition should include an  
end date of December 31, 2020.  
(4) Common Questions of Law or Fact  
[144] The next requirement, prescribed by Rule 334.16(1)(c), is that the Plaintiff demonstrate  
some basis in fact for the claims of the class members raising common questions of law or fact,  
regardless of whether those common questions predominate over questions affecting only  
individual members. I have listed earlier in these Reasons the common questions proposed by the  
Plaintiff and will now address the parties’ respective submissions on whether the Plaintiff has  
demonstrated some basis in fact for these questions.  
(a) Systemic Negligence  
[145] The Plaintiff submits that the evidence establishes a basis in fact to conclude that the  
Class Members’ claims raise common questions surrounding the elements of a cause of action in  
systemic negligence, i.e. whether the Defendant owed the Class a duty of care, identification of  
the applicable standard of care, whether the Defendant breached that duty, and whether that  
breach caused damages to the Class.  
[146] In relation to all these questions, the Defendant takes the position that their answers  
would turn on Class Members’ individual circumstances and are therefore ill-suited for  
Page: 63  
determination on a class-wide basis. In relation to the duty and standard of care, the Defendant  
submits that both will depend on the particular nature of the information that exists in a particular  
online Government account, as well as the reason that information has been collected, which will  
vary significantly among different types of accounts. By way of example, the Defendant argues  
that the standard of care applicable to CRA collecting taxpayer information cannot be the same  
as for Parks Canada collecting a name and address for a campsite reservation.  
[147] The Defendant refers the Court to Kaplan, in which an anonymous hacker accessed a  
casino’s computer system, stole personal information relating to customers, employees and  
suppliers, and posted it online. The Court refused to certify the duty and standard of care  
questions, because the type and amount of personal information accessed by the hacker in that  
case varied widely between individuals (at para 64). It accepted that, if an issue can be resolved  
only by asking it of each class member, it is not a common issue (at para 55).  
[148] In support of its position that this reasoning applies to the case at hand, the Defendant  
submits that the GCKey service is used by over 30 government departments and agencies to  
access multiple governmental online Enabled Services that collect only mundane information.  
The Defendant also relies on the evidence that, in the case of some of the online Government  
accounts that were impacted by the cyber incidents, the level of intrusion was minimal, such as  
accessing only the CRA My Account homepage. The Defendant contrasts these circumstances  
with those in Condon and John Doe, in which the information collected, stored and allegedly  
disclosed was the of the same nature for each class member.  
Page: 64  
[149] The Defendant advances similar arguments in relation to the proposed common question  
as to whether the Defendant’s alleged breach of duty caused damage to the Class. The Defendant  
notes that there is difficulty in working backward from alleged fraud experienced by an  
individual and attributing it to a specific data breach, because fraud and cyber attacks are  
common in today’s online world. Therefore, the Defendant submits that causation cannot be  
assessed without an examination of the specific circumstances of each individual Class Member,  
including consideration of whether contributory negligence may be attributed to a particular  
Class Member, for instance as a result of the imprudent reuse of credentials.  
[150] I accept that not all online Government accounts that were accessed in the data breaches  
would necessarily have contained sensitive information, and I accept that some Class Members’  
accounts suffered a higher level of intrusion than others. The points raised by the Defendant that  
may require consideration in connection with causation, including contributory negligence, are  
also valid. However, I agree with the Plaintiff’s position that these potential differences among  
Class Members’ claims are not necessarily an impediment to certification. As the Supreme Court  
explained in Vivendi Canada Inc v Dell’Aniello, 2014 SCC 1 [Vivendi] at paragraphs 44 to 46:  
44. In Rumley v. British Columbia, 2001 SCC 69, [2001] 3 S.C.R.  
184, this Court confirmed the principles from Dutton. In the case  
of the commonality requirement, the purpose of the analysis is to  
determine “whether allowing the suit to proceed as a representative  
one will avoid duplication of fact‑finding or legal analysis”: para.  
29, quoting Dutton, at para. 39. The Court also stated that a  
question can remain common even though the answer to the  
question could be nuanced to reflect individual claims: para. 32.  
45. Having regard to the clarifications provided in Rumley, it  
should be noted that the common success requirement identified in  
Dutton must not be applied inflexibly. A common question can  
exist even if the answer given to the question might vary from one  
member of the class to another. Thus, for a question to be  
Page: 65  
common, success for one member of the class does not necessarily  
have to lead to success for all the members. However, success for  
one member must not result in failure for another.  
46. Dutton and Rumley therefore establish the principle that a  
question will be considered common if it can serve to advance the  
resolution of every class member’s claim. As a result, the common  
question may require nuanced and varied answers based on the  
situations of individual members. The commonality requirement  
does not mean that an identical answer is necessary for all the  
members of the class, or even that the answer must benefit each of  
them to the same extent. It is enough that the answer to the  
question does not give rise to conflicting interests among the  
members.  
[151] To similar effect, in Campbell v Flexwatt Corp, 1997 4111 at paragraph 53, the  
British Columbia Court of Appeal observed that common issues do not have to be issues, which  
are determinative of liability. They need only be issues of fact or law that move the litigation  
forward. In class proceedings in the Federal Court, Rule 334.26 provides for procedural  
mechanisms for the determination of any individual issues that remain following a judgment on  
common questions of law or fact.  
[152] The Defendant responds to these submissions by arguing that Vivendi was not a systemic  
negligence case. I am not persuaded by that argument, as I read the principles from Vivendi upon  
which the Plaintiff relies to be of general application. Applying those principles, I find  
compelling the Plaintiff’s submission that the variation in the types of accounts and information  
that were breached is dwarfed by the commonality, in the sense that all persons whose accounts  
were breached registered for online accounts, and there is commonality in the alleged flaws that  
the Plaintiff says permitted the breaches: including requiring insufficiently robust passwords,  
misconfiguration of the security question protocol, and a lack of two factor authentication.  
Page: 66  
[153] Moreover, I do not regard this as a case akin to Kaplan, in which it can be concluded that  
each Class Member’s claim must be analysed individually in order to answer the questions  
surrounding duty and standard of care or causation. By way of example only, if it were to be  
assumed that there are variations in the level of sensitivity of the information maintained in the  
online portals of the over 30 Government departments that the evidence indicates rely upon the  
GCKey service (as well as further variations over different Enabled Services), these variations  
might result in a significant number of nuanced responses to the common questions. However,  
this process would still serve to move the litigation forward. Moreover, to the extent particular  
Class Members’ claims may raise unique issues individual to them, including contributory  
negligence, the Court is equipped to address these at the individual stage of the litigation.  
[154] The Defendant also argues that the Plaintiff has presented no basis in fact for the  
certification of Class Members’ damages as a common issue. The Defendant submits that the  
damages will need to be determined on an individual basis. It notes that the unauthorized  
disclosure of any individual Class Member’s information may not actually lead to anxiety, future  
identity theft, or any of the other claimed heads of damages, particularly in the case of those who  
had only mundane information disclosed. In response to these arguments, the Plaintiff repeats its  
submissions above on the application of the principles derived from Vivendi. For the reasons  
explained above, I find those submissions compelling.  
[155] However, the Defendant also takes the position that some Class Members may have no  
basis to claim damages at all, as applicable jurisprudence explains that damages for stress and  
anxiety may be compensated only when they are serious and prolonged and rise above life’s  
Page: 67  
ordinary annoyances, anxieties and fears (see Saadati v Moorhead, 2017 SCC 28 [Saadati] at  
para 37; Mustapha v Culligan of Canada Ltd, 2008 SCC 27 [Mustapha] at para 9).  
[156] Moreover, the Defendant argues that, with the exception of the claim for anxiety, each of  
the claimed heads of damages constitutes a pure economic loss claim, which is not compensable  
in negligence except in limited circumstances that do not apply. The Defendant refers the Court  
to Del Giudice, which concluded that the majority of the class members’ anxiety claims would  
not rise to the level of compensable harm and that the remaining claims were for non-  
compensable pure economic loss (at paras 223-228).  
[157] In response, the Plaintiff argues that Saadati has advanced the jurisprudence surrounding  
claims for mental injury in a manner that favours his position. While the Plaintiff accepts that  
Class Members would be required to demonstrate mental disturbance that is serious and  
prolonged and rises above the ordinary annoyances, anxieties and fears that come with living in a  
civil society, he emphasizes the Supreme Court’s recognition that claimants need not  
demonstrate that their mental injury is classified as a recognized psychiatric illness (at para 37).  
This development was explained in Reddock v Canada (Attorney General), 2019 ONSC 5053  
(appeal allowed 2020 ONCA 184 on other grounds), which also identified that it is therefore not  
necessary to rely on expert opinion in order to establish a compensable mental injury (at paras  
387-390).  
[158] The Plaintiff also refers to the Court to other post-Saadati cases (including Condon FCA  
and John Doe FCA) that have certified claims relating to mental distress and inconvenience in  
Page: 68  
the breach of privacy context. In particular, in Condon FCA, the Federal Court of Appeal  
overturned the Federal Court’s decision not to certify causes of action in negligence and breach  
of confidence because of a lack of compensable damages.  
[159] In Condon, the Federal Court identified that the plaintiffs’ negligence and breach of  
confidence claims sought damages for wasted time, inconvenience, frustration, anxiety and  
increased risk of future identity theft, resulting from the data loss (at para 66). However, the  
Court found, based on the evidence adduced, that the plaintiffs had not suffered any compensable  
damages, as they had not been victims of fraud or identity theft, had spent minimal time seeking  
status updates from the relevant Minister, and did not avail themselves of any credit monitoring  
or other services offered by the defendant (at para 68). Relying in part on Mustapha, the Court  
concluded that damages are rarely awarded for mild disruption alone and held that it was plain  
and obvious that the claims based on negligence and breach of confidence would fail for lack of  
compensable damages (at paras 73-79).  
[160] On appeal, Condon FCA held that this evaluation of the evidence represented an error, as  
the Federal Court should have determined whether the plaintiffs had a reasonable cause of action  
based on the facts as pled (including costs incurred in preventing id