Mackenzie is an investment management firm. InvestorCOM provides regulatory compliance and investor communications services and had been hired to produce and deliver notices Mackenzie is required to send investors. To do that work, Mackenzie handed investor records to InvestorCOM – records that, in many cases, contained social insurance numbers buried in an undifferentiated string of digits that InvestorCOM says it did not know it held.
The lead plaintiff, an investor who received Mackenzie’s breach notice, sought to certify a national class action raising claims in negligence, breach of contract, and breach of provincial privacy statutes. He alleges the data was not only copied but stolen. Mackenzie and InvestorCOM deny any Mackenzie data was taken, noting it did not appear when Cl0p later published files after a ransom demand went unpaid. Those allegations have not been tested at trial.
Ramsay certified the British Columbia case only on the privacy-statute claims, which are available in BC, Manitoba, Saskatchewan, and Newfoundland and Labrador. She found that a parallel class action already certified in Ontario was the better venue for the negligence and contract claims and ordered the remaining claims to proceed there. Certification is a procedural step, not a ruling on the merits.
Because the Ontario certification is under appeal, the order was made without prejudice to further applications once that appeal is resolved. No costs were awarded.
For wealth firms, the value sits in the vendor question. Mackenzie argued it could not be liable for a breach of InvestorCOM’s server, but the court found it at least arguable that a firm that collects client data and passes it to a service provider still owes a duty of care. The court also found it at least arguable that the out-of-pocket cost some investors paid for credit monitoring could be recovered.
