In July 2015, Walmart Canada gave notice that the Walmart Canada Photo Centre website, operated by Vancouver-based service provider PNI Digital Media (“PNI”), had been the victim of a cyber-attack that installed malware on PNI’s data centre servers to collect customers’ credit card data and other personal information.
Representative plaintiffs brought class action lawsuits in Ontario and Saskatchewan courts. The lawsuits were settled in May 2017. The settlement requires Walmart Canada and PNI to:
(a) pay the costs of a one-year credit and identity theft monitoring service for affected customers, to a maximum cumulative total of $350,000 for all affected customers;
(b) reimburse affected customers for their out-of-pocket losses/charges and time spent remedying issues traceable to the data security incident, to a maximum of $5,000 for any one customer and a maximum cumulative total of $450,000 for all affected customers;
(c) pay up to $250,000 for the costs of administering the settlement; and
(d) pay $500,000 as legal fees for the plaintiffs’ lawyers.
The lawsuits and settlement provide useful lessons for Canadian organizations that collect and process sensitive customer information, including:
1. An organization should establish a documented, comprehensive information security governance framework.
2. An organization’s cyber risk management program should include risks presented by suppliers and service providers.
3. An organization should have a comprehensive and suitable data security incident response plan and a trained incident response team.
4. An organization should give timely notice of data security incidents to affected individuals and organizations, regulators and law enforcement.
5. An organization should carefully consider whether to voluntarily offer reasonable remedies to customers affected by a data security incident in order to reduce the incentives for costly class action lawsuits.