Why CIRO is facing a proposed class action over their data breach now

Lawyer explains why his suit alleges harm despite no evidence that lost information was misused

CIRO now faces a proposed class action lawsuit over a phishing attack it succumbed to in August of 2025. The attack affected 750,000 registrants and individuals. Information about individuals and registrants was taken, including investors’ dates of birth, phone numbers, annual incomes, social insurance numbers, ID numbers, investment account numbers and account statements. A press release announcing the class action suit also notes the alleged loss of key registrant data, including names, addresses, banking details, civil and criminal disclosure records, investigation notes, and employment and licensing information. The proposed class action asserts that CIRO owed a duty to safeguard that personal information and seeks redress.

Justin Giovanetti, lawyer with Slater Vecchio, explained why his firm has launched this proposed class action now. He explained how recent rulings in British Columbia have allowed for greater legal recourse around breaches in privacy, even when no evidence of immediate misuse of the lost information can be found.

“It is our view that private corporations or regulatory bodies like Canadian Investment Regulatory Organization have a duty to safeguard personal information, especially when it's mandatory that they collect it,” Giovanetti says.

For the B.C.-based lawyer, some relatively recent rulings from the B.C. Court of Appeal hold particular weight in this proposed class action. Before these rulings in the summer of 2024, Giovanetti says that privacy class actions were largely being dismissed by lower courts, which said there wasn’t much harm to be found. In G.D. v. South Coast British Columbia Transportation Authority, 2024 BCCA 252, however, the Court found that failure to protect personal information could constitute a violation of privacy under the Privacy Act. The defence in that case argued that a finding of liability would open the floodgates to a slew of lawsuits. Giovanetti cites the court’s ruling to address that argument and, in part, to justify the allegation that harm could be done here.

“I will add these observations. I recognize the legitimate fears of defendants that they could be routinely subject to large claims for damages for violations of privacy pursuant to the Privacy Act in cases where a data breach is innocuous and due to an organization’s innocent mistake. But I see the floodgates argument differently, and that is as a flood of unprotected personal information flowing out of the control of the persons whose information it is, and into the hands of bad actors, unless the law responds adequately,” the judgement reads.

That landmark ruling, Giovanetti argues, shows that large organizations need to go above and beyond to protect personal data, which is why his firm is now bringing this case against CIRO. The decision to file the case now, he says, follows from the relatively recent revelation of the scale of the breach and the kind of information that was accessed. Once SIN numbers were found to have been compromised, he says, there could be real harm here, and that motivated the timing of the filing.

CIRO, for its part, has told WP that it cannot directly comment on the proposed class action as it is a pending legal matter. It stressed, however, that it is improving its cybersecurity infrastructure.

“As part of restoring services at the time of the incident, we took immediate steps to ensure system integrity and help prevent such an attack in the future,” a CIRO statement emailed to WP reads. “We continue to invest in strengthening our resilience and cybersecurity practices as the threat landscape evolves—further enhancing safeguards around sensitive data and improving our systems—while working closely with firms and other partners to reinforce cybersecurity infrastructure and advance best practices across the investment industry.”

Cybersecurity remains a rapidly evolving area for organizations to address. The pace of technology is unceasing, and staying ahead of scammers can prove very difficult even for an organization that is meeting best practices. Giovanetti notes that the question of whether CIRO met industry best practice here ought to be litigated. He asks another question, too: whether best practices are actually good enough. In certain cases, he says, adhering to government regulation can still fall short of the legal standard of care. He believes the question of whether best practices and regulatory standards meet that test should also be litigated.

In its disclosure around the data breach, CIRO has provided two years of credit monitoring and identity theft protection to all impacted individuals. Giovanetti says, though, that this may not be enough and that the scammers can just ‘set a calendar for two years out.’ In the statement sent to WP, a CIRO spokesperson said that the two years of protection aligns with industry best practices for incidents of this nature. The package also includes dark web monitoring.

The proposed class action also comes down to a question of harm, and whether harm was done to the impacted individuals despite no current evidence that the stolen information has been misused. Giovanetti argues that there could be harm done, noting that this lost information could still be used to nefarious ends. Moreover, impacted individuals and registrants could have lost time and money seeking to redress this data breach and adjust their now-compromised personal information, which could constitute harm. Giovanetti notes, as well, that under the Provincial Privacy Act in B.C., impacted individuals can seek moral damages over a breach in privacy for psychological harm such as distress, embarrassment, stress, and reduced trust.

Giovanetti says he hopes that the proposed class action, if it’s certified and allowed to proceed, would allow impacted individuals access to justice for what he alleges is harm.

“There are two aspects to it. One, we want to get compensation for these people. And two, we want to make sure that corporations safeguard data to the highest extent possible because they are the safeguards of it,” Giovanetti says. “Some may say, with technology [data breaches] are a lot easier to conduct. Organizations ought to respond not just to the bare minimum, but to the extent that they do what they have to do in order to protect information.”