Protecting the Victims of the Casino Rama Resort Breach

Posted by Mark Greisiger

A Q&A with Ted Charney of Charney Lawyers

In November, 2016, Canadian Casino Rama Resort announced it had been hacked, with both employee and vendor data stolen. Shortly after, Toronto-based Ted Charney of Charney Lawyers filed a $50 million class action suit.

Can you give us a summary of the key facts and alleged liability theory in this case?
Rama announced that a cyber attack had taken place at its casino. At the time it was not clear how much data was compromised. It is now under investigation with police and the privacy commissioner and we still don’t know the exact number of people affected. Almost immediately, the thieves or hackers started to release data online in bits and pieces to demonstrate that they were in possession of it. That data included sensitive personal information about current and former employees, customers, high rollers with lines of credit and self excluders who are registered with the gaming corporation and can’t gain access to the casino.

We are filing a class action. To date, we have over 3000 registrations in the database. The theory of liability is that the security measures were inadequate to prevent any kind of cyber attack, much less this one. Insiders have said that security was lacking. The hackers have promised to release additional data. They may not be interested in monetary gain but simply revenge against the company.

It was reported that the hacker got access to personal info going back many years. Do you know how long it took the casino to detect the breach? And how long did it take to report the event to the victims?
The data goes back to the inception of the casino, which was 20 years ago. Because it is under investigation with the police, we don’t have access to when the breach first came to the attention of the casino, but we know they have said they reported it four or five days later. But, given information we have received, we are not sure that number is accurate.

Do actual damages need to be established in order to bring the class action in Canada?
If there has been a breach of contract then the finding of a breach is sufficient for the court to award at least nominal damages—there’s no requirement of proof of actual damages in contract claims. The question is whether the damages are nominal or more significant. But given the sensitivity of the information—discipline records of employees, health data, gambling habits and financial information, lawsuits and demands for not paying debts, etc.—we know that people’s privacy has been significantly affected.

Any other important security or privacy risk exposure lessons for a risk manager of a Canadian or global company with a presence in Canada?
Companies that collect sensitive information must stay up to date with state-of-the-art security measures because it is simply not good enough to continue using technology and practices that you used five years ago. Preventing unauthorized access to data has to be a priority for any organization because if you experience this kind of breach it can significantly impact your finances, your reputation and your operations going forward.

In summary…
We want to thank Mr. Charney for his excellent insights into this cyber liability/privacy case, and for illuminating the resulting issues surrounding it. Many of our Canadian insurance company partners—and their corporate risk manager clients—are especially interested in Rama’s alleged negligence and failure to safeguard private data and other facts pertaining to this case since they offer cyber liability insurance intended to cover this type of exposure.

You can also see Mr. Charney speak at our upcoming NetDiligence® Cyber Risk Summit conference in Toronto on February 16, 2017.