The Superior Court of Quebec has approved a $200.9 million settlement of a class action lawsuit filed against financial services cooperative Desjardins Group over the massive data breach it suffered years ago, which affected as many as 4.2 million of its members.
News of the settlement first broke in December. It was announced then by law firms Siskinds Desmeules and Kugler Kandestin that the settlement agreement offered compensation for loss of time and identity theft related to the breach.
The law firms also confirmed that everyone affected by the breach – regardless of where they live – will be eligible to claim. Class members who have not already registered for Equifax’s credit monitoring service will also be able to do so for a period of five years, and all paid for by Desjardins. All class members are also entitled to any other additional protective measures implemented by Desjardins for at least five years.
The Canadian Press reported that class members do not need to take any steps at this stage. They will receive notices with instructions for making claims over the coming months starting July 21.
Desjardins was rocked by a major data theft incident in 2018, when a disgruntled employee leaked the data of millions of cooperative members. The leaked data included members’ names, addresses, birth dates, social insurance numbers, email addresses, and even data on their transaction habits. It was initially reported that only 2.9 million members were affected, but Desjardins later updated its findings when it found that 4.2 million members were potentially leaked.
In 2020, the federal privacy commissioner ruled that several technological and administrative gaps caused the data breach. The OPC ruled that Desjardins was inadequate in the areas of organizational policies; employee training; access controls and data segregation; as well as oversight and monitoring.
