Plaintiffs, retired TransLink employees, sought class action certification after a 2020 ransomware attack compromised sensitive personal information of approximately 38,958 unique individuals.
The BC Court of Appeal previously reversed the initial dismissal, finding the pleadings disclosed causes of action in negligence and under s. 1 of the Privacy Act, and the Supreme Court of Canada denied leave to appeal.
Central to the dispute was whether "access" to personal information requires proof that cybercriminals actually viewed or copied the data, or merely that files were exposed to unauthorized parties.
Expert evidence from a cybersecurity specialist identified foundational deficiencies in TransLink's security framework, including inadequate encryption, access controls, and executive oversight.
Claims for vicarious liability and restitutionary damages were rejected for lacking evidentiary basis, while general, nominal, punitive, and consequential damages were found certifiable on a class-wide basis.
The Court ultimately granted certification, approving the class definition, most common issues, the representative plaintiffs, and the litigation plan.
The 2020 TransLink ransomware attack and its aftermath
South Coast British Columbia Transportation Authority, commonly known as TransLink, is a statutory entity responsible for providing a regional transportation system in Metro Vancouver that moves people and goods. Its transit services include bus, community shuttle, ferries (SeaBus), rapid transit (SkyTrain), commuter rail (West Coast Express), and custom transit services for persons with disabilities (Access Transit Program), delivered through its operating subsidiaries: Coast Mountain Bus Company Ltd., British Columbia Rapid Transit Company Ltd., and West Coast Express Ltd. On December 1, 2020, TransLink's information technology team, Business Technology Services, discovered ransomware on its IT network. By December 3, 2020, TransLink confirmed that part of its IT infrastructure had been the target of a ransomware attack. Despite TransLink's cybersecurity program, cybercriminals were able to get past TransLink's network security and insert the ransomware following a successful phishing attempt on an employee of one of TransLink's operating subsidiaries. TransLink responded by isolating and shutting down certain IT infrastructure and systems, notifying law enforcement, and launching an investigation.
Scope of the data breach and affected individuals
TransLink's investigation continued through to June 2021. TransLink was able to confirm that various files and folders within the breached network drive were accessed by cybercriminals. These files and folders contained a variety of information, including personal information related to payroll administration for TransLink, CMBC, and Transit Police employees; sensitive personal information of some BCRTC and WCE employees; sensitive personal information of some former and retired enterprise employees and a limited number of their spouses and beneficiaries; sensitive personal information about certain third parties, including HandyDART operators, former BC Transit employees, and third parties involved in incidents involving TransLink vehicles; and scanned images of personal cheques written for the purpose of purchasing TaxiSaver coupons or for the repayment of expenses. The investigation also confirmed that data was exfiltrated from, or copied out of, TransLink's systems, though TransLink's records do not confirm what data in particular was exfiltrated. In all, approximately 57,820 notification letters were sent out to 38,958 unique individuals, each letter specifying which categories of sensitive information — such as social insurance numbers, bank account numbers, WorkSafe reports/summaries, home addresses, dates of birth, and salary/wage rate with tax withholding and/or deductions — had been in the accessed folders. TransLink also offered a complimentary two-year credit monitoring and fraud protection service to all then-current enterprise employees, former and retired enterprise employees, TaxiSaver cheque payors, and affected third parties, created a dedicated public webpage, offered live online information sessions, and set up a dedicated call centre for affected individuals.
Procedural history across multiple court decisions
The plaintiffs — G.D., Allan Smith, Christopher Holt, James Thom, and Brent Johnston, all previous employees who have since retired from their employment with TransLink — sought certification of a class proceeding under BC's Class Proceedings Act. On June 5, 2023, Madam Justice Wilkinson rendered a decision dismissing the certification application on the basis that the claims did not satisfy the requirements under s. 4(1)(a) of the CPA, because the claims were bound to fail. That decision did not address the remaining requirements for certification. On July 4, 2024, the BC Court of Appeal allowed the appeal, holding that the plaintiffs' pleadings disclose causes of action in negligence and under s. 1 of the Privacy Act, R.S.B.C. 1996, c. 373. On March 6, 2025, the Supreme Court of Canada denied leave to appeal. The Court of Appeal remitted the matter back to the BC Supreme Court to consider the remaining certification criteria. The plaintiffs subsequently amended their claim to pursue only the cause of action under section 1 of the Privacy Act.
The cause of action and rejected claims
The plaintiffs pleaded that TransLink violated its obligation to safeguard the putative class members' sensitive personal information under two provincial privacy statutes. They asserted a statutory right of action for breaches of s. 1 of the Privacy Act and further pleaded that TransLink is subject to ss. 30 and 30.4 of the Freedom of Information and Protection of Privacy Act, R.S.B.C. 1996, c. 165 (FIPPA). They argued that TransLink violated the putative class members' privacy wilfully or recklessly and without a claim of right. The Court confirmed that the CPA s. 4(1)(a) criterion had been satisfied only with respect to the cause of action for the claim under the Privacy Act and no other cause of action was advanced. The plaintiffs' plea for an "accounting" and disgorgement of "all revenues or profits" generated by TransLink was found to have no basis for that remedy on the cause of action relied upon. Similarly, the vicarious liability claim — alleging TransLink was vicariously liable for the acts and omissions of its operating companies, subsidiaries, partners, and their respective directors, officers, employees, and agents — was rejected. The Court noted that TransLink is a statutory body corporate separate and apart from its operating subsidiaries and that, by statute, TransLink must not be treated as one employer with any person, including its subsidiaries. The claim did not set out material facts relating to employment, agency, or another recognized category that could support a claim in vicarious liability.
Class definition and common issues
The Court approved an alternative class definition proposed by the plaintiffs: all persons who were notified by the defendant that their sensitive personal information may have been compromised in the TransLink Data Breach, excluding the defendant's employees who are members of MoveUp. On the pivotal common issue of whether class members' sensitive personal information was "accessed" by unauthorized parties, the Court found that "access" to information in the context of data privacy laws is not synonymous with examining the information, nor is it synonymous with obtaining a copy of the personal information. TransLink itself made that distinction in the breach notification it sent to the putative class members, which stated that individuals' sensitive personal information was "identified as having been accessed by the cyberattackers" while acknowledging "there is no way to know for certain what information the attackers copied." The Court also approved common issues relating to whether the unauthorized access resulted from TransLink violating its statutory duties under s. 30 of FIPPA, and whether TransLink violated the privacy of the class members wilfully and without a claim of right.
Expert evidence on cybersecurity deficiencies
Mr. Vogel, a cybersecurity expert, opined that certain of the apparent deficiencies in TransLink's computer security measures existed in basic foundational areas, including: cyber security framework; cyber security awareness; access control; data encryption; cyber security threat monitoring; endpoint protection; user authentication; vulnerability assessment and penetration testing; and executive oversight. The plaintiffs provided evidence showing some basis in fact not only that the defendant's violations were reckless, but also that they may satisfy other definitions of "wilful" based on greater intentionality. Mr. Vogel's evidence also provided some basis in fact that TransLink's cybersecurity controls and system were deficient in foundational areas — for example, the defendant continued to retain the personal information when it no longer needed it, and failed to encrypt the personal information, despite being on notice of the heightened risk of cyberattacks.
Damages analysis
The Court found that general and nominal damages may be awarded for the breach of the Privacy Act, without proof of damages or losses, and on an aggregated basis. There was some basis in fact for punitive damages, supported by Mr. Vogel's expert evidence of foundational cybersecurity deficiencies. Consequential damages — such as the time spent to change bank account information or credit card information as a result of the compromise — were found to be arguably proximate and foreseeable; some basis in fact for this was found in the remedial credit monitoring and insurance offered to the putative class members by the defendant. However, restitutionary damages were not certifiable because the plaintiffs provided no basis in fact that TransLink benefitted from any alleged wrongdoing, the value of that benefit, or that corresponding loss was suffered on a class-wide basis. There was no basis in fact to support a possible finding of serious and prolonged stress and anxiety, as none of the plaintiffs deposed that they had suffered psychological harm, although some deposed they believe their sensitive information or identity is at risk or they feel insecure as a result of the Data Breach. The Court agreed that a process similar to the one in Ari BCSC 2022 would be appropriate, where all class members are entitled to an award of non-pecuniary damages arising from the mere fact that their privacy was violated on a class-wide basis, while individual class members who claim additional non-pecuniary damages could advance that claim in a future process.
Preferability and the ruling
The Court found that a class proceeding was the preferable procedure for a fair and efficient resolution of the common issues. The determination of the proposed common issues, save for proposed common issue 7, required no individual inquiries, and common questions overwhelmingly dominated over individual inquiries. There was no indication that a significant number of class members had a valid interest in individually controlling separate actions, and similar privacy class proceedings have been certified in British Columbia and elsewhere. TransLink argued that a class proceeding was not the preferable procedure because it had offered a two-year complimentary credit monitoring package with identity-theft protection up to $50,000 as part of its response to the Data Breach. However, the Court found that credit monitoring is not necessarily the same as nominal damages, and that an individual insurance claim process is not preferable to individual claims within a class proceeding. The evidence of Dr. Cavoukian also provided some basis in fact that recognizing and awarding remedies which address the harm to data breach victims would likely result in data custodians improving their overall security practices. Madam Justice Wilkinson ultimately granted certification of the plaintiffs' class action on April 29, 2026. Common issues 1-3 and 5, 6, and 8 were approved. Common issues 4 and 7 were approved excluding references to restitutionary and moral damages and other monetary relief or compensation. Common issue 9 was not approved. The claim in vicarious liability was not certified, nor was the claim in restitutionary damages. The representative plaintiffs and the litigation plan were both approved. No exact monetary amount was awarded at this stage, as the decision concerns certification rather than a final adjudication on the merits; the quantum of damages remains to be determined at the trial of the common issues.
Plaintiff
Defendant
Court: Supreme Court of British Columbia
Case Number: S210074
Practice Area: Class actions
Amount: Not specified/Unspecified
Winner: Plaintiff
Trial Start Date