Canadian subsidiaries of Volkswagen and Audi allegedly failed in their responsibility to notify Canadian customers who were victims of disclosures about the personal data of 3.3 million North American customers that was revealed last June, according to a claim through authorization in a class action recently filed with The Supreme Court of Quebec.
In a request filed in mid-June, it was said that Volkswagen Canada and Audi Canada – both registered properties of the Volkswagen Group – should have informed Canadian customers whose personal information had been disclosed earlier so that they could protect themselves from fraud. Possible identity theft.
The order redraws the chronology of events, noting that the German manufacturer would have reported the data leak to one of its suppliers as of March 10, 2021. In May, an internal investigation confirmed that personal information of potential customers and buyers was reportedly stolen between 2019 and 2021.
The data that was disclosed includes names, postal addresses, email addresses, phone numbers, driver’s license numbers and vehicle information. For some, more important information was revealed: dates of birth, bank account numbers, and even social insurance numbers.
“However, Audi and Volkswagen inexplicably waited at least 93 days, starting on March 10, 2021, before publicly announcing the data exposure on June 11, 2021,” the request said.
On June 11, the Volkswagen Group issued a press release confirming that a data breach had exposed the information of more than 3.3 million people in North America, including 163,000 people in Canada.
In the days following the announcement, the websites of Vice and Bleeping Computer’s Motherboard — a media outlet that deals with technology news — reported that personal information from the leak had been sold on a hacking forum.
“Our position is that everyone [susceptible de s’être fait voler des données] You need to be informed and everyone should have the opportunity to get coverage to ensure their credit is monitored,” he explains Task David Asor, attorney at the Lex Group responsible for legal proceedings.
During the announcement, Volkswagen backed plans to provide free protection against the use of its data for purchases or loans. However, the request asserts that the creator has not authorized companies in Canada such as TransUnion Canada or Equifax Canada to ensure victims are monitored, which could put them at a “greater risk of fraud”.
“At the moment, we are asking to move forward so that all Canadians can participate,” David Asor said, noting that it is up to the judge to decide the eligibility criteria if the class action is approved.
Who is responsible for protection?
Last week, a similar class action was filed in United States District Court in New Jersey. Like the approach taken in Quebec, the US request alleges that Volkswagen and Audi were negligent, failing in their responsibility to protect their customers’ data. In both cases, compensation is claimed, in addition to reimbursing what customers had to pay for credit monitoring services.
Like many other cases, the request to file a class action lawsuit in Quebec points to the current difficulty in figuring out who should be responsible for the theft of personal information, as Steve Waterhouse asserts: “Here’s the problem: We don’t know who is responsible in the event of a data leak or exposure.”
This kind of approach has nothing to surprise the specialist. “Prosecutions may be more frequent, as companies and governments are often overlooked in managing citizens’ information,” he adds.
In Canada, he says, the solution includes tightening the framework on the protection of personal data. He cites the example of the Bell 64 in Quebec, whose adoption, expected before the summer, has finally been delayed.
This bill aims, among other things, to “bring accountability to business leaders” during massive data theft, “which should make some people think about their cybersecurity plans,” says Steve Waterhouse.
Mr. Waterhouse notes that the federal and provincial governments, in this regard, can draw inspiration from the General Data Protection Regulation (GDPR) in force within the European Union since 2018. “In Europe, Audi and Volkswagen could not wait” that long to inform their customers without risking heavy fines. A provision of the GDPR – Article 33 – requires organizations to disclose any data breach within 72 hours.