December 21, 2022
Dolden Wallace Folick’s Class Action Newsletter – December 2022
Intrusion Upon Seclusion: The Ontario Court of Appeal Affirms the ‘Hacked’ are not ‘Hackers’
On November 25, 2022, the Ontario Court of Appeal released decisions in a trilogy of cases concerning the tort of intrusion upon seclusion and its application to owners of hacked databases. In its decisions in Owsianik v. Equifax Canada Co., Obodo v. Trans Union of Canada, Inc., and Winder v. Marriott International, Inc., the Court of Appeal held that the tort of intrusion upon seclusion did not apply.
The Cases at Issue
In each of the three cases, the defendants collected and stored the personal information of others, but failed to take adequate steps to protect this information from third-party hackers. They argued that
the intrusion upon seclusion claim should not be certified because it did not disclose a cause of action, furthering that inclusion upon seclusion only applied to persons who had actually invaded or intruded upon the privacy of a plaintiff. The defendants argued this tort could not reach them; while their inadequate security measures may have allowed others, who had no connection to the defendants, to access the private information of others, the defendants did not invade the privacy of others themselves.
The Decisions on Appeal
In Owsianik, the majority of the Divisional Court reversed the decision of the motion judge and held that the tort had no application to the defendant, Equifax, when the private information was accessed by a third-party hacker acting independently.
In Obodo, the plaintiffs unsuccessfully brought a motion for an order certifying a seclusion clause against the defendant, Trans Union. The motion judge certified other common issues; the appeal came from the refusal to certify the intrusion upon seclusion clause.
In Winder, the plaintiffs brought a Rule 21 motion for a determination of a question of law. The question was whether a legally viable cause of action was pleaded against the defendant, Marriott, for intrusion upon seclusion, for failing to take adequate steps to protect the plaintiffs’ private information. The judge determined that the claim did not disclose a viable cause of action for intrusion upon seclusion.
The Decision of the Court of Appeal
The Court of Appeal dismissed all three appeals, concluding that there were no pleaded facts providing a basis in law for the actions of the hackers to be attributed to the defendants. The defendants’ fault was in their failure to take the adequate steps to protect the plaintiffs from the intrusion upon their privacy; they could be liable for this failure in negligence, contract, and under various statutes.
Due to the similarity between the three cases, the Court focused its reasons on Owsianik, and answered the question of whether the tort of intrusion upon seclusion can apply to a defendant whose failure to protect private information allowed hackers to access it. The majority found that the facts pleaded could not amount in law to the required intrusion, meaning it was “plain and obvious” that the claim could not succeed and should be struck.
The Court of Appeal warned of allowing a claim to proceed while there is still the legal question of its viability, as is the case with this trilogy of claims. The claims had been allowed to progress on the basis that it was not “plain and obvious” that the claim could not succeed, not on the basis that an intrusion upon seclusion claim could actually be made against the defendants. The Court of Appeal pointed to the unfairness of allowing these claims to make it to trial, where the trial judge would be obligated to decide the exact same legal question that was before the motion judge, sometimes years earlier. As damages for intrusion upon seclusion do not require proof of any actual pecuniary loss, but are awarded on a “symbolic” or “moral” basis, they are well suited to an award on a class-wide basis. Thus, the plaintiffs would have a leg up in both the certification process and any settlement negotiations, despite the uncertainty of the legal validity of their claim.
Next, the Court outlined the elements of the tort of intrusion upon seclusion, which are as follows:
- The defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse (the conduct required);
- The conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly (the state of mind requirement); and
- A reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation or anguish (the consequence requirement).
In this case, the conduct component was at issue. The defendants stored the data, and accessed it for commercial purposes, but did not interfere with the plaintiffs’ privacy interests. As a result, there was no conduct capable of amounting to an intrusion or invasion of privacy, and the claim failed at a fundamental level.
The defendants must have either intended to have actually intruded upon the plaintiff’s privacy, or to have been reckless so that the conduct would have that effect. Their prohibited state of mind must therefore relate to the prohibited conduct; intention is established if the defendant meant to intrude on the privacy of the plaintiff or knew it was a substantially certain consequence of the act. Recklessness is also a subjective state of mind, and can be established if the defendants realized at the time the prohibited conduct was being done that there is a risk that the conduct would intrude on the privacy of the plaintiffs, yet continue to allow that conduct.
The Court of Appeal concluded that if liability were to be imposed onto the defendants for the tortious conduct of the unknown hackers, or for the defendants’ failure to prevent the hackers from accessing the information, it would create a new and broad basis for the finding of liability for intentional torts. Remedies for these types of alleged failures already exist in both tort and contract.
Lastly, the Court of Appeal dismissed the concerns expressed by the plaintiffs about the lack of an available remedy if intrusion upon seclusion were not certified as a common issue. This boiled down to the lack of damages under negligence and contract where pecuniary loss could not be substantiated. Put simply, this put the plaintiffs in the same position as any plaintiff advancing a similar claim.
The Court of Appeal’s decision in the trilogy reconfirms the appropriateness of deciding the viability of causes of action at the certification stage. The decision also brings a degree of clarity and stability to the tort of intrusion upon seclusion. It is clear hacked companies that maintain data will not be held liable for moral damages arising from the actions of hackers who steal this data. These companies may still be held liable in tort and contract for their failures, but plaintiffs will have to substantiate their losses.
The Court of Appeal also made clear that intrusion upon seclusion requires intentional conduct on the part of the defendant. Absent intentional harm caused by the defendant, liability for this tort and moral damages will not be available. Accordingly, while the door remains open for privacy class actions alleging intrusion upon seclusion, the threshold for entry will require allegations of intentional invasion of privacy on the part of the defendants.
|Tel: 647 798 0614|
Please contact the editor if you would like others in your organization to receive this publication.