June 25, 2021
Ontario Courts Limits Liability for Cyber Attack Victims – June 25, 2021
Ontario Court Limits Liability for Cyber Attack Victims:
Failure to Protect Personal Information Does Not Attract Liability for Intrusion Upon Seclusion
By Ben Flanagan
Organizations across Canada and the United States experience cyber-attacks on a daily basis. When personally identifiable information is exposed in an attack, the incident constitutes a privacy breach. Restoring business operations and complying with regulatory obligations will be an organization’s first concerns after an attack. After the crisis is over, an organization will also confront the possibility of civil liability for the breach. The usual thought process is “will we be sued? On what basis? But we were attacked!” A recent Ontario Court decision (Owsianik v. Equifax Canada Co. 2021 ONSC 4112) provides some answers.
Equifax was the victim of a cyber-attack in 2017. The breach exposed personal information of thousands of Canadians and is now the subject of a class action.
At the certification stage for the class action, the plaintiff sought to certify a claim for intrusion upon seclusion, the new privacy tort first recognized by the Ontario Court of Appeal in 2012. Equifax argued that the claim for intrusion upon seclusion could not succeed because it had not intruded upon the plaintiff’s privacy. Equifax argued that, at most, it “facilitated the invasion” perpetrated by the hackers by failing to implement proper security safeguards. The certification judge rejected Equifax’s position and allowed the claim for intrusion upon seclusion to proceed. Equifax appealed.
The sole issue on appeal was whether a claim for intrusion upon seclusion was doomed to fail against a data custodian such as Equifax, which allegedly was reckless in the storage of personal information on its network, in turn enabling hackers to gain access.
The majority of the Divisional Court held that intrusion upon seclusion does not “extend liability to a person who does not intrude, but who fails to prevent the intrusion of another”. The Court’s analysis was predicated on the notion that the act of intrusion is the central element of this claim. While the Court confirmed that an intrusion could be reckless, there must still be an intrusion to succeed with the claim. The Court went on to note that, as offensive or reckless Equifax’s alleged conduct may have been, it did not constitute an intrusion. On this analysis, data custodians who recklessly store personal information do not “intrude upon” individuals’ privacy. Only the hacker actually intruded on the plaintiff’s privacy.
So long as this decision is upheld, organizations in Ontario with deficient (or even recklessly deficient) network security practices will not be held liable for a claim of intrusion upon seclusion. With that said, such organizations may still be found liable under alternative causes of action, such as negligence.
This recent Equifax class action decision is significant because intrusion upon seclusion does not require a plaintiff to prove damages. Instead, damages for intrusion upon seclusion can be awarded without proof of injury or pecuniary loss. This is unlike a negligence claim, where the plaintiff must prove the amount of damages and that the damages were caused by the organization’s breach of duty. In privacy breach cases, particularly the cyber variety, it will often be difficult or impossible for a plaintiff to do.
For further information or if you have any questions about the above article, please contact the author: Ben Flanagan, Dolden Wallace Folick Toronto, Email: firstname.lastname@example.org
|Tel: 604 891 0366|
Please contact the editor if you would like others in your organization to receive this publication.