Court of Appeal for Ontario Limits Intrusion Upon Seclusion Claims in Cybersecurity Cases

On November 25, 2022, in Owsianik v. Equifax Canada Co., 2022 ONCA 813 (Owsianik), the Ontario Court of Appeal (Court) held that intrusion upon seclusion is not a viable cause of action against a defendant who has been the victim rather than the perpetrator of a cyberattack. Owsianik was the lead case in a trilogy of decisions released the same day that offer much-needed clarity on the scope of this tort, confirming that a defendant’s alleged failure to prevent a breach of privacy by an outside party will not give rise to a claim for intrusion upon seclusion.

The tort of intrusion upon seclusion was first recognized by the Court in Jones v Tsige (Jones) in 2012, allowing recovery of moral damages for invasion of privacy even absent pecuniary loss. Jones was a classic case of snooping, in which the defendant improperly accessed the plaintiff’s private financial records. In the decade since Jones, a number of privacy class actions have been commenced – and some certified – in circumstances bearing little similarity to Jones, including cases involving cyberattacks by third party criminals.

Owsianik and its two companion appeals (Obodo v. TransUnion of Canada, Inc., 2022 ONCA 814 and Winder v. Marriott International, Inc., 2022 ONCA 815) were proposed class actions arising out of cyberattacks in which hackers unlawfully accessed personal information collected and stored by the defendants. The issue before the Court in all three appeals was whether the defendants could be liable for intrusion upon seclusion when it was the hackers, rather than the defendants themselves, who had intruded on class members’ personal information.

In Owsianik, the Court unanimously upheld the majority decision of the Divisional Court, finding that it was “plain and obvious” that the intrusion upon seclusion claim could not succeed. First, the Court restated the elements of the tort as follows:

1. the defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse (the “conduct requirement”);
2. the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly (the “state of mind requirement”); and
3. a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation, or anguish (the “consequence requirement”).

The conduct requirement is made out only where the defendant commits an act that constitutes a deliberate invasion into the plaintiff’s privacy – that is, where the defendant is the “intruder.” In this regard, the Court clarified that the state of mind requirement must be established in relation to the conduct requirement. If the defendant does not commit an intrusion, its intention or recklessness with respect to some other conduct will not suffice. As a result, a defendant who is the victim of a third party cyberattack cannot be liable for intrusion upon seclusion, even if the defendant was allegedly reckless in failing to properly secure the plaintiff’s private information.

In reaching this conclusion, the Court rejected several arguments made by the plaintiffs in all three appeals. Among others, the Court dismissed an argument that class members were left without a remedy for invasion of their privacy. Plaintiffs whose personal information is affected by a cyberattack may have claims against the defendant in negligence or breach of contract depending on the factual circumstances, although those claims will generally require proof of pecuniary loss. Where a plaintiff is left without a claim in contract or negligence for lack of compensable harm, this does not mean that she has “no remedy”. The Court also considered that the plaintiffs’ practical inability to sue the hacker in the present case was not proper basis to impose liability on the defendants.

In Obodo, the Court also rejected the plaintiffs’ invitation to impose a form of vicarious liability on a defendant for “enabling” a cyberattack by failing to detect or prevent it. The policy considerations that justify the imposition of vicarious liability cannot exist absent an employer-employee relationship between the actual intruder and the defendant. That is consistent with the caution in Jones that the parameters of the intrusion tort should be kept tight and narrow.

The Court also emphasized the importance of disposing of unmeritorious claims at an early stage rather than allowing them to proceed to trial, underscoring that even novel questions of law can and should be resolved on certification motions or motions to strike. In this regard, the Court noted the unfairness visited on class action defendants when courts artificially delay determination of important legal issues, giving the plaintiffs an undue “leg up” in the certification process and any settlement negotiations.

This trilogy of cases gives much-awaited clarity on the scope of the intrusion upon seclusion tort. Further appeals are possible, but these cases signal that going forward, claims for intrusion upon seclusion should be limited to cases where the defendant itself has deliberately invaded the plaintiff’s privacy. However, depending on the factual circumstances, plaintiffs may still be able to bring loss-based claims such as negligence or breach of contract in response to cyberattacks. The Court also left for another day the scope of the statutory privacy torts that have been enacted in some provinces.

Owsianik also serves as a welcome affirmation of the courts’ vital role in screening out unviable claims at or before certification rather than simply deferring them to a common issues trial. This is encouraging for class action defendants looking to use preliminary motions to dispose of unmeritorious claims at an early stage.

Please see our Blakes Bulletin dated June 15, 2021, for a discussion of the Divisional Court decision in Owsianik.
 
For further information, please contact:

Nicole Henderson       +1-416-863-2399

or any other member of our Class Actions or Cybersecurity groups.