Liability for cyber attacks clarified by Ontario Court of Appeal

The Ontario Court of Appeal released a trilogy of decisions on November 25 on the availability of the “intrusion upon seclusion” tort in data breach class actions. At issue was whether the tort can be used against corporate defendants that had been hacked by unknown third parties.

What you need to know

• The Court held that intrusion upon seclusion cannot be used to impose liability on the companies that had been hacked.
• This result:
  • brings welcome confirmation of the scope of the tort;
  • avoids expanding the risk profile of data breaches perpetrated by third-party hackers;
  • prevents class action plaintiffs from leveraging this developing area of the law to secure larger settlements; and
  • has the potential to impact current legislative reform.

Background

On the decisions

The decisions in the trilogy are Owsianik v. Equifax Canada Co., 2022 ONCA 813, Obodo v. Trans Union of Canada, Inc., 2022 ONCA 814, and Winder v. Marriott International, Inc., 2022 ONCA 815. All three decisions involved proposed class actions where:

• the proposed class are individuals whose personal information was (or is alleged to have been) compromised in a data breach;
• the defendant is the company that handled and stored the personal information; and
• the data breach was perpetrated by unidentified third-party hackers.

In substance, the plaintiffs’ allegations were that the defendant companies failed to take appropriate steps to protect the plaintiffs’ personal information. These alleged facts were the foundation of a number of different legal claims against the defendants, including the intrusion upon seclusion tort.

For example, in the Equifax decision, it was alleged that the intrusion occurred when the defendant “failed to take appropriate steps to guard against unauthorized access to sensitive financial information involving the Class Members’ private affairs or concerns.” In each proposed class action, the allegation was that the defendants failed to prevent interference with the plaintiffs’ privacy interests, not that the defendants themselves directly interfered with those privacy interests.

On intrusion upon seclusion

There are three elements to the tort known as “intrusion upon seclusion”:

1. the defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse (the “conduct requirement”);
2. the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly (the “state of mind requirement”); and
3. a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation or anguish (the “consequence requirement”).

Intrusion upon seclusion stands out from most other claims in data breach class actions because it can result in an award of “moral damages”. These damages do not require the plaintiff to prove they suffered any financial loss or diagnosed injury.

In Jones v. Tsige, the Court of Appeal said that moral damages of up to $20,000 could be awarded for the tort. In Jones, the Court awarded $10,000 to a plaintiff in that case whose personal banking information had been surreptitiously viewed by her ex-husband’s new partner 174 times without authorization. To date, most awards of moral damages have been made outside class actions and have involved invasions of privacy in the context of intimate personal relationships.

The result

The Court held that intrusion upon seclusion claims in the three proposed class actions cannot be certified against the defendant companies that had been hacked.

The Court’s rationale was based on a single key point: none of the defendants in these cases were alleged to have met the conduct requirement for intrusion upon seclusion—they were not alleged to have been the parties that actually “intruded upon the plaintiff’s private affairs or concerns, without lawful excuse”. Rather, the defendants are only alleged to have failed to protect the plaintiffs’ personal information from intrusion.

The Court also rejected the argument that the allegation that the defendant was reckless with respect to the protection of the plaintiffs’ personal information was sufficient to impose liability for the tort on the defendant. The Court held that that the state of mind of the company (element two of the tort) that suffered the data breach is irrelevant if the conduct requirement (element one) is not met.

The Court also refused to hold the defendant companies responsible for the actions of the third-party hackers on the basis of vicarious liability. The plaintiffs argued that imposing vicarious liability on the corporate defendants would be an appropriate, incremental development in the case law in light of various factors, including the absence of an effective remedy for persons whose information is hacked by an unknown third party. The Court rejected this argument for four reasons.

First, neither the defendants nor anyone acting on their behalf or in consort with them (the traditional bases of imposing vicarious liability) were alleged to have unlawfully accessed personal information.

Second, to impose liability on the company that had been hacked for this tort would create a new and very broad basis for imposing liability for intentional torts. The Court offered the example of “[t]he garage operator who negligently, and with reckless disregard to the risk of theft, left the keys in a vehicle entrusted to his care, would become a thief if an opportunistic stranger stole the car from the garage parking lot.”

Third, there was no absence of available remedies. A negligence remedy is available against a corporate defendant that has been hacked if a plaintiff can show that: (a) the hacked company had a legal obligation to protect the plaintiffs’ information, (b) the company failed to meet this obligation, and (c) this failure resulted in compensable harm to the plaintiffs. The inability to identify the hackers to bring tort claims against them does not justify extending intrusion upon seclusion to corporate defendants who were victims of hacking.

Moreover, we note that there are data breaches where the company or law enforcement do identify the hackers, resulting in prosecution, disgorgement of funds gained from the attack, and providing an avenue for a civil tort claim. This further supports why corporate defendants should not be liable for intrusion on seclusion in cases where the perpetrator is an unrelated third party.

Fourth, to award “moral damages” against the hacked company instead of the hacker would run contrary to the purposes underlying the award for such damages. The Court said that “[m]oral damages are awarded to vindicate the rights infringed, and in recognition of the intentional harm caused by the defendant. These purposes are served only if the damages are awarded against the actual wrongdoer, that is the entity that invaded the privacy of the plaintiff.”

Impact and analysis

Subject to an appeal to the Supreme Court of Canada, the Court’s decisions in the trilogy could impact the four following areas.

Risk profile

Had the tort been expanded to cover companies who have suffered a breach, it would have dramatically increased the risk profile of almost any cyber incident where personal information is compromised. This is because for a claim of intrusion upon seclusion, moral damages are not based on provable harm. Recall that a single plaintiff in Jones was awarded $10,000 for the tort (albeit under very different circumstances than a cyberattack). However, if even a fraction of this amount were awarded on a per-class member basis, the potential liability for a company that suffered a cyberattack compromising the personal information of a large number of individuals would be staggering, even where no class member suffered any loss.

That said, litigation risk following a data breach involving compromised personal information still exists. As the Court points out, the law still imposes liability where plaintiffs can show the defendant “had an obligation at tort, under contract, or perhaps under statute, to protect the private information stored in its database from access by third-party hackers, and failed to do so, thereby causing economic harm to the plaintiffs.” Liability for compensable harm will therefore remain a key factor in assessing litigation risk following a breach.

Loss of advantage for class counsel

The Court highlighted that pleading intrusion on seclusion against corporate defendants was providing plaintiffs’ counsel with three cascading advantages:

1. Class actions were being certified with this claim because courts were reluctant to hold that it was “plain and obvious” the claim could not succeed;
2. Courts were more likely to certify aggregate damages awards for moral damages because damages that do not require individual proof of loss are well-suited to a class action proceeding; and
3. Class counsel could leverage the above and the risk of a moral damages award in settlement discussions.

Now that the Court of Appeal has confirmed that intrusion upon seclusion is not available against defendants that have suffered a data breach, there will be pressure on plaintiffs to only advance cases where they can plead compensable harm. This may help stem the tide of class actions following data breaches where the representative plaintiff cannot show compensable loss.

Vicarious liability in data breaches

While the Court refused to impose vicarious liability on the defendants for the actions of third-party hackers in these cases, the Court did not go so far as to refuse the possibility of vicarious liability in other circumstances. We expect the boundaries of vicarious liability in other cyber contexts, especially breaches involving malicious employee conduct, to continue to be contested.

Legal reforms

These decisions were released while Bill C-27 is in the midst of second reading in Parliament. If passed, Bill C-27 would, among other things, establish the Consumer Privacy Protection Act (CPPA). As currently drafted, the CPPA creates a statutory cause of action for breaches of a number of its substantive obligations, including the protection of personal information. However, consistent with the Court of Appeal’s decision in the trilogy, some form of compensable harm would still need to be established by a plaintiff.

Nevertheless, it is possible that after the release of these decisions, some advocates will point to the result as proof that statutory damages ought to be included in the CPPA.

You can read more on Bill C-27 and its proposed reforms in our earlier bulletin “Federal government introduces new privacy, cybersecurity and AI legislation”.

We also note that while Québec’s Bill 64 creates punitive damages for some statutory breaches, the law requires the breach to be intentional or due to “gross negligence”.