November 2022

You got hacked: Limits on Liability - AN UPDATE

Case Study of Owsianik v. Equifax Canada Co, and Intrusion of Seclusion

Theresa Hartley,
Partner

Adam Ostermeier
Paul Jacoby,
Associate Lawyer

By Theresa Hartley and Paul Jacoby

This article updates the publication of the same name first released in July 2021.

Overview

The Ontario Court of Appeal recently held that the tort of intrusion upon seclusion cannot be used to recover damages from a "database defendant" if the information being stored is accessed by independent third-party hackers. A database defendant is one who, "for commercial purposes, collected and stored the personal information of others."1

Canadians with any form of online presence are at risk of being the victims of data breaches. This can leave their valuable personal information, such as credit card numbers, social insurance numbers and driver's license numbers, in the hands of unknown hackers. There's no doubt that a third-party hacker with access to that information can cause significant harm.

This decision may be interpreted as being helpful for database defendants, a position in which many Canadian corporations may find themselves, and hurtful to consumer rights; however, the Court makes clear that consumers may still recover damages for data breaches in negligence, contract and under various statutes.2

The Facts and Law

In this case, the appellants were attempting to rely on the tort of intrusion upon seclusion as a part of class action proceedings.3 Hackers gained access to information stored by the respondents, Equifax and related companies, containing social insurance numbers, names, dates of birth, addresses, driver's licence numbers, credit card numbers, email addresses, and passwords of an estimated 20,000 Canadians.4

Intrusion upon seclusion is "an intentional or reckless invasion of the private affairs of another, without lawful justification, in circumstances in which a reasonable person would regard the invasion as highly offensive and causing distress, humiliation or anguish, was actionable without proof of any pecuniary loss."5

Its components were outlined by the court as the following:

  1. the defendant must have invaded or intruded upon the plaintiff's private affairs or concerns, without lawful excuse [the conduct requirement];

  2. the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly [the state of mind requirement]; and

  3. a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation, or anguish [the consequence requirement].6

In denying the certification of the appellants' class action, the court focused on the state of mind component of intrusion upon seclusion. It acknowledged that the database defendants did not take steps to prevent the unauthorized disclosure of the appellants' personal information, but also emphasized that the database defendants, themselves, did not intentionally interfere with the personal information.7

The court further stated, "Equifax's recklessness as to the consequences of its negligent storage cannot make Equifax liable for the intentional invasion of the plaintiffs' privacy committed by the independent third-party hacker."8 Recklessness, "a subjective state of mind, refers to the realization at the time the prohibited conduct is being done that there is a risk that the conduct will intrude upon the privacy of the plaintiffs, coupled with a determination to nonetheless proceed with that conduct."9

Implications on Privacy Law

The tort of intrusion upon seclusion will now be more difficult to prove against a database defendant; however, consumers still have causes of action as a result of privacy breaches through negligence, contract and under various statutes.10

Each database defendant will have unique data protection needs based on many factors, including the sensitivity of the personal information and the risk of harm to the individual. Accordingly, database defendants must ensure they are compliant with all relevant privacy statutes and cases by seeking legal advice, retaining IT companies, and training staff to develop and implement the necessary safeguards.


  1. Owsianik v. Equifax Canada Co., 2022 ONCA 813 at para. 2.
  2. Ibid., at para. 8.
  3. Owsianik, supra note 1, at para. 4.
  4. Ibid., at paras. 15-16. As proceedings were still in the certification stage, the court took the factual allegations as true to determine whether a proper cause of action was pleaded.
  5. Jones v. Tsige, 2012 ONCA 32, 108 O.R. (3d) 241 at paras. 70-71.
  6. Ibid., at para. 54.
  7. Ibid.
  8. Ibid., at para. 61.
  9. Ibid., at para. 60.
  10. Ibid., at para. 8.


mccague borlack llp