In Owsianik v. Equifax Canada Co (Equifax), 2021 ONSC 4112, the Divisional Court was required to determine the scope of the court to intervene when Equifax's client stored data was hacked by an unknown third party. Specifically, the Court needed to determine whether the Court created tort known as intrusion upon seclusion would include the failure to protect people's private data against a third-party intrusion.
The tort intrusion upon seclusion is added to the legal landscape to protect against the unlawful invasion of privacy. This decision is particularly important in today's virtual world where mass amounts of sensitive and private information can be stored online.
The tort was first recognized in Jones. V. Tsige, 2012 ONCA 32. Sharpe J.A. set out the following elements for the tort of inclusion upon seclusion:
- The defendant's conduct must be intentional
- The defendant must have invaded, without lawful justification, the plaintiff's private affairs or concerns
- A reasonable person would regard the invasion as highly offensive, causing distress, humiliation, or anguish
The Divisional Court found that while the privacy of the plaintiff was breached, the tort requires the intrusion of privacy to have been committed by the defendant. In this case, it was a third-party intrusion meaning one of the elements of the tort were missing and the cause of action was doomed to fail.
Background
The Respondent sought the certification of a class action against Equifax relating to a security breach of their computer systems. The Appellant, Equifax, is part of a well-known credit-reporting agency that collects financial information of individuals and businesses across North America. In 2017, a hacker breached their computer systems, and the data of millions of consumers possessed by Equifax were accessed and exposed.
The Respondent alleged that Equifax was aware their security system was inadequately protected but did not take the necessary steps needed to protect against a data breach. They argued this constituted an intentional or reckless intrusion upon seclusion that would be highly offensive to a reasonable person.
...the intrusion was not committed by the defendant... |
Equifax argued that an element of intrusion upon seclusion was missing and so there was no cause of action. Specifically, the intrusion was not committed by the defendant, and to extend the scope of the tort to custodians of information would impose liability on a party who itself was a victim to the intrusion.
The certification judge hearing the matter decided to ignore the missing element of the defendant being the perpetrator and agreed to certify the class. The judge held that due to the tort being relatively novel it was not settled law that the cause of action would necessarily fail which is the test for certifying a class.
Held
The majority allowed the appeal and set aside the certification, determining that the cause of action for intrusion upon seclusion was doomed to fail. They relied on Atlantic Lottery Corp Inc. v. Babstock, 2020 SCC 19, where the Supreme Court of Canada established that even “novel claims that are doomed to fail should be disposed of at an early stage and that courts can do so even if this requires resolving complex questions of law and policy”.
The majority found that extending liability to those who do not intrude themselves, but rather fail to prevent the intrusion, would be more than an incremental change to the common law. Central to the tort of intrusion upon seclusion is that the defendant must have been the intruder. In this case, the intrusion was by a third party, not Equifax. For this reason, an element of the tort is missing and thus doomed to fail. Potential liability against recklessly storing data such that a third party may access it is already adequately controlled under the tort of negligence. This decision serves as a reminder that the law around cybersecurity is ever-evolving and providing remedies for those who fall victim to breaches of cybersecurity can be met through a variety of torts.
