Data breaches have been making headlines in Canada for a few years, and millions of people have had their data exposed to potential bad actors through breaches of various company databases, from medical labs to telecom companies. Lifelabs, a national lab that performs medical tests on patients across Canada, had its database breached in 2019. Once the hackers had access to the system, they demanded a ransom from the company in exchange for the data. Since then, class action suits have been filed against Lifelabs in B.C. and Ontario. However, plaintiffs are including a relatively new tort, for intrusion upon seclusion, in many of these class proceedings. The tort, created in 2012, was initially meant to address situations in which the defendant intentionally or recklessly breached the plaintiff’s data, causing humiliation or distress. Can this tort be applied in situations where the ‘bad actor’ is an unknown third party who breached the defendant company’s database? A recent Ontario case indicates that the tort will not be applied to a third-party breach.
What is Intrusion Upon Seclusion?
Privacy laws have been in place for decades in Canada, but in 2012, courts recognized a new tort applicable specifically to instances where a defendant unlawfully accesses a plaintiff’s private data, called intrusion upon seclusion. In Jones v. Tsige, the Ontario Court of Appeal found that a new cause of action was required to reflect modern privacy concerns after a bank employee was found to have accessed a colleague’s financial data without authorization nearly 200 times over four years. The plaintiff brought a claim for invasion of privacy which was originally dismissed because Ontario does not recognize invasion of privacy as a tort. However, the Court of Appeal found a need to create a new tort action to apply in similar situations, out of which intrusion upon seclusion was born.
To establish a cause of action for intrusion upon seclusion, a plaintiff must be able to demonstrate the following elements:
- the defendant’s behaviour was intentional or reckless;
- the defendant must have unlawfully accessed the plaintiff’s private information; and
- a reasonable person would be offended by the action, finding it would cause the plaintiff distress, humiliation or anguish.
Proving Intrusion Upon Seclusion by a Third Party
While the tort has been accepted in Canadian law, it is having limited success when used as the basis for a claim relating to a data breach by a third party. In Jones, the defendant was the person who had unlawfully accessed the plaintiff’s data. However, in many large-scale data breaches, the wrongdoer is an unidentifiable entity, leaving the business that was breached as the sole defendant for allowing the breach to occur.
In a recent decision, a split court determined that in cases of a third-party breach, the claim for instruction upon seclusion has no merit.
In Owsianik v. Equifax, a group of plaintiffs brought a claim against Equifax, an international credit monitoring company, after a data breach in 2017 exposed the financial information of millions of people across North America. A group of plaintiffs in Ontario initiated a class proceeding against Equifax, with one of the causes of action being intrusion upon seclusion. The certification judge approved the claim, saying that the tort was new and should be allowed to proceed, despite Equifax’s claim that the action was destined to fail, given the third-party nature of the breach. The judge felt that the plaintiffs should have an opportunity to argue the claim in court, as there had yet to be a case that had decided whether a defendant such as Equifax, “who recklessly permits a hacker attack to occur is liable for intrusion upon seclusion”. Equifax appealed this decision.
At the Ontario Divisional Court, the three-judge panel was split in its decision. The dissenting judge agreed with the findings of the certification judge and would have allowed the cause of action to proceed. However, the other two judges found that the tort does not apply to the case at hand, because intrusion upon seclusion is not relevant to a database breach by a third party, saying:
[T]o extend liability to a person who does not intrude, but who fails to prevent the intrusion of another…would, in my view, be more than an incremental change in the common law….
Equifax’s actions, if proven, amount to conduct that a reasonable person could find to be highly offensive. But no one says that Equifax intruded, and that is the central element of the tort. The intrusion need not be intentional; it can be reckless. But it still has to be an intrusion. It is the intrusion that has to be intentional or reckless and the intrusion that has to be highly offensive. Otherwise the tort assigns liability for a completely different category of conduct, a category that is adequately controlled by the tort of negligence.
Seek Advice From Experienced Litigation and Class Proceedings Counsel
Issues relating to litigation can become extremely complicated, and it is always best to ensure that you have representation who can provide you or your business with experienced and knowledgeable guidance through all aspects of the litigation process.
Contact Milosevic Fiske LLP in Toronto for unparalleled representation in even the most complex corporate and commercial disputes. Over the years, our team of exceptional litigators has seen it all and has successfully fought for our clients’ rights. Our impressive track record speaks for itself. Call us at 416-916-1387 or contact us online for a consultation.