By Esther Shainblum and Martin U. Wissmath

Negligent security of personal data does not ‘transform’ into invasion of privacy: court

An organization that fails to adequately protect the personal data entrusted to it may be liable for negligence, breach of contract or violation of a privacy law statute, according to the Ontario Court of Appeal, but that does not mean the organization itself is liable for an invasion of privacy when they are the victim of a cyberattack. The Ontario Court of Appeal heard three appeals, published on November 25, 2022, for certification of class action lawsuits seeking to claim the tort of intrusion upon seclusion against defendant organizations whose commercial databases were hacked for personal information of customers (the “Three Appeals”). The Court of Appeal found there was no cause of action and reasons for dismissing the Three Appeals were written in the decision for Owsianik v Equifax Canada Co., 2022 ONCA 813. More fact-specific additional reasons were included in Obodo v Trans Union of Canada, Inc., 2022 ONCA 814, and in Winder v Marriott International, Inc., 2022 ONCA 815. The court’s judgment is relevant to charities and not-for-profits that keep a database of personal information, such as for members or donors.

The privacy tort of intrusion upon seclusion was first recognized by the Ontario Court of Appeal in Jones v Tsige, 2012 ONCA 32 (Jones), where “the defendant repeatedly accessed the private banking records of the plaintiff, the former wife of the defendant’s common-law partner, without lawful justification.”  There are three requirements for the tort of intrusion upon seclusion:

•        the defendant must have invaded or intruded upon the plaintiff’s private affairs or concerns, without lawful excuse [the conduct requirement];

•        the conduct which constitutes the intrusion or invasion must have been done intentionally or recklessly [the state of mind requirement]; and

•        a reasonable person would regard the invasion of privacy as highly offensive, causing distress, humiliation or anguish [the consequence requirement].

In the Court of Appeal’s analysis for the Three Appeals, there was no viable cause of action for intrusion upon seclusion, as the alleged intrusions were committed by “unknown third-party hackers, acting independently from, and to the detriment of, the interests of the Database Defendants.”  According to the court, the claim already failed at the “fundamental level” of the conduct requirement, because it was not the Database Defendants’ conduct, but rather the conduct of independent hackers, that invaded the privacy of the plaintiffs. “Negligence cannot morph or be transformed into an intentional tort” the court stated, and the “inability to successfully sue the hacker is no reason to make a Database Defendant liable, not only for its own wrongdoing, but also for the invasion of privacy perpetrated by the hacker.”  As stated by the court in Owsianik:

Moral damages are awarded to vindicate the rights infringed, and in recognition of the intentional harm caused by the defendant. These purposes are served only if the damages are awarded against the actual wrongdoer, that is the entity that invaded the privacy of the plaintiff [paragraph 77].

The court noted that the plaintiffs had remedies available against the Database Defendants – namely claims for breach of contract, negligence, or breach of a statute.  If these are inadequate to encourage Database Defendants to take all reasonable steps to secure data in their control, it is, according to the court, for Parliament and provincial legislatures to expand protections under privacy law to create more effective remedies.

Although these cases suggest that charities and not-for-profits targeted by cybercriminals will not be found liable for the tort of intrusion upon seclusion, they should ensure that they diligently learn and apply industry best practice standards for securing personal information in databases under their control.  Charities and not-for-profits may still be held liable in negligence, breach of contract or breach of a statute, if they are the target of hackers who bypass insufficient security measures to access their data.

​Read the January 2023 Charity & NFP Law Update