OCA refuses to extend intrusion upon seclusion liability to hacked commercial database holders – Law Times

Craig Lockwood

Nov 30, 2022

The Ontario Court of Appeal’s (OCA) recent refusal to expand the tort of intrusion upon seclusion to defendants who fail to adequately protect personal information collected and stored for commercial purposes was principled and reasoned, Craig Lockwood, partner, Litigation, says in an interview with Law Times.

The class action originated when third parties hacked the personal information databases stored by credit bureaus Trans Union and Equifax, and Marriott’s Starwood hotels. The databases included addresses, information on debts owing, payment histories, social insurance numbers, names, birthdates, driver’s license information, credit card numbers, email addresses, passwords, phone numbers, passport numbers and account information.

The plaintiffs’ certification applications sought to apply the OCA’s landmark 2012 decision in Jones v. Tsige, which recognized the intentional tort of intrusion on seclusion. Proof of the tort required evidence that a defendant had intentionally or recklessly unlawfully invaded or intruded upon a plaintiff’s private affairs in a manner that a reasonable person would regard as highly offensive, causing distress, humiliation or anguish.

“Intrusion upon seclusion obviated the need to prove a quantifiable loss, whereas a negligence claim requires such proof,” says Craig. “That’s important because not every data loss translated into something a hacker can use to cause an actual loss.”

“The court took the position that even if the defendants were reckless in preventing a wrong, their recklessness did not amount to an intentional act of intrusion that Jones requires,” says Craig. He maintains that the OCA did not diminish Jones’ scope.

“The court did not water down the value of privacy interests, but the decisions stop the trend of trying to leverage a very discrete advancement in the law to a situation that the Jones decision did not contemplate. Applying Jones to the database defendants would have been a giant leap in the law’s development, and not the incremental development that it is the courts’ job to allow.”

“Effectively, what the court said is that if plaintiffs have a remedy, don’t look to the courts to create a new one just because the existing remedy may be more burdensome.”

Read the full article by author Julius Melnitzer posted by Law Times on November 30, 2022