The recent hack of the Ashley Madison website and the subsequent
release of personal information is already the subject of multiple
class actions. The risks associated with information technology are
not new. Any company which holds personal information or relies on
a computer network is potentially susceptible to cyber-liability
through hacks, network interruptions, programming errors, data
theft, and other cyber-risks. However, the exposure from a privacy
law class action is relatively novel and companies should take care
to examine their insurance policies and ensure there is no gap in
In Ontario, class actions like those based on the Ashley Madison
hack arise out of the new and evolving area of privacy law.
Invasion of privacy was first recognised as a distinct cause of
action by the Ontario Court of Appeal in Jones v. Tsige, 2012 ONCA 32.
In Jones v. Tsige, the privacy tort in issue was
intrusion upon seclusion. Importantly, the nature of this tort
presents a potential insurance issue as the cause of action is
complete without proof of harm to a recognized economic
interest.1 The three key features of intrusion upon
the conduct must be intentional, which includes
the defendant invaded the private affairs or concerns of an
individual without lawful justification; and
a reasonable person would regard the invasion as highly
offensive causing distress, humiliation or
The tort of intrusion upon seclusion is meant to arise only in
cases of deliberate and significant invasions of personal privacy.
Personal subject matter can include financial or health records,
sexual practices and orientation, employment, diary or private
correspondence – generally, information the invasion of which
would be highly offensive when viewed on the reasonable person
standard.3
Although grounded in negligence, it bears repeating that in this
tort, damages can be awarded where no loss has been sustained.
While these damages are limited to a relatively modest range on an
individual basis,4 a class action ups the ante and
magnifies the exposure.
To date, privacy law class actions have encompassed the taking
of customers' personal information by an employee and provision
to a third party for fraudulent and improper purposes,5
the loss of an external hard drive that contained personal
information,6 and the incidental disclosure of a
person's involvement in a medical program by identification of
that program on the outside of an envelope,7 to name but
a few. None of these privacy law class actions have been determined
on their merits and so it is as yet unknown to what standard
corporations will be held. Nonetheless, there are enough privacy
class actions to identify a clearly growing trend.
Looking forward, managing cyber-risk will involve not only loss
prevention strategies but also, when the inevitable breach or
exposure occurs, loss transfer strategies. Many insurers are now
writing and offering cyber-risk assessment and cyber-risk coverage
as stand-alone products and/or as part of pre-existing risks
policies and covers. Corporations would be well advised to check
their own policies for cyber-risk coverage and, in particular, for
coverage for the new and evolving privacy torts.
When discussing cyber-risk insurance with their brokers,
corporations should ensure that they understand the current data
protection regulation in their relevant jurisdictions, that they
examine and understand the strengths and weaknesses of their
information technology systems, and that they have adequate
policies and procedures in place to guard against potential
breaches as well as cyber-risk coverage. Managing cyber-risk
exposure should be top of
mind and will probably involve professional advice across a wide
range of areas, including information technology, human resources,
legal, and insurance.
1 Jones v. Tsige, 2012 ONCA 32 at para.
2 supra at para. 71
3 supra at para. 72
4 supra at para. 87
5 Evans v. Bank of Nova Scotia, 2014 ONSC
6 Condon v. Canada, 2014 FC 250; allowing
additional claims 2015 FCA 159