On June 9, 2021, in Owsianik v Equifax Canada Co (Equifax), 2021 ONSC 4112, a majority of the Divisional Court overturned the certification of intrusion upon seclusion as a common issue in a class proceeding involving a cyberattack. The decision represents the first time an appellate court has considered the scope of the tort since the Ontario Court of Appeal first recognized it as a cause of action in Jones v Tsige (Jones).
In 2017, hackers accessed Equifax's computer network without authorization, allegedly exposing personal and financial information of consumers across North America to the hackers.
The plaintiffs commenced a class action alleging various causes of action, including the tort of intrusion upon seclusion. In the pleadings, the plaintiffs claimed that Equifax knew that its computer network was vulnerable to cyberattacks and chose to do nothing, and that those omissions constituted an intentional or reckless intrusion upon seclusion. This claim represented a novel application of the tort against a defendant who was the victim of a cyberattack perpetrated by a third party.
The tort of intrusion upon seclusion was first recognized in Jones in 2012. To make out a claim for intrusion upon seclusion, the plaintiff must show that:
- The defendant committed an intentional (or reckless) and unlawful intrusion into the plaintiff's affairs;
- The matter intruded upon was private;
- The intrusion would be highly offensive to the reasonable person; and
- The intrusion caused the plaintiff distress, humiliation, or anguish.
Since Jones, intrusion upon seclusion has been certified as a common issue in several privacy class actions, although some courts had expressed doubt that such a claim could succeed against a defendant who was not itself an "intruder." A central issue in Equifax was whether it was plain and obvious that the plaintiff's intrusion upon seclusion claim was doomed to fail, because the defendant was the victim rather than the perpetrator of the cyberattack.
The motion judge certified the plaintiff's claim for intrusion upon seclusion on the basis that it represented a novel application of the tort. He found that the question of whether a defendant who recklessly permits a cyberattack to occur is liable for intrusion upon seclusion had not yet been settled. For this reason, he concluded it was not plain and obvious that the claim would fail.
DIVISIONAL COURT DECISION
A majority of the Divisional Court held that the plaintiff's claim for intrusion upon seclusion did not disclose a reasonable cause of action and should not have been certified. Accepting the pleaded facts as true, the majority found that Equifax was not an intruder because it was the hackers that perpetrated the cyberattack. Considering that Jones requires the defendant to commit the intrusion, the plaintiffs' claim amounted to more than an incremental development in the law and was doomed to fail. The majority also emphasized that the tort of negligence adequately addressed the conduct alleged by the plaintiff, provided that class members could prove they suffered compensable damages.
The majority relied on recent guidance from the Supreme Court of Canada in Atlantic Lottery Corp Inc v Babstock (Babstock) (see Blakes Bulletin: SCC Waves Goodbye to Waiver of Tort) that claims – even novel claims that are doomed to fail should be disposed of at an early stage of the proceedings. Babstock underscored that such claims present "no legal justification for a protracted and expensive trial." The majority in Equifax found that the plaintiff's intrusion upon seclusion claim needed to be vetted at the pleadings stage.
The dissenting judge did not consider Babstock to be applicable to this case because the plaintiff alleged a novel application of a recognized tort rather than an entirely new cause of action. She would have found that such a claim constituted an incremental development of the law that should be allowed to proceed to trial for adjudication on its merits.
While there may be further appeals, the Equifax case represents a significant development in Canadian privacy law, with the majority confirming the status of intrusion upon seclusion as an intentional tort that should not be conflated with negligence. The defendant must be the party to commit the intrusion - intrusion upon seclusion is not a viable cause of action where the plaintiff alleges only that the defendant failed to act to prevent a cyberattack.
The majority judgment also reaffirms the cause of action certification criterion as a meaningful screening tool. Equifax confirms that novel claims, including a novel application of a recognized cause of action, should be fully vetted at the pleadings stage if it is possible to do so.
Co Author by Mackenzie Claggett (Summer Law Student)
For permission to reprint articles, please contact the Blakes Marketing Department.
© 2020 Blake, Cassels & Graydon LLP.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.