On November 25, 2022, the Court of Appeal for Ontario (the “Court”) released a trio of decisions that materially impact the viability of class actions against organizations that fall victim to a cybersecurity attack. More particularly, the Court considered and definitively determined the issue of whether organizations that collect and store personal information about individuals for commercial purposes (“Database Defendants”), can be held liable for the tort of “intrusion upon seclusion”, if they fail to take adequate steps to protect the information from third-party “hackers”.
In Owsianik v Equifax Co. (“Owsianik”), Obodo v Trans Union of Canada, Inc. (“Obodo”) and Winder v Marriot International, Inc. (“Winder”) (collectively, the “Intrusion Cases”), three proposed class actions, the Court found that Database Defendants cannot be held liable for an intrusion upon seclusion caused by unknown, malicious third parties. While plaintiffs may continue to pursue other claims against Database Defendants, such as negligence or breach of contract, other causes of action often require proof of actual pecuniary loss. Accordingly, by eliminating the potential for plaintiffs to allege intrusion upon seclusion (which allows for claims of “symbolic” or “moral” damages), the Court has weakened support for the argument that a class proceeding is the preferable procedure for claims against Database Defendants that are subject to a cyberattack.