In Winder v Marriott International Inc. (“Winder“), the Ontario Superior Court of Justice has recently confirmed that a hacked company is not an “intruder” within the meaning of the tort of intrusion upon seclusion. Thus, no reasonable cause of action based on this tort lies against a company solely because it has been the victim of a hack.
In Winder, the plaintiffs had commenced a proposed privacy class action against the hotel chain. Included in the statement of claim was a claim based in intrusion upon seclusion. The plaintiffs argued that the hotel chain had been a constructive intruder because it had allegedly allowed the hackers into the affected database through inadvertence and then carried out an insufficient remedial response.
This was a motion under Rule 21.01(1)(a) to determine whether the tort of intrusion upon seclusion extended beyond the actual intruder. Relying on Obodo v Trans Union of Canada Inc., Del Giudice v Thompson, and Owsianik v Equifax Canada Co., the Court held that the ambit of the tort does not extend to constructive intruders and is limited to real ones. The Court reasoned that “constructive intruders” do not accord with the “letter and spirit” and policy rationales underlying the tort. Further, extending the tort to include constructive intruders such as hacked companies would serve no purpose but to open the floodgates unnecessarily. The Court found that there were no gaps in privacy laws that needed to be filled, as liability may already be imposed on a hacked company on the basis of other established causes of action, such as breach of contract or negligence.
The trend, at least in Ontario, appears to be that courts will construe intrusion upon seclusion narrowly, making it more difficult for plaintiffs’ counsel to successfully plead the tort in cases of data breaches. However, the tort of intrusion upon seclusion rarely travels alone; plaintiffs’ counsel are likely to increasingly rely on other companion causes of action such as negligence, breach of contract, and misrepresentation.
For more information about data protection and breaches or the litigation that may result therefrom, please contact Michael Schafler or Kristin AuCoin of Dentons’ Litigation and Dispute Resolution in Canada.
For more information about Denton’s data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business, including enterprise privacy audits, privacy program reviews and implementation, data mapping and gap analysis, and training in respect of personal information.