New legal action for privacy breach doesn’t apply to hacked data aggregators

Ontario’s new legal tort of ‘intrusion upon seclusion’ does not apply in class actions against data aggregators that have been hacked, the Court of Appeal has confirmed.

Nine years ago, the courts came up with the new tort of intrusion upon seclusion to cover a situation in which one bank employee hacked the personal information of her colleague at the bank. The victim of the hack was an ex of the hacker’s partner at the time.

Having established the new tort, the courts said its scope would depend on how the caselaw developed. The tort doesn’t require proof of actual harm. To succeed in an intrusion upon seclusion privacy breach, the court looks for three conditions to be met:

• the defendant’s conduct must be intentional or reckless
• the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns
• a reasonable person would regard the invasion as “highly offensive, causing distress, humiliation or anguish.”

Obodo v. Trans Union of Canada Inc., released Friday, confirms the new tort does not apply to situations in which the defendant aggregators of sensitive information get hacked. Rather, it suggests a class action based on negligence is better suited in these situations.

Odobo references the court’s decision in Owsianik v. Equifax Canada Co., in which Equifax successfully argued the Court of Appeal did not intend for the intrusion upon seclusion tort to be expanded to database defendants.

“According to Equifax, to extend the tort to the custodian [of hacked data and information], would be to allow for the imposition of liability on a party who is itself a victim of the intrusion,” as the court framed the argument in Owsianuk.

The 2-1 majority of judges in Owsianuk agreed, stating: “The tort of intrusion upon seclusion…has nothing to do with a database defendant. It need not even involve databases….[T]o extend liability to a person who does not intrude, but who fails to prevent the intrusion of another…would, in my view, be more than an incremental change in the common law.”

Essentially, Odobo’s fact situation is similar, Ontario Court for Appeal Justice David Doherty wrote in his decision Friday. In Odobo, the Appeal Court only dealt with the question of whether TransUnion could be held vicariously liable for the breach — the only way to frame its security breach as ‘intentional.’

Odobo involves a large-scale intrusion by unknown and unauthorized persons into TransUnion’s database, which happened between June and July 2019. The hackers accessed the credit profiles of 37,444 persons, including credit reports, risk scores, and other personal information. The data was accessed using valid credentials belonging to an authorized employee of TransUnion’s customer, CWB National Leasing Inc.

The lead plaintiff in the case, Michael Odobo, whose personal information was hacked, asked the Appeal Court to overturn a lower court decision that declined to certify a class action lawsuit against TransUnion on the basis of intrusion upon seclusion. (The lower court did certify the class action on the basis of claims of negligence and some claims based on privacy law. The merits of the case have yet to be heard in court.)

The Appeal Court declined to do so, noting TransUnion was hacked and did not do the hacking.

Odobo tried to argue TransUnion was vicariously liable for the actions of one of the hackers, the employee of one of its customers. But the court found the hackers were not employees of TransUnion, and so the credit bureau was not vicariously libel for their actions.

“Mr. Obodo describes Trans Union as ‘an enabler,’” Doherty wrote. “There is, however, no allegation that Trans Union and the unknown hacker were co-conspirators, acted in concert, or in pursuit of a common unlawful goal. To the contrary, the allegation is that the hacker gained access to Trans Union’s database by stealing information from one of Trans Union’s customers….

“Absent a properly pleaded allegation of conspiracy or common enterprise, Trans Union could only be liable for the intrusion upon seclusion perpetrated by the third-party hacker if Trans Union was somehow vicariously liable for the actions of the hacker.”