A company learns its cybersecurity is vulnerable to hacking but fails to implement preventative measures. Hackers attack and access the private data of clients. Can these clients sue the company for the tort of privacy invasion (“intrusion upon seclusion”) or can the company escape liability because it has only allowed a third-party invasion?
The question turns on the definition of invasion. As held in the leading case of Jones v Tsige, the tort of intrusion upon seclusion consists of three elements:
- Intentional or reckless conduct;
- That invades the defendant’s privacy; and
- The invasion must reasonably be regarded as highly offensive causing distress, humiliation or anguish.
Does allowance of a third-party invasion meet the second requirement?
In deciding which of two actions should proceed as a class action in Ontario, the Court in Agnew-Americano v Equifax Canada expressed preliminary support favouring the possibility of liability for third-party invasions. The Court held claims that third-party invasions could attract liability for the tort of intrusion upon seclusion are not “fanciful or frivolous” but supported by a “viable argument.” In addition to drawing upon limited case law, the Court held that such claims are in tune with the broad and liberal approach courts have taken to privacy rights.