Significant Limits Placed on Cybersecurity Class Actions by the Highest Court in Ontario

Significant Limits Placed on Cybersecurity Class Actions by the Highest Court in Ontario

On November 25, 2022, the Ontario Court of Appeal (the ONCA) held that intrusion upon seclusion is not an eligible cause of action against a defendant who has been the victim rather than the perpetrator of a cyberattack. Owsianik v. Equifax Canada Co., 2022 ONCA 813 (Owsianik) was the lead case in a trilogy of decisions released the same day that offer long awaited clarity on the scope of this tort. These cases confirm that a defendant’s alleged failure to prevent a breach of privacy by an outside party will not give rise to a claim for intrusion upon seclusion.


Jones v Tsige was a classical snooping case and resulted in a seminal decision of the ONCA in 2012. Jones and Tsige were both employees of the Bank of Montreal (“BMO”) but worked at different branches. Jones did all of her personal banking with BMO. Over the course of four years and on 174 occasions, Tsige accessed and reviewed Jones’ private banking records. She was disciplined by BMO. Jones further sued Tsige for her conduct, alleging she committed the tort of invading her privacy. Both parties moved for summary judgment, with Tsige arguing that there is no common law tort of invasion of privacy. The lower court agreed with Tsige but the ONCA overturned the decision and recognized a new tort of “intrusion upon seclusion”. The ONCA held that in order to make out a claim for the tort of intrusion upon seclusion, a plaintiff must prove the following:

  1. The defendant’s conduct must be intentional, which can include recklessness;
  2. The defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns;
  3. The reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.

These three elements thus provide conduct, state of mind and consequence requirements for the tort. Note that proof of harm to economic interests is not required to make out a claim for intrusion upon seclusion. The ONCA intended to keep the parameters of this intrusion tort tight and narrow to avoid a floodgates of litigation.

In the decade since Jones, a number of privacy class actions have been commenced – and some certified – in circumstances bearing little similarity to Jones, including cases involving cyberattacks by third party bad actors. Owsianik and its two companion appeals (Obodo v. TransUnion of Canada, Inc., 2022 ONCA 814 and Winder v. Marriott International, Inc., 2022 ONCA 815) were proposed class actions arising out of cyberattacks in which hackers unlawfully accessed personal information stored on the defendants’ systems. The issue before the ONCA in all three appeals was whether such class action lawsuits are eligible to be certified because the defendants could be liable for intrusion upon seclusion, even if it was the hackers, rather than the defendants themselves, who had intruded on class members’ personal information.


In Owsianik, the Court unanimously upheld the lower court finding that it was “plain and obvious” that the intrusion upon seclusion claim could not succeed. The ONCA clarified that the state of mind requirement must be established in relation to the conduct requirement. If the defendant does not commit an intrusion, its intention or recklessness with respect to some other conduct will not suffice. As a result, a defendant who is the victim of a third party cyberattack cannot be liable for intrusion upon seclusion, even if the defendant was allegedly reckless in failing to properly secure the plaintiff’s private information. The ONCA also considered that the plaintiffs’ practical inability to sue the hacker in the present case was not a proper basis to impose liability on the defendants.

In Obodo, the ONCA also rejected the plaintiffs’ invitation to impose a form of vicarious liability on a defendant for “enabling” a cyberattack by failing to detect or prevent it. The policy considerations that justify the imposition of vicarious liability cannot exist absent an employer-employee relationship between the actual intruder and the defendant. The ONCA also emphasized the importance of disposing of claims without merit at an early stage rather than allowing them to proceed to trial, underscoring that even novel questions of law can and should be resolved on certification motions. In this regard, the ONCA noted the unfair burden placed upon class action defendants when courts artificially delay determination of important legal issues, giving the plaintiffs an undue advantage in any settlement negotiations.


This trilogy of cases gives much-needed clarity on the scope of the intrusion upon seclusion tort, and is extremely useful for businesses finding themselves in the position of having to defend privacy class action suits. The cases certainly encourages class action defendants to seek preliminary motions to dispose of claims without merit at an early stage. Going forward, we can expect claims based on the tort of intrusion upon seclusion to be limited to cases where the defendant itself has deliberately invaded the plaintiff’s privacy. However, depending on the factual circumstances, plaintiffs may still be able to bring loss-based claims such as negligence or breach of contract in response to cyberattacks.

Contact PRIVATECH for support with your privacy compliance obligations, data breach coaching, developing an effective incident response plan, or for further clarification on the tort of intrusion upon seclusion.