Alleged careless security is not enough to make a hacked company the “intruder”
The tort of intrusion upon seclusion was brought into the Canadian common law with the Ontario Court of Appeal’s decision in Jones v Tsige. That case opened the virtual floodgates for privacy class actions across Canada, many of which have been initiated after data breaches at companies potentially exposed large troves of customer information. Since then, courts hearing certification applications for such class actions have been whittling away at the application of that particular tort in cases of externally caused data breaches. Most recently, in Winder v. Marriott International, Inc., the Ontario Superior Court of Justice refused to certify a class action claim on the basis of the intrusion tort.
The suit was commenced following an extended compromise of the information systems of the Marriott chain of hotels. Over a four-year period, a hacker had compromised Marriott’s databases and installed malware. Once in the system, the threat actor had the ability to extract the personal information of customers. The plaintiffs alleged that after the data breach was discovered, Marriott waited two months before it took steps to mitigate the harm to the affected individuals. “It is alleged that Marriott’s remedial steps were of miniscule assistance to the Class Members, who were not provided with credit monitoring and other measures to protect their identities. They were not offered compensation for the harm to their privacy rights.” (at para 3)
A range of recent cases have established that it is the “hacker” who intrudes and would be a proper defendant for intrusion upon seclusion claims, but a company whose systems are compromised has not “intruded” upon the private affairs of the affected individuals. The plaintiffs in this case, in an argument characterized as “quite clever” by Justice Perell, said that Marriott was akin to an intruder because of its reckless security.
[9] In a quite clever argument, Mr. Winder submits that in the immediate case, Marriott obtained the Class Members’ highly confidential personal information deceptively, that is, by false premises, and he submits that this makes Marriott a reckless intruder who exposed sensitive stored personal information to the risk of harm. He submits that this conduct is reckless and objectively offensive to a reasonable person.
[10] In a Trojan Horse analogy, (ironically apt for a data breach case), Mr. Winder’s argument is that Marriott is an intruder to the database that housed their personal information. Like the Athenians and Spartans, whose wooden horse got them inside the formidable stone walls of Troy, were intruders, Marriott allowed the hacker into its database. Mr. Winder goes on to argue that he has pleaded the material facts for the other constituent elements of the tort of intrusion on seclusion.
Justice Perell quoted from his previous overview of the tort of intrusion upon seclusion in Del Giudice v. Thompson and found the claim failed on five grounds:
[13] First, I am not persuaded that the pleaded material facts of the immediate case are sufficient to make Marriott an intruder for the purposes of the tort of intrusion on seclusion. At most, it might be said that Marriott is a constructive intruder. However, a reading of the Court of Appeal’s decision in Jones v. Tsige reveals that both the letter and spirit of the Court’s decision and the policy reasons behind it, prescribe a narrow – do not open the floodgates of liability – ambit for the tort of intrusion on seclusion. The ambit of the tort does not extend to constructive intruders and is limited to real ones.
[14] Second, there is no gap in the law of privacy that needs to be filled by extending the nature of intruders. The tort of intrusion on seclusion is not needed to extend liability to defendants who obtain information by false pretenses or by breaching contractual promises or by failing to comply with statutorily imposed privacy safeguards. The law associated with negligence, breach of confidence, breach of fiduciary duty, breach of contract, and breach of statute address or could address the pleaded circumstances of the immediate case.
[15] Third, clever as the attempt is to fashion an extension to the tort of intrusion on seclusion, the essence of the Class Members’ claims, their pith and substance so to speak, are the other causes of action with their well-established doctrinal elements. Contrary to the doctrinal and legal policy concerns emanating from the Court of Appeal’s decision in Jones v. Tsige, extending the tort of intrusion on seclusion to constructive intruders would open the “floodgates” and would ascribe liability adequately controlled by other causes of action.
[16] Fourth, while there are advantages to a class member having a claim for the tort of intrusion because of its prospect of supporting a claim for class-wide aggregate damages, the availability of a cause of action is determined by the substantive law not by the tactical and strategic imperatives of a procedural regime or by the aspirations of the parties for negotiating leverage.
[17] Fifth, ultimately the case at bar is indistinguishable factually, doctrinally and on legal policy grounds from Owsianik v. Equifax Canada Co., Del Giudice v. Thompson, and Obodo v. Trans Union of Canada Inc. I am bound to follow those decisions.
Thus, the intrusion claim against Marriott was struck.