OTTAWA — A company that treats its customers’ data with inexcusable sloppiness might be liable for damages if hackers make off with that data, but is no more an accomplice to the theft than a security guard who dozes off on the job, the Ontario Court of Appeal has ruled.

The unanimous decision by a three-judge panel in Ontario’s top provincial court pulls together three cases with big-name defendants: credit bureaus Equifax and TransUnion and hotel chain Marriott, each of which is being sued for failing to protect customers’ data from hackers.

The decision sharply limits the financial penalties for companies with weak cyber defences. It means people whose private data gets stolen in Ontario can be repaid if they can prove the theft has cost them real money, but not for more amorphous “moral damages.”

It also makes class-action cases over negligence in protecting customer data, in which victims band together behind a single legal team fighting on their collective behalf, harder to bring.

The plaintiffs—customers of each company, seeking to start class-action suits—wanted to argue that Equifax, TransUnion and Marriott were so sloppy, they were effectively participants in hackers’ breaches of their systems.

The actual cases have not been heard but in the Equifax case the appeal court focused on for its reasoning, there’s no dispute about the basic facts: between May and July 2017, hackers broke into Equifax’s data stores and got detailed information on about 20,000 Canadians, from social insurance numbers to credit card numbers and passwords. Equifax told the world about it that September, including letters to its customers sent in the following weeks.

The hack has been expensive. Most of the estimated 147 million victims were in the U.S., and Equifax reached a US$425-million settlement with the Federal Trade Commission over it.

In February 2020, the Federal Bureau of Investigation indicted four people it identified as hackers working for China’s military for “the largest known theft of personally identifiable information ever carried out by state-sponsored actors,” alleging they exploited a weakness in Equifax’s online system for resolving disputes.

The woman suing Equifax, Alina Owsianik, got one of the letters. Equifax didn’t just track her creditworthiness—she was a customer on a subscription plan for active credit monitoring and assistance if her identity were stolen, so she had a specific relationship with the company.

Owsianik can still sue Equifax on the grounds of negligence, breach of contract and failure to live up to Ontario’s consumer-protection standards, the Court of Appeal found, but not for a wrong the court calls “intrusion upon seclusion.”

The right against intrusion upon seclusion is part of the definition of privacy that courts have built in Ontario. There’s no provincial legislation laying it out; judges have built it up through rulings, starting in a 2012 decision over a Bank of Montreal employee’s snooping in her partner’s ex-wife’s accounts.

If you violate someone’s right against intrusion upon seclusion in Ontario, you’ve committed a “tort,” a wrong for which you can be made to pay damages. In the 2012 case, snooper Winnie Tsige was ordered to pay her target $10,000. She hadn’t stolen anything quantifiable but she had still harmed her victim.

It “allows for a category of damages that aren’t available in negligence [cases],” Eric Charleston, a privacy-law specialist at the blue-chip law firm BLG, said in an interview. “With intrusion upon seclusion, all you would need to do is prove elements of the tort itself, and then the victim automatically gets an amount.”

If every victim is entitled to the same payment for a misdeed, it makes a class action much easier to pull together, he said.

But that idea doesn’t apply in any of these three cases, the Ontario Court of Appeal found. Third-party hackers broke into the computers and unless Equifax, TransUnion or Marriott was actively helping them, the companies aren’t in the same position as Tsige was, rummaging through her partner’s ex’s personal information.

If they were, Justice David Doherty wrote for a three-judge panel, the results would be absurd: “The security guard who fell asleep on the job, recklessly allowing an assailant to assault the person who the security guard was obliged to protect, would become liable for battery. The garage operator who negligently, and with reckless disregard to the risk of theft, left the keys in a vehicle entrusted to his care, would become a thief if an opportunistic stranger stole the car from the garage parking lot.”

We’re not buying it, the judges ruled. You can sue on other grounds in these cases, but people who failed to guard something are not in the same category as the people who stole it.

“The extension of the common law proposed in this submission would not be a small step along a well-established path, but would be a giant step in a very different direction,” the decision said.

“We do not yet know if we will be seeking leave to appeal to the Supreme Court of Canada,” Owsianik’s lawyer Jean-Marc Leclerc told The Logic in an email. “But there would seem to be a strong case for it. The [Supreme Court] considers cases having broad public interest, and every appeal court in Ontario that has touched the case has agreed there is broad public interest in the underlying issue of intrusion upon seclusion in hacker cases, which are occurring with greater frequency.”

If the Ontario decision stands, it protects companies there against some substantial risks, Charleston said, if they’re following industry-standard cybersecurity hygiene and privacy laws. 

“If, despite that, a third-party hacker gets into your system and steals data, you likely will not be responsible for the tort of intrusion upon seclusion,” he said. “The third-party act will not be viewed as your behaviour. And if you’re doing everything you should be doing with respect to cybersecurity and privacy compliance, then you likely will have a pretty good defence to a charge of negligence.”