Skip to content

Canada's Business and Tech Newsroom

  • Professional Subscription
  • Partnerships & Advertising
  • Licensing & Syndication
Log In Subscribe
Welcome,
  • My Account
  • Log Out
  • Business
  • Tech
  • National
  • The Big Read
  • Briefings
  • Commentary
Search
Log In Subscribe
Welcome,
  • My Account
  • Log Out
News

Ontario court ruling limits damages in privacy-breach cases

OTTAWA — A company that treats its customers’ data with inexcusable sloppiness might be liable for damages if hackers make off with that data, but is no more an accomplice to the theft than a security guard who dozes off on the job, the Ontario Court of Appeal has ruled.

News

Ontario court ruling limits damages in privacy-breach cases

Decision makes class actions more difficult to bring by ruling out ‘moral damages’

By David Reevely
The Equifax building in Atlanta, Ga., in 2012. Photo: AP Photo/Mike Stewart
Dec 5, 2022
A A
A Small A Medium A Large
Share

Gift

Share

The Equifax building in Atlanta, Ga., in 2012. Photo: AP Photo/Mike Stewart

OTTAWA — A company that treats its customers’ data with inexcusable sloppiness might be liable for damages if hackers make off with that data, but is no more an accomplice to the theft than a security guard who dozes off on the job, the Ontario Court of Appeal has ruled.

The unanimous decision by a three-judge panel in Ontario’s top provincial court pulls together three cases with big-name defendants: credit bureaus Equifax and TransUnion and hotel chain Marriott, each of which is being sued for failing to protect customers’ data from hackers.

The decision sharply limits the financial penalties for companies with weak cyber defences. It means people whose private data gets stolen in Ontario can be repaid if they can prove the theft has cost them real money, but not for more amorphous “moral damages.”

Talking Points

  • Ontario’s courts recognize that privacy includes a right against “intrusion upon seclusion” that can lead to financial liability even if a victim doesn’t suffer a quantifiable harm
  • Companies that are sloppy with customer data might be liable for negligence or other damage, but they aren’t violators of privacy rights in the same way as hackers who take advantage of them, the province’s Court of Appeal has ruled

It also makes class-action cases over negligence in protecting customer data, in which victims band together behind a single legal team fighting on their collective behalf, harder to bring.

The plaintiffs—customers of each company, seeking to start class-action suits—wanted to argue that Equifax, TransUnion and Marriott were so sloppy, they were effectively participants in hackers’ breaches of their systems.

The actual cases have not been heard but in the Equifax case the appeal court focused on for its reasoning, there’s no dispute about the basic facts: between May and July 2017, hackers broke into Equifax’s data stores and got detailed information on about 20,000 Canadians, from social insurance numbers to credit card numbers and passwords. Equifax told the world about it that September, including letters to its customers sent in the following weeks.

Related Articles

Ottawa takes second shot at overhauling Canada’s consumer privacy laws

By Murad Hemmadi
Treasury Board President Jean-Yves Duclos, then the social development minister, speaking during Question Period in the House of Commons in June 2019.

Ottawa won’t say whether cabinet ministers’ offices have suffered privacy breaches

By Murad Hemmadi

The hack has been expensive. Most of the estimated 147 million victims were in the U.S., and Equifax reached a US$425-million settlement with the Federal Trade Commission over it.

In February 2020, the Federal Bureau of Investigation indicted four people it identified as hackers working for China’s military for “the largest known theft of personally identifiable information ever carried out by state-sponsored actors,” alleging they exploited a weakness in Equifax’s online system for resolving disputes.

The woman suing Equifax, Alina Owsianik, got one of the letters. Equifax didn’t just track her creditworthiness—she was a customer on a subscription plan for active credit monitoring and assistance if her identity were stolen, so she had a specific relationship with the company.

Owsianik can still sue Equifax on the grounds of negligence, breach of contract and failure to live up to Ontario’s consumer-protection standards, the Court of Appeal found, but not for a wrong the court calls “intrusion upon seclusion.”

The right against intrusion upon seclusion is part of the definition of privacy that courts have built in Ontario. There’s no provincial legislation laying it out; judges have built it up through rulings, starting in a 2012 decision over a Bank of Montreal employee’s snooping in her partner’s ex-wife’s accounts.

You can sue on other grounds, but people who failed to guard something are not in the same category as the people who stole it, the judges ruled.


If you violate someone’s right against intrusion upon seclusion in Ontario, you’ve committed a “tort,” a wrong for which you can be made to pay damages. In the 2012 case, snooper Winnie Tsige was ordered to pay her target $10,000. She hadn’t stolen anything quantifiable but she had still harmed her victim.

It “allows for a category of damages that aren’t available in negligence [cases],” Eric Charleston, a privacy-law specialist at the blue-chip law firm BLG, said in an interview. “With intrusion upon seclusion, all you would need to do is prove elements of the tort itself, and then the victim automatically gets an amount.”

If every victim is entitled to the same payment for a misdeed, it makes a class action much easier to pull together, he said.

But that idea doesn’t apply in any of these three cases, the Ontario Court of Appeal found. Third-party hackers broke into the computers and unless Equifax, TransUnion or Marriott was actively helping them, the companies aren’t in the same position as Tsige was, rummaging through her partner’s ex’s personal information.

If they were, Justice David Doherty wrote for a three-judge panel, the results would be absurd: “The security guard who fell asleep on the job, recklessly allowing an assailant to assault the person who the security guard was obliged to protect, would become liable for battery. The garage operator who negligently, and with reckless disregard to the risk of theft, left the keys in a vehicle entrusted to his care, would become a thief if an opportunistic stranger stole the car from the garage parking lot.”

We’re not buying it, the judges ruled. You can sue on other grounds in these cases, but people who failed to guard something are not in the same category as the people who stole it.

“The extension of the common law proposed in this submission would not be a small step along a well-established path, but would be a giant step in a very different direction,” the decision said.

“We do not yet know if we will be seeking leave to appeal to the Supreme Court of Canada,” Owsianik’s lawyer Jean-Marc Leclerc told The Logic in an email. “But there would seem to be a strong case for it. The [Supreme Court] considers cases having broad public interest, and every appeal court in Ontario that has touched the case has agreed there is broad public interest in the underlying issue of intrusion upon seclusion in hacker cases, which are occurring with greater frequency.”

Gift the full article

If the Ontario decision stands, it protects companies there against some substantial risks, Charleston said, if they’re following industry-standard cybersecurity hygiene and privacy laws. 

“If, despite that, a third-party hacker gets into your system and steals data, you likely will not be responsible for the tort of intrusion upon seclusion,” he said. “The third-party act will not be viewed as your behaviour. And if you’re doing everything you should be doing with respect to cybersecurity and privacy compliance, then you likely will have a pretty good defence to a charge of negligence.”

#cybersecurity #Equifax #Ontario #privacy #Trans Union

Loading...

Thanks for sharing!

You have shared 5 articles this month and reached the maximum amount of shares available.

Close
This account has reached its share limit.

If you would like to purchase a sharing license please contact The Logic support at [email protected].

Close
Want to share this article?

Upgrade to all-access now

Close
Gift the full article!

You have gifted 0 article(s) this month and have 5 remaining.

Copy link and gift
Copy Link
Email to a friend
Send Email
Gift on Social Media

Recipients will be able to read the full text of the article after submitting their email address. They will not have access to other articles or subscriber benefits.

Photo: AP Photo/Mike Stewart

Most Popular This Week

A shot of a placard on a table reading "Let Alberta Decide." There is a person out of focus in the foreground wearing a cowboy hat.
The Big Read

What Alberta’s corporate heavyweights really think about separation

By Meghan Potkins
Carney and Trump at a photo op in Sharm El-Sheikh, Egypt, against a white backdrop that features a peace-themed logo for the gathering. Carney is leaning toward a scowling Trump and pointing his index finger at the U.S. president.
News

The U.S. has chosen not to extend CUSMA. Here’s what happens next

By Joanna Smith
A person in glasses and a blue top is sitting and typing on a laptop in an office. A desktop screen next to the laptop displays some blurred-out coding work.
News

A niche white-collar role is becoming the AI industry’s hot new job

By Anita Balakrishnan
A logo that reads AI in blue lettering against a light yellow background.
News

What happened when a VC firm let AI do almost everything

By Catherine McIntyre

In-depth, agenda-setting reporting

Great journalism delivered straight to your inbox.

A shot of Mark Carney in a hardhat speaking to a German naval officer. They are standing in a small group on a scaffold deck, beside the open hatch of a submarine.
News

The $100B bet Canada is putting on European submarines

By David Reevely

Briefing

Brookfield-backed Csquare seeks to raise up to US$1.35B in its IPO

By Catherine McIntyre   |   Jul 6, 2026 | 3:23 PM ET

Alberta government uses Claude to check its code

By Murad Hemmadi   |   Jul 6, 2026 | 3:20 PM ET

Rogers to take full control of MLSE, buying Kilmer Sports’ stake for $4.35B

By Claire Brownell   |   Jul 6, 2026 | 1:39 PM ET

Best business newsletter in Canada

Get up to speed in minutes with insights and analysis on the most important stories of the day, every weekday.

Exclusive events

See the bigger picture with reporters and industry experts in subscriber-exclusive events.

Membership in The Logic Council

Membership provides access to our popular Slack channel, participation in subscriber surveys and invitations to exclusive events with our journalists and special guests.

Recent Popular Stories

The Big Read

What Alberta’s corporate heavyweights really think about separation

By Meghan Potkins   |   Jul 2, 2026
A shot of a placard on a table reading "Let Alberta Decide." There is a person out of focus in the foreground wearing a cowboy hat.
News

A niche white-collar role is becoming the AI industry’s hot new job

By Anita Balakrishnan   |   Jun 30, 2026
A person in glasses and a blue top is sitting and typing on a laptop in an office. A desktop screen next to the laptop displays some blurred-out coding work.
News

What happened when a VC firm let AI do almost everything

By Catherine McIntyre   |   Jun 29, 2026
A logo that reads AI in blue lettering against a light yellow background.
News

Carney’s new deal for B.C. paves way for West Coast pipeline

By David Reevely and Meghan Potkins   |   Jul 2, 2026
Workers position pipe during construction of the Trans Mountain pipeline expansion in Abbotsford, B.C., in May 2023.
Analysis

Canada’s ETF industry is almost a trillion-dollar business

By Chaimae Chouiekh   |   Jul 3, 2026
Despite a down year a sign board displays the TSX's upbeat close on the final day of the year, in Toronto's financial district on Monday, Dec. 31, 2018.
Analysis

It turns out Trump does need something from Canada—aluminum

By Joanna Smith   |   Jun 25, 2026
A close-up of a made-in-Canada stamp on the end of a cylindrical piece of raw aluminum.

Canada's most influential executives and policymakers are reading The Logic

  • CPP Investments
  • Sun Life Financial
  • C100
  • Amazon
  • Telus
  • Mastercard
  • bdc
  • Shopify
  • Rogers
  • RBC
  • General Motors
  • MaRS
  • Government of Canada
  • Uber
  • Loblaw Companies Limited
logic-logo

Canada's Business and Tech Newsroom

100% human-crafted journalism

Newsroom

  • News Tips
  • AI Policy
  • Editorial Disclosures
  • Story Pitches

Company

  • About Us
  • Terms of Service
  • Privacy Statement
  • Corporate Information

Contact

  • Contact Us
  • Advertise
  • FAQs
  • Work at The Logic

© 2026 The Logic Inc. All Rights Reserved.

Trusted by leaders

Error

Account creation failed.

Please email us at [email protected].

Create Account

[wppb-register form_name=”cozmo-registration-form-for-modal”]

I do have an account
Login
or

[wppb-login]

I don’t have an account