SUBJECT OF A CYBER ATTACK? THE ONTARIO COURT OF APPEAL JUST CLARIFIED THE SCOPE OF A FIRM’S LIABILITY….
On November 25, 2022, the Ontario Court of Appeal released a series of decisions on Class Actions (including Owsianik v. Equifax Canada Co.) that clarified that “intrusion upon seclusion” claims cannot be certified against the defendant companies that had been hacked.
This means that if your firm failed to protect a client’s personal information from intrusion but did not actually intrude on the private affairs of the client, your firm’s liability is limited. An inability to identify the hacker(s) does not justify extending to firms the penalties due to the hackers. See Liability for cyber attacks clarified by Ontario Court of Appeal | Insights | Torys LLP:
“While the Court refused to impose vicarious liability on the defendants for the actions of third-party hackers in these cases, the Court did not go so far as to refuse the possibility of vicarious liability in other circumstances. We expect the boundaries of vicarious liability in other cyber contexts, especially breaches involving malicious employee conduct, to continue to be contested.”
As such, and as always, IIAC Member firms are encouraged to stay vigilant.