The recent hack of the Ashley Madison website and the subsequent release of personal information is already the subject of multiple class actions. The risks associated with information technology are not new. Any company which holds personal information or relies on a computer network is potentially susceptible to cyber-liability through hacks, network interruptions, programming errors, data theft, and other cyber-risks. However, the exposure from a privacy law class action is relatively novel and companies should take care to examine their insurance policies and ensure there is no gap in coverage.
In Ontario, class actions like those based on the Ashley Madison hack arise out of the new and evolving area of privacy law. Invasion of privacy was first recognised as a distinct cause of action by the Ontario Court of Appeal in Jones v. Tsige, 2012 ONCA 32.
In Jones v. Tsige, the privacy tort in issue was intrusion upon seclusion. Importantly, the nature of this tort presents a potential insurance issue as the cause of action is complete without proof of harm to a recognized economic interest.[1] The three key features of intrusion upon seclusion are:
- the conduct must be intentional, which includes recklessness;
- the defendant invaded the private affairs or concerns of an individual without lawful justification; and
- a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish.[2]
The tort of intrusion upon seclusion is meant to arise only in cases of deliberate and significant invasions of personal privacy. Personal subject matter can include financial or health records, sexual practices and orientation, employment, diary or private correspondence – generally, information whose invasion, viewed on the reasonable person standard, would be highly offensive.[3]
Although grounded in negligence, it bears repeating that in this tort, damages can be awarded where no loss has been sustained. While these damages are limited to a relatively modest range on an individual basis,[4] a class action ups the ante and magnifies the exposure.
To date, privacy law class actions have encompassed the taking of customers' personal information by an employee and provision to a third party for fraudulent and improper purposes,[5] the loss of an external hard drive that contained personal information,[6] and the incidental disclosure of a person's involvement in a medical program by identification of that program on the outside of an envelope,[7] to name but a few. None of these privacy law class actions have been determined on their merits and so it is as yet unknown to what standard corporations will be held. Nonetheless, there are enough privacy class actions to identify a clearly growing trend.
Looking forward, managing cyber-risk will involve not only loss prevention strategies but also, when the inevitable breach or exposure occurs, loss transfer strategies. Many insurers are now writing and offering cyber-risk assessment and cyber-risk coverage as stand-alone products and/or as part of pre-existing risks policies and covers. Corporations would be well advised to check their own policies for cyber-risk coverage and, in particular, for coverage for the new and evolving privacy torts.
When discussing cyber-risk insurance with their brokers, corporations should ensure that they understand the current data protection regulation in their relevant jurisdictions, that they have examined and understand the strengths and weaknesses of their information technology systems, and that they have adequate policies and procedures in place to guard against potential breaches, as well as cyber-risk coverage. Managing cyber-risk exposure should be top of mind and will probably involve professional advice across a wide range of areas, including information technology, human resources, legal, and insurance.
[1] Jones v. Tsige, 2012 ONCA 32 at para. 71
[2] supra at para. 71
[3] supra at para. 72
[4] supra at para. 87
[5] Evans v. Bank of Nova Scotia, 2014 ONSC 2135
[6] Condon v. Canada, 2014 FC 250; allowing additional claims 2015 FCA 159
[7] Doe v. Her Majesty the Queen, 2015 FC 916