A company learns its cybersecurity is vulnerable to hacking but fails to implement preventative measures. Hackers attack and access the private data of clients. Can these clients sue the company for the tort of privacy invasion (“intrusion upon seclusion”), or can the company escape liability because it has only allowed a third-party invasion?

The question turns on the definition of invasion. As held in the leading case of Jones v Tsige, the tort of intrusion upon seclusion consists of three elements: (1) intentional or reckless conduct; (2) that invades the defendant’s privacy; and (3) the invasion must reasonably be regarded as highly offensive, causing distress, humiliation or anguish. Does allowance of a third-party invasion meet the second requirement?

In deciding which of two actions should proceed as a class action in Ontario, the Court in Agnew-Americano v Equifax Canada expressed preliminary support for the possibility of liability for third-party invasions. The Court held claims that …