The Litigation Consequences of Cybersecurity Breaches – Part 2

March 14, 2023
Computer Screen System Hacked Warning Icon


Part I of the Litigation Consequences of Cybersecurity Breaches ((2022), 53 Adv. Q. 127) introduced this audience to cyber threats and new attack vectors that threaten Canadians and organizations’ cybersecurity. It explored Canada’s statutory framework and its responses to the problems and harms caused by cyberattacks or cyberbreaches.

There is no unitary statutory framework in Canada. Instead, there are several frameworks and regimes that attempt to address organizational cybersecurity obligations, as well as individual cybersecurity rights and protections. We reviewed these in Part I: Frameworks of General Application, such as PIPEDA or FIPPA, and sector-specific ones, such as the OSFI’s guidelines for FRFIs, or IIROC’s guidelines for dealer members.

Part I also looked forward hopefully to novel, robust cybersecurity legislation. But that hope remains distant relative to the cybersecurity protection Canadians expect from organizations.

As new threats or issues arise, courts continue in their efforts to expand the remedies and protections under those frameworks through thoughtful interpretation. However, these statutory frameworks are limited in the civil remedies they can offer for violations, and even more limited in the monetary redress they provide.

Enter the common law. In cybersecurity law’s nascent state, cyberbreaches in Canada (and elsewhere) are accreting around privacy. This accretion is befitting. Privacy law is itself in a nascent state. It is in emerging privacy torts that most, if not all, cyberbreaches seek their civil litigation footing, in addition to repurposed existing torts (e.g., negligence) or breach of contract. Given these nascent states, our vista is limited. Just as there is no perfect technology or perfect technological solution to cyberbreaches, civil litigation as yet offers no single or perfect solution to cybersecurity issues.1 Cyberbreach litigation is only beginning to take shape. Its Donoghue v Stevenson moment has yet to arrive. Part II of the Litigation Consequences to Cybersecurity Breaches will focus on (i) common law remedies, and (ii) some liability avoidance strategies.

This is a pre-copy edited, post-peer reviewed version of the Contribution accepted for publication in The Advocates’ Quarterly. Reproduced by permission of Thomson Reuters Canada Limited.