PRIVACY BREACHES raise majorreputational and legal liabilities for autodealers of all sizes.

Why? Auto dealerships collect a great deal of personally identifiable information, in some cases, even more than banks. By accumulating consumer credit applications, credit card numbers, Social Insurance numbers, and financing information – your business is a prime target for cybercrime.

The consequences for failing to take preventative measures range from reputational fallout and customer mistrust to governmental investigations, fines, breaches of dealership agreements with respective manufacturers, and civil liability.

Snooping Gets You Sued

Intrusion upon seclusion is the term used for cases where a person intentionally accesses another's private information or affairs. If the invasion is highly offensive to the reasonable person, a lawsuit is possible.

The key features of this cause of action are:

  1. the defendant's conduct must be intentional or reckless
  2. the defendant must have invaded the plaintiff's private affairs or concerns, without lawful justification
  3. a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish

If these requirements are met, a court may award damages.

Are Auto Dealers Liable for Consumer Information Stolen by Hackers?

Not right now, but potentially in the future.

The Court recently clarified this issue in the recent case of Owsianik v. Equifax Canada Co., 2021 ONSC 4112, where a security breach of the defendant's inadequately guarded computer systems led to the exposure of private information of millions of consumers located across North America.

Fortunately, the Court's majority decision held that intrusion upon seclusion does not apply where a person fails to prevent the intrusion of another. It was emphasized that the defendant must be the party to commit the intrusion. The court's view was that this category of intrusion is adequately controlled by the tort of negligence, and extending the law would be more than an incremental change in the common law and unnecessary at this time.

Conversely, the Court's dissenting opinion emphasized that privacy rights are fundamental rights that are facing unprecedented threats in the era of modern technology. Therefore, based on the dissenting view, development in this area of law could conceivably support future liability against businesses who are reckless or careless in the design, maintenance and operation of their computer systems, making the system vulnerable to a hacker's intrusion. From this perspective, the law may be extended over time in response to this growing threat.

Dissenting opinions are often a good indicator of where the law may head. It is quite possible that Canadian law will be developed in the coming years to further protect privacy rights by putting greater responsibility on businesses to safeguard information, even in the face of cyber-attacks.

Intrusion Upon Seclusion vs. Negligence

Although the two seem similar they differ in the sense that:

The tort of negligence does permit those affected by a privacy breach to sue information gatherers and custodians for cyber-attacks. However, plaintiffs in such actions will generally have to prove either quantifiable losses or a serious and prolonged disturbance in order to recover damages.

The tort of intrusion upon seclusion is yet to be extended to hackers, but permits claims for intangible damages (losses that cannot be measured precisely in money). Unlike in negligence, proof of harm to a recognized economic interest is not a required element of this cause of action.

Are Your Current Cyber Practices Sufficient?

As you are likely aware, many businesses in recent years that have been victims of cyber-attacks have also subsequently been defendants in related class actions.

If your dealership does not take appropriate steps to safeguard consumer privacy, you may be exposing yourself and your dealership to potential legal liability.

The following are some suggestions to develop and update your cybersecuritypreparedness strategy:

  • Security Awareness Training
  • Up-to-Date IT infrastructure
  • Cyber Insurance
  • Encrypted and Backed up Data
  • Seek legal advice before the data breach happens
  • Implement an Incident Response Plan

How Can You Benefit From Expert Advice?

Data protection and cybersecurity are governed by a complex legal and regulatory framework. Failure to comprehensively understand these frameworks and take active steps to reduce risks can have serious legal and financial consequences for any business.

Lawyers can provide advice in the following ways:

  • Advise businesses on reporting obligations, insurance considerations, potential class-action liability and managing investigations;
  • Negotiate and structure contracts with data controllers, processors, third party service providers;
  • Draft and negotiate comprehensive data sharing agreements;
  • Spot weaknesses that need to be rectified from a compliance perspective and make recommendations;
  • Assist with implementing policies, incident response planning, staff training; and,
  • Assist with all aspects of a cyber security lawsuit from settling on favourable terms, determining appropriate damages, and assessing available defences.

The Takeaway

No business is immune from the risks associated with collecting and storing highly-sensitive personal information of current and past customers. In response to this modern and growing threat, your businesses' cyberpreparedness will be key to avoiding financial, legal and reputational damage.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.