Cybercrime: Be Careful What You Click For


December 15, 2014

Author: Gregory Cohen

Cybercrime highlights the unique value of information and the need for a risk strategy to deal with online security and liability. In particular, data breaches and network outages can cause significant consequences for individuals, governments, organizations, and companies of all sizes.

Resulting costs include recovering lost or corrupted data, economic loss, copyright and patent infringement, business interruption, violation of privacy, reputation damage, and legal fees and fines.

For example, the Canada Revenue Agency encountered the “Heartbleed Bug” which compromised taxpayer information; a prominent electronics company lost over $150 million responding to a cyber attack exposing 77 million customer files; and software and social media companies faced similar attacks affecting over 40 million users. An estimated 40% of such attacks involve small to medium-sized businesses.

In Jones v. Tsige (2012), the Ontario Court of Appeal provided a judicial response to digital crime. A new tort – intrusion upon seclusion – exemplifies the importance of a risk strategy to protect privacy and digital assets and reduce exposure to liability. An employee had infiltrated a colleague’s personal financial records, and Justice Stinson held that invasion of privacy was not a recognized tort in Ontario; this prompted judicial lawmaking by the Court of Appeal.

An intrusion upon seclusion may be established where:

  • a defendant invades a plaintiff’s private affairs without lawful justification;
  • the defendant’s conduct is intentional or reckless; and
  • a reasonable person would regard the invasion as highly offensive, causing distress, humiliation, or anguish.

This case serves as a reminder of the vicarious liability employers face and the need for strict policies governing privacy and security.

A risk strategy (including an incident response plan) is an important component of a proactive approach to cybercrime and should focus on:

  • creating guidelines and policies to ensure best practices;
  • prioritizing prompt communication, investigation, and containment;
  • adhering to mandatory notification requirements (e.g., the Personal Health Information Protection Act and the Personal Information Protection and Electronic Documents Act);
  • protecting data, eradicating threats, and reducing exposure to liability; and
  • obtaining specialized insurance coverage where electronic data is excluded from general policies (e.g., in definitions of tangible property).

Cybercrime and related legal issues require attention and preparedness. Individuals, governments, and organizations of all sizes should address technological challenges pre-emptively, before they cause significant harm.

“Sink or swim, the internet is a vast cyberspace enabling instant connectivity with global markets, seemingly endless growth potential, and an innovative pulse driving rapid change…”


© Miller Thomson LLP. This publication may be reproduced and distributed in its entirety provided that no changes are made to its form or content. Any other form of reproduction or distribution requires the prior written consent of Miller Thomson LLP, which may be obtained by sending an email to