What is a tort and how does it shape civil liability in Ontario?

Ontario Security Testing: A Legal Lens on a Technical World

Let’s talk about a concept that sits at the crossroads of law and security work: the tort. You’re probably here because you want to understand not just how systems fail, but what happens when those failures cause real harm. In Ontario, as in the rest of Canada, torts shape how people and businesses seek compensation after injuries or losses. And for anyone involved in evaluating and improving security, grasping this idea can change how you approach risk, reporting, and even how you communicate with clients.

A quick question that often pops up, because it helps keep the ideas straight: What is a tort?

A. Bad evidence in a criminal proceeding

B. Non-contractual civil wrong

C. Hair and fiber evidence

D. None of the above

The right pick is B. A tort is a non-contractual civil wrong. That means it’s a harm—usually something like injury to a person or damage to property—that isn’t tied to a breach of a contract. The injured party can seek compensation through civil courts. Simple enough in theory, but its implications ripple through how we think about security after the fact.

Let me explain the core idea in plain terms. Tort law focuses on how people behave and the consequences of those actions. It isn’t about whether there was a contract, though contracts can come into play in parallel. If someone’s careless actions cause harm, the harmed person may have a claim for damages. The goal isn’t to punish on principle alone; it’s to restore the injured party to the position they were in before the harm, as much as possible.

Contrast that with the other choices in that question, and the distinction becomes clearer. Bad evidence in a criminal case relates to how evidence is admitted or excluded in criminal prosecutions. Hair and fiber evidence is a forensic topic tied to investigations. And “none of the above” isn’t correct here because we do have a precise definition that fits. So, in Ontario, a tort sits squarely in civil law and centers on compensating harm caused by wrongful actions.

Why should a security tester care about torts? Because the work you do doesn’t exist in a vacuum. Your assessments and recommendations can, if not handled carefully, contribute to real-world harm—think data leaks, physical injuries, or financial losses. Here are a few practical takeaways you’ll want to keep in mind on the job.

• Duty of care matters. In tort law, there’s a concept called a duty of care. It’s basically a responsibility to act reasonably to avoid causing harm to others. In a security context, this translates to designing systems and processes that reduce risk to users and clients. Do you owe your client and their customers a reasonable level of protection? Yes, you do.

• Breach is the core. If you fail to meet that reasonable standard, you can be said to have breached your duty. In practice, that could mean failing to patch a known vulnerability, neglecting to test an exposure, or overlooking weak access controls. Breach isn’t just about intentions; it’s about outcomes—did the risk materialize in a harmful way?

• Causation and damages. Even if there’s a breach, you still need to connect the harm to that breach. In other words, did the security failure cause the injury or loss, and what is the financial or practical impact? Damages aren’t always monetary; they can be reputational, operational, or even personal. The chain from fault to harm matters.

• Negligence isn’t the only flavor. You’ll hear about negligence, but intentional torts and strict liability exist too. For most tech and security work, negligence is the most common thread—but don’t forget other possibilities in certain scenarios, like intentional misuse or scenarios where the law imposes liability regardless of fault.

Let’s ground this with concrete, everyday examples you might encounter in Ontario.

• A data breach caused by sloppy configuration management. If a company leaves a database exposed and a customer’s information is stolen, the company could face a tort claim for negligence if the exposure was preventable by reasonable steps.

• A data center with insufficient physical security leading to theft or injury. Poor locking, lack of monitoring, or ignored maintenance could be seen as a breach of duty of care toward anyone who enters the site.

• A security vendor who misses a critical patch and a client sustains harm as a result. The vendor’s duty to act reasonably can be called into question, especially if they knew about the risk and did not remediate in a timely fashion.

• A service interruption that disrupts hospital operations. If the interruption was due to avoidable misconfigurations or insufficient redundancy, it could raise tort-like questions about fault and damages.

In Ontario, the legal backdrop blends tort concepts with statutes and regulatory obligations. Privacy laws, health-and-safety requirements, and industry-specific rules all interact with civil claims. You don’t have to be a lawyer to recognize this intersection: good security practice reduces legal risk just as it reduces technical risk.

How does this help you as a security-focused professional? Here are some practical angles to bring into your day-to-day work.

• Communicate risk with a legal frame. When you document risks and remediation steps, describe the potential harms and who could be affected. Frame your findings in terms of potential damages and the likelihood of harm. It makes your reports clearer to clients and to stakeholders who think in terms of risk, liability, and responsibility.

• Prioritize fixes that close the most dangerous gaps. If a vulnerability could lead to a data breach that would cause material damages, that’s a high-priority item. The tort lens helps you justify why certain fixes matter beyond mere uptime or speed.

• Build a culture of accountability. Awareness that negligent security can have civil consequences nudges teams toward better governance. It’s not about blame; it’s about understanding cause-and-effect and making responsible choices.

• Document due care. Keep records of the steps you took to address risk, including tests performed, configurations reviewed, and patches applied. That kind of documentation matters if questions about fault ever arise.

If you want a quick mental model to keep in mind, think of torts as a framework for asking: Did someone owe a duty to do or not do something? Did they fall short? Did that shortfall cause harm? And what is the scale of that harm? Answering these questions helps you see where security controls fit into the bigger picture of responsibility.

A practical way to internalize these ideas is to connect them to real-world tools and resources you already use.

• CanLII (Canadian Legal Information Institute) is a straightforward place to check how Ontario courts have interpreted tort concepts in various contexts. It’s not about copying case law into reports, but it’s helpful for understanding the legal contours as you plan and assess security controls.

• Privacy and data protection resources from the Office of the Information and Privacy Commissioner of Ontario can illuminate how privacy duties intersect with civil liability. You’ll see why certain data-handling practices matter beyond policy language.

• Occupational health and safety guidelines remind us that physical security isn’t optional. If a security gap creates a risk at a site, there can be a direct line to civil liability—and in some cases, regulatory fines.

Let me offer one more thought to keep this grounded. Security work often feels technical, almost like you’re solving a puzzle with code and networks. Yet people bear the impact of those technical decisions—patients in hospitals, customers in a store, or employees in an office building. The tort perspective is a reminder that choices have consequences beyond the blink of a dashboard alert. When you design, test, and report, you’re not just fixing a bug. You’re shaping a safer environment that respects people’s rights and livelihoods.

A small, practical takeaway you can apply this week: adopt a simple risk-triage habit. For every finding you generate, ask yourself three questions:

• What harm could this cause if exploited or ignored?

• Who would be affected, and how severely?

• What’s the cheapest, most robust step to reduce that risk?

If the answer points to a substantial potential harm and a clear path to remediation, that item deserves priority. Not because a legal claim is looming, but because lowering risk is the right thing to do for people who rely on your systems.

A quick aside for the curious: the multiple-choice example we started with is a tidy reminder that not all security-relevant questions live in the same universe. Some are about policy and liability, some about technology, and some about how people actually behave. The tort concept sits neatly at the crossroads. It reminds you to look beyond the immediate symptom—whether a system is up or down—and to consider the ripple effects of your decisions on real lives.

To wrap it up, here’s the takeaway you can carry forward: knowing what a tort is helps you think more clearly about responsibility and risk in security work. It helps you write better recommendations, justify fixes with more than just “it’s faster” or “it’s cheaper,” and communicate with the people who rely on your assessments. In Ontario, where law and technology increasingly intersect, that clarity is priceless.

If you’re ever unsure how a particular scenario maps to tort concepts, you’re not alone. Start from the core idea—non-contractual civil wrong—and then layer in duty of care, breach, causation, and damages. You’ll find that many risk conversations align nicely with this framework, even when the specifics look very different from one situation to the next.

In short: the next time you’re outlining a security finding, picture the potential harm and the path from fault to remedy. It’s a simple mindset, but it makes your work more accountable, more credible, and more human. That balance—technical precision with clear, responsible thinking—is what helps you stand out in Ontario’s security landscape. And that’s a good thing, because people’s safety and trust depend on it.