As privacy and cybersecurity concerns grow in significance, digital breaches are a growing area of legal risk. A recent decision of the Ontario Court of Appeal made clear that traditional insurance policies may not extend coverage for cyber matters, potentially leaving businesses vulnerable.
On March 15, 2021, the Court released its decision in Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company, finding that data exclusion clauses within insurance policies cleared Co-operators General Insurance Company (Co-operators) from having to defend the insureds from claims arising due to a cyber breach.
Data Breach Leads to $75M Class Action
In August 2015, Family and Children’s Services of Lanark, Leeds and Grenville (FCS) contracted Laridae Communications Inc. (Laridae) to perform communications and marketing services and to update the FCS website. The contract required Laridae to obtain general liability insurance coverage naming FCS as an additional insured. In April 2016, FCS was hacked and suffered a data breach. Following the breach, a confidential report containing details about case files and investigations was shared on Facebook pages.
Subsequently, a $75 million class-action suit was commenced against FCS alleging the breach and leaked report contained defamatory material and that FCS was negligent in securing its website. Both FCS and Laridae were insured by Co-operators and claimed they were owed a duty to defend against the class proceeding. Co-operators denied coverage to both parties on the basis of exclusion clauses within the insurance policies that excluded claims arising from the distribution or display of data by means of an internet website.
Parties Disagree on Extent of Exclusion Clause
FCS and Laridae brought an application to interpret the exlcusion clause with respect to Co-operators’ duty to defend the class action. The applications judge held that the clause did not exclude the duty to defend in the matter at hand. Co-operators appealed the decision, arguing the clause did preclude them from a duty to defend in this matter.
On appeal, the Court found the matter could be dealt with through an application as it involved the interpretation of an insurance policy and was a matter of contractual interpretation with no material facts justifying a trial. The central issue was whether Co-operators owed a duty to defend FCS and Laridae, with the Court finding that all of the claims were covered by clearly-worded exclusions.
Interpreting Insurance Exclusion Clauses
In assessing the scope of the duty to defend, the Court of Appeal began with a review of the principles underlying the interpretation of insurance policies. To begin, the language of the policy is construed by the usual rules of contract interpretation and not by inferring expectations. The Court noted that this is especially true in the case of sophisticated commercial parties and that the insurer must explicitly state where coverage is limited.
The first step in the coverage analysis is to determine whether the policy is ambiguous. In this case, the insurance policies clearly excluded claims arising from the display or distribution of data. The provision was unambiguous, so there was no need to consider the reasonable expectations of the parties.
The second step involves the application of the provisions to determine if some of the claims may be covered by the policy. This requires ascertaining the true substance of the claims pleaded.
FCS and Laridae argued some of the claims extended beyond the exclusion on the basis that sharing a link to the report was not a display of data, and that the damages sought included physical not just electronic distribution of personal information. The Court disagreed, concluding that both a hyperlink and an image of a hyperlink were representations of the source of the electronic file and fell within the policy exclusions.
Likewise, there was no claim that there was a physical display of confidential information; all of the alleged injuries resulted from the distribution of the report over the internet. Even if the class proceeding alleged that physical copies were taken, the true nature of the claim was still the wrongful appropriation of information and making it available on the internet.
The Court also considered the argument by FCS and Laridae that the application of the exclusion clause would nullify coverage under the policy. Instead, the Court found that the exclusion was consistent with the purpose of the coverage to provide compensation for injury except in accordance with specific exclusions. The insurance policies did not insure against all risks and clearly set out the boundaries of what was covered. Giving effect to the exclusion clause would not nullify all coverage under the policy.
Traditional Insurance Policies May Not Protect Against Cyber Risks
The decision demonstrates the importance of contract interpretation within an insurance coverage dispute and serves as a reminder of the value of clear and unambiguous language to aid parties in policy interpretation.
The decision also carries precedential value due to the cyber and data context. Significantly, the Court of Appeal interpreted the data exclusion broadly, potentially impacting a large swath of claims related to digital data. The decision makes it critical for organizations to assess their insurance policies coverage of potential cyber threats, particularly considering the increase in remote business operations due to the pandemic. Organizations may need to consider obtaining separate policies to guard against potential cyber risks.
The Toronto lawyers at Milosevic Fiske LLP are skilled commercial litigators who regularly represent clients in insurance litigation matters and complex commercial claims. Our team has extensive experience advocating for our client’s rights. Call us at 416-916-1387 or contact us online to schedule a consultation.