BACKGROUND
The recent decision in Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company, has provided useful guidance regarding an insurance provider’s duty to defend lawsuits arising from a cyber data breach in the context of a “data exclusion” clause in their policy. The decision is important because it is the first appellate level decision to interpret the “data exclusion” clause that has become increasingly common in commercial general liability policies and because the Court of Appeal has reaffirmed the analysis required on a duty to defend application and confirmed that even a “novel interpretation issue” can be decided on application.
In this case, Family and Children’s Services of Lanark, Leeds and Grenville (“FCS”) retained Laridae Communications Inc. (“Laridae”) to, among other things, update and secure the FCS website.[1] In April 2016, an unauthorized user accessed a secured portal of the FCS website and obtained a report containing the confidential information of 285 individuals. A hyperlink to the confidential information was subsequently posted on two public Facebook pages.[2]
A class proceeding was commenced against FCS alleging the report contained defamatory material and that FCS was negligent in securing its website. In turn, FCS brought a third party claim against Laridae for negligent performance and breach of contract.[3] FCS was an additional insured under Laridae’s commercial general liability (“CGL”) policy issued by Co-operators General Insurance Company (“Co-operators”) and both, therefore, claimed that Co-operators owed a duty to defend against the class proceeding and third party claim, which Co-operators denied on the basis that the insurance policies contained “data exclusion” clauses.[4] Laridae was also insured under a professional liability policy.
The CGL policy excluded claims “arising out of the distribution or display of ‘data’” on the internet or a “similar system designed or intended for the electronic communication of ‘data’”. The professional liability policy also excluded any claims that arise “directly or indirectly” from the distribution or display of data. Both policies defined ‘data’ as representations of information or concepts in any form.[5]
In May 2020, an application was brought pursuant to Rule 14.05(3)(d) of the Rules of Civil Procedure to interpret the policies.[6] The application judge made three findings which became the focus on appeal:
- the applicability of the data exclusion clauses was a “novel interpretation issue” and, accordingly, the duty to defend should only be denied on a full record, not on an application;
- the data exclusion clause did not exclude Co-operators’ duty to defend either the class action or the third party claim as it had not established that there was “no possibility” of coverage; and,
- neither FCS nor Laridae had any reporting obligations to Co-operators, in light of the conflict of interest between the two insured and the insurer.[7]
THE APPEAL
Co-operators appealed the decision on the grounds that the above conclusions reached by the application judge were wrong. Justice Thorburn, writing for the court, allowed the appeal and found that the existence of a duty to defend could be resolved by application, Co-operators had no duty to defend either the class action proceeding or the third party claim, and, even if such a duty did exist, Co-operators would not be deprived of its right to participate in the defence.
(i) Whether the duty to defend could be addressed by way of application
In the court below, it was held that because the clause at issue had not previously been subject to judicial interpretation, the determination of whether the claim was excluded, and therefore the duty-to-defend did not arise, had to be determined on a full record. On appeal, Co-operators argued that the duty-to-defend could properly be determined and the court agreed, noting that rule 14.05(3)(d)[8] provides that a proceeding may be brought by application where the relief claimed is the determination of rights that depend on the interpretation of a contract. Despite the fact that the interpretation of data exclusion clauses raised a “novel interpretive issue” the policy provisions themselves were found to be clear and unambiguous.[9] Given that all parties elected to proceed by application,[10] which involved the interpretation of policy provisions clearly set out in the records and the application of those provisions to the claims as pleaded, there were no material facts in issue which would require a trial.[11]
(ii) Whether Co-operators owed a duty to defend to FCS and Laridae
Co-operators argued that the data exclusion clauses preclude coverage for both the class action proceeding against FCS and the third party claim brought by FCS against Laridae. The Court of Appeal agreed, holding that Co-operators owed no duty to defend either FCS or Laridae because:
- the exclusion clauses were unambiguous;
- all claims asserted in these proceedings were covered by the clear language of the exclusion clauses; and
- denial of coverage would not nullify the policies.[12]
(a) Is the data exclusion clause ambiguous?
The policy provisions, on their face, were clear and unambiguous. Thorburn J.A. found that the CGL policy clearly excluded claims “arising out of the distribution or display of ‘data’” by means of the internet or similar system designed or intended for electronic communication of ‘data’ and that the professional liability policy was even more clear in its exclusion of any claims that arose “directly or indirectly” from the distribution or display of data.[13]
(b) Is there a possibility some claims are covered by the policy?
The court confirmed that an insurer has a duty to defend where, on the facts as pleaded, there is a possibility that a claim within the policy may succeed.[14] In this respect, FCS and Laridae argued that the hyperlink to the confidential information was not a ‘display’ of data within the meaning of the exclusion clauses as such an image simply enabled a user to obtain the information. Further steps were required by the user to fully obtain the information. Thorburn J.A. rejected this argument. Both a hyperlink and an image of a hyperlink were found to constitute “representations of information” within the meaning of the exclusions.[15] Notably, the use of a hyperlink to make the confidential information “readily available”, constituted a “system designed or intended for electronic communication of “data”” and, as such, the hyperlink was a display of data within the meaning of the exclusion.[16]
FCS and Laridae also argued that the claims sought recovery for both the online and the physical display of the report. It was FCS and Laridae’s position that, in the event that the online display of the report was not covered, Co-operators would owe a duty to defend if the physical display were. Thorburn J.A. disagreed. Both the claims, as pleaded, and the “substance and true nature of the claim” for damages arose from the wrongful appropriation of the confidential information and posting it on the internet, which would apply even if the claims included an allegation regarding the physical display of the report, which they did not.[17] Here, there was only one chain of causation as all injuries, in the class proceeding and third party claim, flowed from the first wrongful act. Accordingly, the Court of Appeal held that the data exclusion clause excluded coverage for the defence of the class proceeding and the third party claim and, on the facts as pleaded, there was no possibility that a claim within the policy could succeed.[18]
(c) Would denial of coverage result in nullification of coverage under the policy?
FCS and Laridae argued that, if the data exclusion clauses were to be interpreted to exclude coverage in this case, this would effectively nullify coverage under the policy as it would be inconsistent with the main purpose of the coverage and contrary to the reasonable expectations of the parties. The main purpose of the coverage was identified as to provide “compensatory damages for personal injury arising from the conduct of business except in accordance with specific exclusions.”[19] The court held that the data exclusion clause was entirely consistent with the main purpose of the coverage, which extended well beyond the terms of the data exclusion.[20] The court found that a reasonable policyholder would expect that the data exclusion clause would exclude the dissemination of a sensitive report over social media.[21] The Court of Appeal aptly stated:
“They [Co-operators] clearly articulate what is and is not covered. Non-bodily injury arising from the display or distribution of data on the internet is not covered by their terms. To hold the parties to this bargain is consistent with the provisions in the policy, it does not nullify the effect of the policies, and it accords with the reasonable expectations of the parties.”[22]
(iii) Removal of the Right to Participate in the Defence
Co-operators argued that, even if there was a duty to defend, they would have the right to participate in the insured parties’ defences. The Court of Appeal did not address in detail the issue of Co-operator’s right to participate in the defence given the conclusion that it did not owe a duty to defend. However, the parties agreed that if Co-operators did have a duty to defend, Co-operators should receive reports from counsel, have the ability to jointly instruct counsel, and that it would be appropriate to establish a joint protocol for the management of documents and the litigation, similar to that ordered by the court in Markham (City) v. AIG Insurance Company of Canada, 2020 ONCA 239, 445 D.L.R. (4th) 405, leave to appeal refused, [2020] S.C.C.A. No. 170.
Conclusion
The decision in this case should offer comfort to insurers who have been concerned about so-called “silent cyber”, i.e.: claims arising out of cyber incidents made under non-cyber policies. Where it was clearly the intent of the parties not to include coverage for third party losses resulting from a data breach, as evidenced by a data exclusion clause, the court should uphold that intention. For insureds who maintain digital personal information or personal health information of clients or customers, this case is an important reminder to ensure that the organization has explicit coverage for personal injury resulting from a cyber incident and/or privacy breach. If the organization is relying on a service provider or third party contractor to have insurance, and will be listed as an additional insured, it is important to ensure they have an appropriate cyber policy in place.
In addition, the decision reaffirms the analysis for determining whether an insurer has a duty to defend and confirms that such analysis can and should occur at the application stage, rather than on a full record further on in the litigation, even when the matter involves a “novel interpretation issue”.
____
[1] Family and Children’s Services of Lanark, Leeds and Grenville v. Co- operators General Insurance Company, 2021 ONCA 159 at para 13 [FCS]
[2] Ibid. at para 1, 17 and 18.
[3] Ibid. at para 3.
[4] Ibid. at para 28, 29.
[5] Ibid. at 68.
[6] Rule 14.05(3)(d) of the Rules of Civil Procedure, R.R.O. 1990, Reg. 194.
[7] FCS at para 6.
[8] Rule 14.05(3)(d) of the Rules of Civil Procedure, R.R.O. 1990, Reg. 194.
[9] FCS at para 51.
[10] Ibid. at para 45.
[11] Ibid. at para 48-51; see also, Fort William Band v. Canada (Attorney General), 76 O.R. (3d) 228 (S.C.), at paras. 5 and 28-31.
[12] Ibid. at para 103.
[13] Ibid. at para 68.
[14] Ibid. at para 58; see also, Nichols v. American Home Assurance Co., [1990] 1 S.C.R. 801, at p. 810.
[15] Ibid. at para 77.
[16] Ibid. at para 77-79.
[17] Ibid. at para 90.
[18] Ibid. at para 94.
[19] Ibid. at para 98.
[20] Ibid. at para 98.
[21] Ibid. at para 100.
[22] Ibid. at para 102.
