Skip to content

Our Ontario Lawyers

When success matters, there is no substitute for the advantage that comes from experience.

Search for a lawyer below:

Office:

Search Results

We're sorry, We cannot locate any lawyers with that criteria. Please search again.

Sort By:

Experience and Expertise:

How Can We Help? We’ll be happy to match you to the right qualified Lerners Lawyer.
Insights

Cyber Liability: Interpretation of “Data Exclusion” Clauses in an Insurer’s Duty to Defend

6 minute read
Also authored by: Jacqueline M. Palef

The recent decision in Laridae v Co-operators,[1] is one of the first cases to consider whether an insurer has a duty to defend in the context of a cyber incident and privacy breach despite the presence of “data exclusion” clauses in an insurance policy. The scope of such an exclusionary clause has not yet received much interpretation from the Ontario courts and it was for this reason, in part, that the duty to defend applications were granted in this case.

The case is also significant as it arises in the context of a claim on behalf of a cyber incident victim against the third party contractor who had responsibility for ensuring the security of a website, thus demonstrating that such claims are likely on the rise.[2]

Background

In this case, Laridae Communications Inc. (“Laridae”), was retained by Family and Children Services of Lanark, Leeds and Grenville (“FCS”), to review and refresh FCS’s website and advise on issues relating to the design and security of its website.[3] In 2016, an unauthorized party accessed documents from a secured section of FCS’s website. The unauthorized party downloaded a written report, allegedly containing personal information about 285 people who were subjects of FCS’s investigations, which was subsequently disseminated via the internet.[4]

A class proceeding was brought against FCS alleging breaches of privacy rights resulting from the publication of a defamatory and untrue report containing personal information.[5] The claim alleged that FCS’s failure to properly secure its website caused the personal information of the putative class members to be publically available.[6]

FCS commenced a third party claim against Laridae claiming that it breached its contractual obligations and was negligent in providing service. FCS sought contribution and indemnity from Laridae for damages. [7] Notably, FCS did not limit its claims in its Third-Party Claim against Laridae to contribution and indemnity in respect of the Class Proceeding claims. Instead, it also makes claims for general and special damages based on allegations that Laridae provided inaccurate advice, made negligent misrepresentations and breached contractual obligations by permitting unauthorized users to access private documents.[8]

The “Data Exclusion” Clause

Laridae was insured under two policies by Co-Operators: a Commercial General Liability policy and a Professional Liability/Errors & Omissions policy. FCS was an additional insured under the CGL policy and so FCS also claimed a duty to defend. [9] Co-operators denied it owed a duty to defend either party based on two “data exclusion” clauses contained in the two insurance policies.[10]

At issue before the court was whether the “data exclusion” clauses in the policies eliminated coverage. The clauses at issue excluded “any liability arising from the display or distribution of data on the Internet or any system or device intended for electronic communication.”[11]

The court noted that even where only some claims are covered under an insurance policy, the insurer has a duty to defend and pay all reasonable costs associated with the entire defence.[12] There was no dispute that coverage was provided by the policies for oral and written publication of materials that were defamatory or violate a person’s right to privacy.[13] The only issue for the court to decide was whether the “data exclusion” clauses negated such coverage and the duty to defend.

The insurer has the burden of proving that the claim falls within the “data exclusion” clauses.[14] The applicants argued that the interpretation of the “data exclusion” clauses should not be determined on a duty to defend application when these types of exclusionary clauses have not yet been judicially considered by the courts.[15] The court agreed, finding that “such a novel interpretive issue should be considered on a full record and not in these [duty to defend] Applications.”[16]

In finding a duty to defend existed in this case the court noted:

I agree that until the courts have had an opportunity to adjudicate the complex issues raised by these broadly worded data exclusion clauses, it would be improper for this court, having regard to present jurisprudence to uphold Co-operators’ denial of a duty to defend. Further, I can not find on these Applications that Co-operators has shown that there is no possibility of coverage.  I find that Co-Operators has not discharged its onus of establishing that the substance of the Claims clearly fall within the Data Exclusion Clauses and that there is no possibility of coverage under the Policies. Rather, in addition to the issue of the interpretation of the data exclusion clauses, it is apparent that there are claims and allegations in the Class Proceeding and the Third-Party Claim that would not be excluded by the Data Exclusion Clauses. As there is at least some possibility that the Claims are covered under the Policies, I find that Co-Operators owes a duty to defend Laridae and FCS.[17]

Conclusion

While the interpretation of a “data exclusion” clause is still novel, the types of privacy claims alleged in this case, i.e.: intrusion upon seclusion and breach of confidence, are not. Jurisprudence interpreting the scope of “data exclusion” clauses is likely to follow as the claims involving privacy breaches, data hacks, phishing scams and other cyber attacks continues to grow.


[1] Laridae v Co-Operators, 2020 ONSC 2198.

[2] Link to recent cyber subrogation article

[3] Ibid at para 9.

[4] Ibid at para 14.

[5] Ibid at para 15.

[6] Ibid.

[7] Ibid at paras 16 – 17.

[8] Ibid at para 18.

[9] Ibid at para 10.

[10] Ibid at para 2.

[11] Ibid at para 11.

[12] Ibid at para 26 and 30.

[13] Ibid at para 31.

[14] Ibid at para 32.

[15] Ibid.

[16] Ibid.

[17] Ibid at para 36.

LERNx Sidebar

Insights

Our lawyers are committed to making the law easier to access for all by publishing high-quality and industry-leading content.

Jennifer L. Hunter

We are here to help.

Do you have any questions about your unique scenario? Feel free to reach out directly by visiting my Lerners Profile View My Full Profile