The recent decision in Laridae v Co-operators,[1] is one of the first cases to consider whether an insurer has a duty to defend in the context of a cyber incident and privacy breach despite the presence of “data exclusion” clauses in an insurance policy. The scope of such an exclusionary clause has not yet received much interpretation from the Ontario courts and it was for this reason, in part, that the duty to defend applications were granted in this case.
The case is also significant as it arises in the context of a claim on behalf of a cyber incident victim against the third party contractor who had responsibility for ensuring the security of a website, thus demonstrating that such claims are likely on the rise.[2]
Background
In this case, Laridae Communications Inc. (“Laridae”), was retained by Family and Children Services of Lanark, Leeds and Grenville (“FCS”), to review and refresh FCS’s website and advise on issues relating to the design and security of its website.[3] In 2016, an unauthorized party accessed documents from a secured section of FCS’s website. The unauthorized party downloaded a written report, allegedly containing personal information about 285 people who were subjects of FCS’s investigations, which was subsequently disseminated via the internet.[4]
A class proceeding was brought against FCS alleging breaches of privacy rights resulting from the publication of a defamatory and untrue report containing personal information.[5] The claim alleged that FCS’s failure to properly secure its website caused the personal information of the putative class members to be publically available.[6]
FCS commenced a third party claim against Laridae claiming that it breached its contractual obligations and was negligent in providing service. FCS sought contribution and indemnity from Laridae for damages. [7] Notably, FCS did not limit its claims in its Third-Party Claim against Laridae to contribution and indemnity in respect of the Class Proceeding claims. Instead, it also makes claims for general and special damages based on allegations that Laridae provided inaccurate advice, made negligent misrepresentations and breached contractual obligations by permitting unauthorized users to access private documents.[8]
The “Data Exclusion” Clause
Laridae was insured under two policies by Co-Operators: a Commercial General Liability policy and a Professional Liability/Errors & Omissions policy. FCS was an additional insured under the CGL policy and so FCS also claimed a duty to defend. [9] Co-operators denied it owed a duty to defend either party based on two “data exclusion” clauses contained in the two insurance policies.[10]
At issue before the court was whether the “data exclusion” clauses in the policies eliminated coverage. The clauses at issue excluded “any liability arising from the display or distribution of data on the Internet or any system or device intended for electronic communication.”[11]
The court noted that even where only some claims are covered under an insurance policy, the insurer has a duty to defend and pay all reasonable costs associated with the entire defence.[12] There was no dispute that coverage was provided by the policies for oral and written publication of materials that were defamatory or violate a person’s right to privacy.[13] The only issue for the court to decide was whether the “data exclusion” clauses negated such coverage and the duty to defend.
The insurer has the burden of proving that the claim falls within the “data exclusion” clauses.[14] The applicants argued that the interpretation of the “data exclusion” clauses should not be determined on a duty to defend application when these types of exclusionary clauses have not yet been judicially considered by the courts.[15] The court agreed, finding that “such a novel interpretive issue should be considered on a full record and not in these [duty to defend] Applications.”[16]
In finding a duty to defend existed in this case the court noted:
I agree that until the courts have had an opportunity to adjudicate the complex issues raised by these broadly worded data exclusion clauses, it would be improper for this court, having regard to present jurisprudence to uphold Co-operators’ denial of a duty to defend. Further, I can not find on these Applications that Co-operators has shown that there is no possibility of coverage. I find that Co-Operators has not discharged its onus of establishing that the substance of the Claims clearly fall within the Data Exclusion Clauses and that there is no possibility of coverage under the Policies. Rather, in addition to the issue of the interpretation of the data exclusion clauses, it is apparent that there are claims and allegations in the Class Proceeding and the Third-Party Claim that would not be excluded by the Data Exclusion Clauses. As there is at least some possibility that the Claims are covered under the Policies, I find that Co-Operators owes a duty to defend Laridae and FCS.[17]
Conclusion
While the interpretation of a “data exclusion” clause is still novel, the types of privacy claims alleged in this case, i.e.: intrusion upon seclusion and breach of confidence, are not. Jurisprudence interpreting the scope of “data exclusion” clauses is likely to follow as the claims involving privacy breaches, data hacks, phishing scams and other cyber attacks continues to grow.
[1] Laridae v Co-Operators, 2020 ONSC 2198.
[2] Link to recent cyber subrogation article
[3] Ibid at para 9.
[4] Ibid at para 14.
[5] Ibid at para 15.
[6] Ibid.
[7] Ibid at paras 16 – 17.
[8] Ibid at para 18.
[9] Ibid at para 10.
[10] Ibid at para 2.
[11] Ibid at para 11.
[12] Ibid at para 26 and 30.
[13] Ibid at para 31.
[14] Ibid at para 32.
[15] Ibid.
[16] Ibid.
[17] Ibid at para 36.