March 19, 2021 by David Gambrill
The Co-operators does not have a duty to defend a cyber liability case involving a “novel” policy exclusion for breached data being published over the internet, the Ontario Court for Appeal has ruled.
Reversing the previous decision of a lower court, the appeal court found that the insurer’s policy exclusion for data posted on the internet was clear and unambiguous, it did not negate other coverage contained in the policy, and it applied to all of the pleadings contained in the statement of claim.
“The [lower] court simply just didn’t feel comfortable deciding the [policy exclusion] issue on a duty-to-defend application,” Co-operators’ counsel Danielle Marks commented in an interview Thursday about the court’s ruling, issued Mar. 15, 2021. “From our perspective at The Co-operators, if that decision had been upheld, it would have set the groundwork that if insureds even alleged that the exclusion clause at issue essentially nullified the primary grant of coverage, then a full trial would always be required [to resolve an insurer’s duty to defend]. We felt strongly about appealing the decision.”
In Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company, someone hacked into a password-protected portal managed by Family and Children’s Services [FCS] of Lanark, Leeds and Grenville in April 2016.
The hacker took a confidential report containing details about the case files and investigations of 285 people and posted a hyperlink to the report on two Facebook pages. A $75-million class action was brought against FCS, alleging that the leaked document contained defamatory material and that FCS was negligent in securing its website. FCS in turn sued Laridae Communications Inc., a third-party service provider, for negligence and breach of contract. None of these allegations have been proven in court.
The Co-operators insured both FCS and Laridae. The Co-operators denied it had a duty to defend either party on the basis of a data exclusion contained in both the FCS’s commercial general liability (CGL) policy and in a professional liability policy.
The data exclusion at issue in the professional liability policy states: “There shall be no coverage under this policy in connection with any claim…arising directly or indirectly from the distribution or display of data by means of an internet website…designed or intended for electronic communication of ‘data.’”
An applications judge initially held that the insurer had a duty to defend the data breach case because there was an absence of case law to help interpret the meaning of the “novel” policy exclusion for data published on the internet. For that reason, the applications judge felt the analysis of whether the policy exclusion applied should take place at a full trial and not merely on a duty-to-defend application.
The Court of Appeal reversed that decision, saying the applications judge had enough information and knowledge of the law to make the decision on the duty-to-defend motion. Essentially, the appeal court found the motions judge had skipped a staged analysis that should always happen when deciding whether an insurer has a duty to defend.
That staged analysis includes answering the following questions:
“This application involved the interpretation of the policy provisions and the application of those provisions to the claims as pleaded to see if there is a possibility that some of the claims may be covered by the policy,” Ontario Court of Appeal Justice Julie Thorburn wrote in her decision. “The agreements, describing the services that Laridae was to provide FCS, were in the record before the application judge, as were the CGL policy and the professional liability policy. There were no material facts requiring a trial…
“The policy provisions are clear and unambiguous and the application judge is presumed to know the law — even if the law is, in her view, unclear or unsettled. She could and should have, addressed both (i) the scope and effect of the data exclusion clauses in the policy, and (ii) FCS and Laridae’s argument that giving effect to the exclusion clauses would nullify coverage under the policies. She erred in failing to do so and I will therefore conduct the analysis.”
For the Co-operators, the appeal court’s decision restores the staged analysis that typically happens during the duty-to-defend application. Had such an analysis been deferred to trial, insurers would effectively be saddled with a duty to defend every time a policy exclusion was considered to be “novel” or unique, as Co-operators’ counsel Bob Dowhan explained to Canadian Underwriter in an interview.
“You are supposed to look at the pleadings [outlined in the statement of claim], you are supposed to look at the policy,” Dowhan said. “You determine whether or not, if those pleadings were to come into fruition, they would create a duty to indemnify. That drives your duty to defend.
“We thought [deferring that analysis until a trial is held] was the most glaring part of the [lower court] decision that was wrong. It created an impossible standard: Every claim would result in a duty to defend if it ultimately needed to be tested at trial.”
For Marks, the appeal court decision contains some hints for underwriters when it comes to crafting clear and unambiguous policy wording.
“The [data exclusion policy] language, from our perspective, and in the Court of Appeal’s interpretation, was absolutely clear on its face,” Marks said.
“Part of the clarity…comes from the mirroring [of language] in the primary grant of coverage and the exclusion for data. The language in the exclusion mirrored the language in the primary grant of coverage, which makes it as clear as possible. There can be no confusion when the language in the exclusion clause mirrors the language in the primary grant of coverage. ‘This is what we are granting, and here is what we are excluding,’ using very similar language.”
Feature image courtesy of iStock.ca/Zolnierek
Other image courtesy of iStock.ca/andresr