How the lack of cyber caselaw worked against an insurer in a $75-million data breach lawsuit

The lack of cyber case law worked against an insurer in the Ontario Superior Court of Justice recently, with the court deciding that The Co-operators has a duty to defend two parties named in a $75-million cyber breach class action lawsuit.

The Co-operators had denied a duty to defend on the basis of data exclusions written into two of its commercial insurance policies. But the absence of case law around the “broadly-worded” data exclusions meant the court did not feel comfortable deciding the issue in a “duty to defend” action.

“I agree that until the courts have had an opportunity to adjudicate the complex issues raised by these broadly worded data exclusion clauses, it would be improper for this court, having regard to present jurisprudence to uphold Co-operators’ denial of a duty to defend,” Ontario Superior Court Justice Andra Pollak wrote for the court in Laridae v. Co-operators, released in May.

Laridae is a communications consulting firm that advised Family and Children Services of Lanark, Leeds and Grenville (FCS) about issues relating to the design and security of the FCS’s website.

In 2016, an unauthorized party accessed documents from a secured section of FCS’s website in which documents for authorized users and accessible only with passwords were uploaded. After this happened, Laridae advised FCS that it had implemented additional security features for the secured section of the website and advised FCS to do nothing to remove any of those confidential documents, according to Pollak’s decision.

However, the unauthorized user accessed the documents again and downloaded a file containing a written report that was posted on various internet sites and accessible to the public. The report allegedly contained personal information about 285 persons who had been subjects of FCS’s investigations between April and November 2015.

A class proceeding was brought against FCS seeking general, special and punitive damages for $75 million. The representative plaintiff alleges breaches of privacy rights as a result of the alleged publication of a defamatory and untrue report containing personal information.

The allegations in the class action lawsuit have not proven in court. The plaintiffs in the class proceeding contend that FCS’s failure to properly secure its website caused the personal information of the class members to be available to the public.

In a third-party claim, FCS alleges that Laridae breached its contractual obligations and was negligent in providing services to it under their Communications Services Contract. Laridae and FCS both claimed that Co-operators had a duty to defend them in the class action proceedings, based on two commercial policies they had with Co-operators. But the insurer denied duty to defend based on data exclusions it had written into each policy.

Co-operators issued a Commercial General Liability (CGL) policy to Laridae as the primary insured and to FCS as an additional insured. FCS is an additional insured on Laridae’s CGL Policy.

Under the CGL Policy, Co-Operators agreed to provide coverage to Laridae for sums that it becomes legally obligated to pay as compensatory damages because of “personal injury,” and to defend Laridae in any proceeding seeking such compensatory damages. The term “personal injury” under the CGL policy means injury other than “bodily injury,” and includes offences such as:

• Oral or written publication of material that libels or slanders a person or organization or disparages a person’s or organization’s goods, products or services;
• Oral or written publication of material that violates a person’s right to privacy.

Under the errors and omissions policy, Co-Operators provides coverage for compensatory damages resulting from liability claims for any error, omission or negligent act in the course of providing “professional services.”

There are data exclusions written into both policies.

In the CGL policy, the data exclusion is as follows:

Data Exclusion

There shall be no coverage under this policy in connection with any claim based on, attributable to or arising directly, or indirectly from the distribution or display of “data” by means of an Internet Website, the Internet, an Intranet, Extranet, or similar device or system designed or intended for electronic communication of “data.”

In the E&O policy, the data exclusion reads:

Data

1. 1. Liability for:
   2. erasure, disruption, corruption, misappropriation, misinterpretation of “data;”
   3. erroneously creating, amending, entering, deleting or using “data;”

Including any loss of use therefrom;

1. 1. “Personal injury” arising out of the distribution or display of “data” by means of an Internet Website, the Internet, an intranet, extranet, or similar device or system designed or intended for electronic communication of “data.”

In assessing whether the data exclusions applied to the duty to defend, the Ontario Superior Court found in favour of the insureds. Laridae and FCS, the court noted, “rely on the argument that the courts will not enforce exclusion clauses which have the effect of nullifying the insurance which the insurer undertook to provide. They submit that Co-operators should not provide general coverage but rely on broadly worded exclusions which would have the effect of eliminating the coverage which it contracted to provide.

“It is submitted that this is an important issue on these applications and that a court should not determine this issue in a “duty to defend” application, where such data exclusion clauses have not yet been judicially considered by our courts. I agree that such a novel interpretive issue should be considered on a full record and not in these [duty to defend] applications.”

The court’s ruling means Co-operators does have a duty to defend the insureds at trial.

Feature image by iStock/wildpixel

Other images by iStock/maginima and iStock/eternalcreative