Insuring your business may be costly, but gaps in your insurance may cost you more. A recent decision from the Ontario Court of Appeal could prevent you from making claims against your insurance policy if you happen to suffer a cyber security breach.
In Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company,¹ the Court of Appeal found that data exclusion clauses in the two policies at issue operated to absolve Co-operators General Insurance Company (“Co-operators”) of a duty to defend the insureds against claims arising out of a data breach.
At first instance, the Superior Court application judge found that despite the “data” exclusion clauses in their respective policies, Co-operators owed a duty to defend both Family and Children’s Services of Lanark, Leeds and Grenville (“FCS”) and Laridae Communications Inc. (“Laridae”) in respect of claims against them.
Background
In 2015, FCS contracted Laridae to, among other things, review and update the FCS website to ensure FCS maintained compliance with applicable legislative requirements. The agreement required Laridae to obtain commercial general liability insurance that would name FCS as an additional insured under the policy.
In July 2016, an action was commenced against FCS under the Class Proceedings Act, 1992,² over a data breach which resulted in confidential information of clients of FCS being made public. The disclosed information was supposed to be stored in a secure portal, accessible only by FCS’s board of directors. The data was shared on multiple public Facebook forums and on YouTube. FCS brought a third-party claim against Laridae alleging negligence and breach of contract.
Both FCS and Laridae were insureds under the commercial general liability policy, and Laridae was additionally insured under a professional liability policy.
You’re on your own: No duty to defend
In determining that Co-operators did not owe a duty to defend either FCS or Laridae, the Court of Appeal held:
- The data exclusion clauses clearly and unambiguously excluded any claims arising “directly or indirectly” from the distribution or display of data. The application judge wrongly and unnecessarily applied the general rules of contract construction.
- Both claims – the class action, and the third-party claim – fit squarely within the ambit of the data exclusion clauses, as the claims resulted from the display and distribution of data.
- Coverage under the policies – both the general liability policy and the professional liability policy – would not be nullified if the exclusions applied to deny coverage in this case, as both policies provided meaningful coverage for a range of services beyond the terms of the data exclusions.
Takeaway: Protect your business
The Court of Appeal’s broad interpretation of “data” exclusions in traditional insurance policies is a warning to all to review your policies to ensure you have the right coverage. If your company doesn’t have a standalone cyber insurance policy, now is the time to start looking.
Siskinds Privacy, Cyber & Data Governance team maintains excellent relations with a number of leading cyber insurance brokerages and insurers. Call us for information on the scope of your current coverage, and for assistance with sourcing cyber coverage appropriate to your needs. We can also assist with measures designed to harden your data security, which will typically lead to lower premiums, or permit companies that are otherwise uninsurable to obtain coverage.
Should you have any questions or comments, you can reach out to the authors Peter Dillon, Ontario attorney specializing in Privacy, Cyber & Data Governance, at peter.dillon@siskinds.com or Eric Blain, Ontario student-at-law, at eric.blain@siskinds.com.
2 SO 1992, c 6.
This article was written in collaboration with lead co-author Eric Blain, student-at-law.