Insuring your business may be costly, but gaps in your insurance may cost you more. A recent decision from the Ontario Court of Appeal could prevent you from making claims against your insurance policy if you happen to suffer a cyber security breach.
In Family and Children's Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company,[1] the Court of Appeal found that data exclusion clauses in the two policies at issue operated to absolve Co-operators General Insurance Company (“Co-operators”) of a duty to defend the insureds against claims arising out of a data breach.
At first instance, the Superior Court application judge found that despite the “data” exclusion clauses in their respective policies, Co-operators owed a duty to defend both Family and Children's Services of Lanark, Leeds and Grenville (“FCS”) and Laridae Communications Inc. (“Laridae”) in respect of claims against them.
In 2015, FCS contracted Laridae to, among other things, review and update the FCS website to ensure FCS maintained compliance with applicable legislative requirements. The agreement required Laridae to obtain commercial general liability insurance that would name FCS as an additional insured under the policy.
In July 2016, an action was commenced against FCS under the Class Proceedings Act, 1992,[2] over a data breach which resulted in confidential information of clients of FCS being made public. The disclosed information was supposed to be stored in a secure portal, accessible only by FCS's board of directors. The data was shared on multiple public Facebook forums and on YouTube. FCS brought a third-party claim against Laridae alleging negligence and breach of contract.
Both FCS and Laridae were insureds under the commercial general liability policy, and Laridae was additionally insured under a professional liability policy.
You're on Your Own: No Duty to Defend
In determining that Co-operators did not owe a duty to defend either FCS or Laridae, the Court of Appeal held:
- The data exclusion clauses clearly and unambiguously excluded any claims arising “directly or indirectly” from the distribution or display of data. The application judge wrongly and unnecessarily applied the general rules of contract construction.
- Both claims – the class action, and the third-party claim – fit squarely within the ambit of the data exclusion clauses, as the claims resulted from the display and distribution of data.
- Coverage under the policies – both the general liability policy and the professional liability policy – would not be nullified if the exclusions applied to deny coverage in this case, as both policies provided meaningful coverage for a range of services beyond the terms of the data exclusions.
Takeaway: Protect your Business
The Court of Appeal's broad interpretation of “data” exclusions in traditional insurance policies is a warning to all businesses to review their policies and ensure they have the right coverage. If your company doesn't have a standalone cyber insurance policy, now is the time to start looking.
[2] SO 1992, c 6.