An Ontario Court ordered an insurer to defend a data breach claim in the face of data exclusion clauses where it was unclear whether or not all of the claims against the insured fell within the clauses.

Laridae v. Co-operators, 2020 ONSC 2198, per Pollak, J.

Facts and Issues

Family and Children's Services of Lanark (“FCS”) suffered a data breach in 2016 when an unauthorized hacker accessed a secured portion of the FCS website which should only have been accessible to authorized users with passwords. 

FCS retained Laridae Communications Inc. to address the breach:

9.  Laridae was retained by FCS to “recommend and implement communication” strategies. Its mandate was to “review and refresh” FCS's website to ensure that the new website and its components are compliant with privacy and other legislative requirements. Laridae advised FCS on issues relating to the design and security of its website.

Laridae added additional security features to the FCS website and advised FCS that it needed to do nothing regarding the confidential documents stored on or referred to in the website.

After that, the same hacker gained access to the FCS website again and downloaded a report which contained personal information of 285 people and posted it on internet sites available to the public.

A class action (the “Class Proceeding”) was brought against FCS seeking $75 million in damages (including punitive damages) alleging breach of the privacy rights in respect of the allegedly defamatory report. The Class Proceeding was framed in many causes of action, including negligence, defamation, negligent misrepresentation, intrusion upon seclusion, breach of confidence and breach of fiduciary duty.

FCS brought a Third Party Claim against Laridae, alleging breach of contract, negligent provision of services under its contract with VCS and negligent misrepresentation. FCS's Third Party Claim was not restricted to contribution and indemnity re: the Class Proceeding.  In addition it also sought damages for electronic distribution through the internet and for physical distribution.

Laridae was insured under two policies issued by Co-operators:

  1. A CGL policy, which required Co-operators to cover Laridae as the primary insured (with FCS as an additional insured) for sums legally required to pay as compensatory damages for “personal injury”.
    1. “Personal injury” was defined as injury other than “bodily injury” for, inter alia “[o]ral or written publication of material that libels or slanders a person or organization or disparages a person's or organization's goods, products or services” or “[o]ral or written publication of material that violates a person's right to privacy”.
    2. Co-operators relied on a Data Exclusion  in the CGL policy which excluded coverage for: 

Data

a. Liability for:

1.   erasure, disruption, corruption, misappropriation, misinterpretation of “data”;

2.   erroneously creating, amending, entering, deleting or using “data”;

Including any loss of use therefrom;

b. “Personal injury” arising out of the distribution or display of “data” by means of an Internet Website, the Internet, an intranet, extranet, or similar device or system designed or intended for electronic communication of “data”.

  1. A Professional Liability/Errors & Omissions policy (the E&O Policy), which covered Laridae for sums payable as compensatory damages for “any error, omission or negligent act in the course of providing ‘Professional Services'”.
    1. Co-operators relied on a Data Exclusion in the E&O Policy which provided as follows:

Data Exclusion

There shall be no coverage under this policy in connection with any claim based on, attributable to or arising directly, or indirectly from the distribution or display of “data” by means of an Internet Website, the Internet, an intranet, extranet, or similar device or system designed or intended for electronic communication of “data”.

The term “data: in both policies was defined as “representations of information or concepts, in any form.”

The Co-operators agreed that the coverage clauses in both policies provided coverage to FCS for the Class Proceeding and to Laridae with respect to the Third Party Claim but denied coverage based on the Data Exclusions.

HELD: For the insureds; Co-operators directed to defend. 

  1. The Court emphasized that the Applications were based on the insurer's duty to defend, as opposed to its duty to indemnify and concluded that where there was a possibility that some of the claims against the insured are covered, the insurer must defend the entire claim:

26      The parties are agreed on the law to be considered on these Applications. It is important to note that these are “duty to defend” and not “duty to indemnify” proceedings. Our Courts have held that even where only some claims are covered under an insurance policy, the insurer has a duty to defend the insured for the whole claim.

27      The Ontario Court of Appeal in Tedford v. TD Insurance Meloche Monnex, 2012 ONCA 429, has held that if there is any possibility that a claim falls within liability coverage of an insurance policy, the insurer must defend the insured. The Court outlined the following principles:

a.   “an insurer has a duty to defend if the pleadings filed against the insured allege facts, which if true, would require the insurer to indemnify the insured;

b.    if there is any possibility that the claim falls within the liability coverage, the insurer must defend;

c.   the court must try and ascertain the substance and true nature of the claims;

d.   if the pleadings are not sufficiently precise to determine whether the claims would be covered by the policy, the insurer's obligation to defend will be triggered where, on a reasonable reading of the pleadings, a claim within coverage can be inferred; and

e.   in determining whether the policy would cover the claim, the usual principles governing the construction of insurance contracts apply, namely: the contra proferentem rule and the principle that coverage clauses should be construed broadly and exclusion clauses narrowly.”

28      The Claims in these Applications are broad and comprehensive and not limited to the distribution of the report on the Internet. The Claims do include damages for non-electronic distribution (i.e. physical distribution) of the report or other private information. Paragraph 19 of the Statement of Claim in the Class Proceeding asserts that “the personal information of the class members can be accessed by any unauthorized third party who accessed the information, bought the information, or found the information posted on the internet...”

29      If this Court finds that the Policies cover at least some of the allegations in the litigation, Co-operators has a duty to defend on all of the Claims. The insurance policies contain an unqualified obligation to defend for these claims. The Policies have no provision limiting the application of Co-operators' duty to defend in respect of “mixed” claims.

30      In Hanis v. University of Western Ontario, 2008 ONCA 678, the Ontario Court of Appeal has held that if some but not all of the claims are covered by an insurance policy, and there is an unqualified obligation in the policy to defend, the insurer must pay all reasonable costs associated with the entire defence.

31      As mentioned above, there is no dispute that the allegations in the litigation are covered by the insurance policies as coverage is provided for oral and written publication of materials that is defamatory or a violation of a person's right of privacy. The only issue on these applications is whether the “Data Exclusion” clauses clearly negate the duty to defend.

32      Co-operators has the burden of proving that the substance of the claims in this litigation clearly fall within the data exclusion clauses. The insureds make submissions regarding the enforceability of these data exclusion clauses. They rely on the argument that the courts will not enforce exclusion clauses which have the effect of nullifying the insurance which the insurer undertook to provide. They submit that Co-operators should not provide general coverage but rely on broadly worded exclusions which would have the effect of eliminating the coverage which it contracted to provide. It is submitted that this is an important issue on these Applications and that a court should not determine this issue in a “duty to defend” application, where such data exclusion clauses have not yet been judicially considered by our courts. I agree that such a novel interpretive issue should be considered on a full record and not in these Applications.

  1. The Court held that the insurer bears the burden of proving that a claim “clearly” falls within an exclusion clause upon which it relies, i.e. that in this case “Co-operators has the burden of proving that the substance of the claims in this litigation clearly fall within the data exclusion clauses” (para 32)
  1. The Court held that in this case the insurer owed an obligation to defend the entirety of both claims.
    1. Pollak, J. held that:
      1. It was not clear that the claims against FCS and Laridae fell within the “broadly worded” Data Exclusion clauses. The Court apparently held that the insureds' submissions on this point gave rise to this possibility:

32      Co-operators has the burden of proving that the substance of the claims in this litigation clearly fall within the data exclusion clauses. The insureds make submissions regarding the enforceability of these data exclusion clauses. They rely on the argument that the courts will not enforce exclusion clauses which have the effect of nullifying the insurance which the insurer undertook to provide. They submit that Co-operators should not provide general coverage but rely on broadly worded exclusions which would have the effect of eliminating the coverage which it contracted to provide. It is submitted that this is an important issue on these Applications and that a court should not determine this issue in a “duty to defend” application, where such data exclusion clauses have not yet been judicially considered by our courts. I agree that such a novel interpretive issue should be considered on a full record and not in these Applications.

33      The insureds submit that the interpretation of the exclusionary clause, as emphasized by Co-operators, is not conclusive in determining whether Co-operators has a duty to defend. As a result of imbalance of negotiating power as between insureds and insurers, interpretive principles have been developed to protect consumers of insurance policies. One of these most fundamental principles is that literal meanings of the policy should not be applied if it would render an unrealistic result wherein coverage provided by the insurance is virtually nullified or would be contrary to the reasonable expectations of the parties at the time the policy was concluded. Courts are to examine the terms of the policy considering the surrounding circumstances in order to determine the intent of the parties and the scope of their understanding.

34      Further, the insureds submit that exclusion clauses should not be enforced, if enforcement would be inconsistent with the main purpose of the insurance coverage, and where it would be contrary to the reasonable expectations of the ordinary person who purchased coverage. The Data Exclusion Clauses would nullify coverage for a significant portion of the services provided by Laridae. The insureds argue that Laridae's business is to create and handle “data” as that term is defined in the Policies. Such data is routinely “distributed” or “displayed” using the Internet or similar forms of technology. It would not make commercial sense that Co-operators be permitted to sell comprehensive insurance policies and rely on “Data Exclusion” clauses that are so broad that they have the effect of nullifying virtually all the coverage which the insurer contracted to provide.

35      Most importantly, it is argued that it cannot be that such an effect would have been within the parties' reasonable expectations.

  1. There was a possibility that some of the claims in the Class Proceeding and the Third Party Claim would trigger the insurer's duty to indemnify in the end.  In the Third Party Claim the allegation was based on physical distribution of the data in addition to electronic distribution.
  2. The Court concluded as follows:

36      I agree that until the courts have had an opportunity to adjudicate the complex issues raised by these broadly worded data exclusion clauses, it would be improper for this court, having regard to present jurisprudence to uphold Co-operators' denial of a duty to defend. Further, I cannot find on these Applications that Co-operators has shown that there is no possibility of coverage. I find that Co-operators has not discharged its onus of establishing that the substance of the Claims clearly fall within the Data Exclusion Clauses and that there is no possibility of coverage under the Policies. Rather, in addition to the issue of the interpretation of the data exclusion clauses, it is apparent that there are claims and allegations in the Class Proceeding and the Third-Party Claim that would not excluded by the Data Exclusion Clauses. As there is at least some possibility that the Claims are covered under the Policies, I find that Co-operators owes a duty to defend Laridae and FCS.

[emphasis by the Court]

COMMENTARY:  We emphasize two points regarding this decision:

  1. With respect, it is by no means clear that if some claims may be covered the insurer must defend the insured in all cases.  There is case law to suggest an apportionment of defence costs and/or responsibility where the covered and non-covered claims can be clearly separated and can be defended separately.
  2. This case is not authority for the proposition that such Data Exclusion clauses exclude coverage for electronic data distribution. Again, this decision only dealt with the duty to defend, as opposed to the duty to indemnity.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.