Categories
Information Technology & Licensing Policies & Pro-Active Compliance

Updates to Cybersecurity and Artificial Intelligence Legislation in Canada

The federal government of Canada is taking significant strides to bolster its privacy legislation, recognizing the critical importance of these fields in today’s digital age. With cyber threats on the rise and artificial intelligence (“AI”) technologies evolving rapidly, the need to strengthen Canada’s legal framework as it relates to these technologies and managing personal data is paramount. These updates aim to enhance cybersecurity measures, protect personal data, and ensure ethical and responsible AI development and deployment.

This blog will provide an overview of ongoing updates to cybersecurity and AI legislation in Canada and their implications for businesses, consumers, and the broader digital landscape.

Current Cybersecurity Legislation

The primary legislation governing Canada’s privacy laws is the Personal Information Protection and Electronic Documents Act (also referred to as “PIPEDA”). In essence, PIPEDA governs how private sector organizations collect, use, and disclose personal information during commercial activities by setting out rules for obtaining consent, limiting the collection of personal information, and mandating safeguards for businesses collecting such information.

As mentioned above, a fundamental principle of PIPEDA requires organizations to obtain meaningful consent from individuals before collecting, using, or disclosing their personal information. This means that organizations must clearly explain the purposes for which they are collecting personal information and obtain consent that is informed, voluntary, and appropriate for the sensitivity of the information. PIPEDA also requires organizations to protect personal information by implementing appropriate security safeguards and to be transparent about their privacy practices. Businesses and organizations that fail to comply with the Personal Information Protection and Electronic Documents Act can face significant fines.

However, despite its principles and frameworks, PIPEDA has its weaknesses. From 2018 to 2022, the Commissioner and the House of Commons Standing Committee on Access to Information, Privacy and Ethics called for its reform in the rapidly changing digital environment, especially concerning the collection of mobility data and the regulation of AI. In response, the Minister of Innovation, Science and Industry tabled Bill C-27 to address these concerns.

Bill C-27: New Privacy Protection and AI Regulation

Bill C-27 creates three new Acts: the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act. Together, these Acts reform PIPEDA and would create a new privacy regime in Canada.

It has completed the second reading in the House of Commons and is currently undergoing committee discussions by the Standing Committee on Industry and Technology. The Bill still needs to be approved by the Senate, so subject to the changes that may occur during that stage, the proposed Acts currently include the following provisions:

Consumer Privacy Protection Act

The Consumer Privacy Protection Act replaces Schedule 1 of PIPEDA but would maintain its consent provisions. It also includes exceptions to the requirement for consent, such as disclosing personal information for socially beneficial purposes. Crucially, it also includes consumers’ key rights regarding their data. For example, it includes the right to erasure of data and the right to an explanation concerning decisions made by an automated decision system.

If an organization were to fail to comply, the Consumer Privacy Protection Act grants the Privacy Commissioner powers to make decisions and recommendations for penalties, which cannot exceed $10,000,000 and 3% of an organization’s gross global revenue, and fines of the higher of $25,000,000 and 5% of an organization’s gross global revenue.

Personal Information and Data Protection Tribunal Act

This Act establishes the Personal Information and Data Protection Tribunal and its principles of operation. This Tribunal would be the body that would deal with appeals of decisions and penalties made under the Consumer Privacy Protection Act.

Artificial Intelligence and Data Act

In general, the Artificial Intelligence and Data Act provides the first extensive regulatory framework for AI systems. It requires individuals and businesses to identify, assess and mitigate the risks of harm or biased output of AI systems. It also allows a minister broad power to require an organization subject to the Act to cease making available an AI system if there are reasonable grounds to believe that this system gives rise to a serious risk of imminent harm.

Contact Bader Law to Learn More About Impending Privacy Regulations and Proactive Policy Compliance

At Bader Law, our business law team successfully advises tech start-ups and business owners on privacy issues, including cloud computing, blockchain, other crypto-currency, and FinTech. We are familiar with the various challenges that organizations face, particularly in the technology sector, and work closely with entrepreneurs and employers to ensure that their legal needs are met.

With offices in Mississauga and Oakville, the corporate lawyers at Bader Law have decades of experience helping businesses grow and expand, and helping corporations negotiate licensing agreements and prepare companies for exit events. We are thorough, efficient, and focused on delivering the best possible outcome for every client. Contact us online or at (289) 652-9092 to discuss your matter with a member of our team.

Categories
Information Technology & Licensing

Court Refuses to Certify Class Action Against Uber Following Cloud Computing Personal Data Breach

We had previously written about a court case relating to a $75 million class action that was brought after a password-protected portal was hacked, resulting in a leak of confidential information online.  

In a 2021 Alberta decision, the court heard an application to certify a class action against Uber after a cloud computing personal data breach. Ultimately, the court refused to certify the proposed class action, finding no evidence of provable harm or damages as a result of the breach.

Uber Users and Drivers’ Personal Data Hacked 

In October 2016, Uber was the subject of an attack by two hackers, who illegally accessed electronic personal data, which was collected and stored in the “cloud” by Uber. 

Subsequently, a representative plaintiff commenced a proposed class proceeding against Uber on behalf of herself and a proposed national class, who were either users of or drivers for its online transportation services. The plaintiff argued that Uber had failed in its “contract, common law and statutory obligations to protect the personal [data] … and [to] ensure it is not accessed by unauthorized parties” and sought personal and punitive damages as a result.

Specifically, the plaintiff alleged that:

  • After accessing the personal data, the hackers had made a ransom demand of Uber in 2016;
  • Uber had identified two hackers;
  • Uber had not notified any of the class members, regulators, or police for over a year, instead paying the two hackers $100,000, on the promised “guarantee” that they would destroy the personal data, and;
  • The class had only learned of the hack in November 2017 after it was discovered by third parties and exposed in the media.

Court Refuses to Certify Class Action 

At the outset, the court narrowed the issue to that of determining whether there was “some evidence” of or “some basis in fact” for any real resulting common harm, loss or damage from the alleged common law or statutory breaches.

While Uber submitted that there must be proof of harm or loss for a successful action in negligence, the plaintiff asserted that in contract there was no requirement of proof of harm, loss, or resulting damages.

After reviewing the facts and relevant legal principles, the court ultimately held that the plaintiff had not provided any evidence of class-wide harm. More specifically, the court stated:

“I not only find no evidence of any actual harm or loss, but do find evidence of no actual harm or loss, in relation to the common law or statutory breaches, including what is called “significant harm”….

More specifically, I find that [the plaintiff] has provided no evidence, on this record, to show a breach of any truly confidential information, or either “first loss” (at the time of or directly related to or coincident with breach) or any of “additional loss”, “consequential loss”, “future loss”, “enhanced loss”, or any otherwise categorized significant consequential losses following the Hack and resulting alleged breach(es). This alone may not be sufficient to deny certification, because of what may have become (in retrospect) a flawed legal presumption of deemed fact by pleading, in the context of class actions. Nevertheless, I do find, in all the circumstances, that [the plaintiff] has not established that a class proceeding is a preferable procedure on this record.”

As a result, the court refused to certify the proposed class action. 

Get Help

At Bader Law, we have been successfully advising tech start-ups and business owners for a number of years. In that time, we have built a reputation for our forward-thinking guidance and sound legal advice. We regularly help companies in up-and-coming areas including cloud computing, blockchain, other crypto-currency, and FinTech. We are familiar with the various challenges that start-ups face, particularly in the tech sector, and understand that entrepreneurs need a law firm that is going to be able to prioritize the most critical aspects of their venture with them.

The business law team at Bader Law has decades of experience in helping tech start-ups grow and expand, including negotiating licensing agreements and preparing companies for exit events. We are thorough, efficient, and focused on delivering the best possible outcome for every single client. Contact us online or at (289) 652-9092 to discuss your matter with a member of our team.

Categories
Information Technology & Licensing

Court of Appeal Rules on Data Exclusion Clauses in $75 Million Data Breach Class Action

In a recent Ontario Court of Appeal decision, the court ruled that an insurance company had no duty to defend two insureds following a data breach because the data exclusion clauses applied. 

Online Data Breach Leads to $75 Million Class Action

In April 2016, someone hacked into a password-protected portal managed by the Family and Children’s Services of Lanark, Leeds and Grenville (“FCS”). The hacker took a confidential report containing details about the case files and investigations of 285 people. A hyperlink to the report was posted on two Facebook pages.

A $75 million class action was then brought against FCS in which it was alleged that the leaked document contained defamatory material.

In turn, FCS brought a third-party claim against a communications company, Laridae, that had been responsible for its website, including security, in which it alleged negligence and breach of contract. 

Both FCS and Laridae were insured by the same insurance company, which denied having any duty to defend FCS or Laridae, relying on policy exclusion clauses that excluded claims arising from the distribution or display of data by means of an internet website. Their CGL Policies provided coverage for compensatory damages for “personal injury [other than bodily injury] … caused by an offence” that “arises out of the conduct of [the insured’s] business”. Additionally, Laridae was insured under a Professional Liability Policy, which provided coverage for “all sums the Insured shall become legally obligated to pay as compensatory damages resulting from ‘Claims’” by reason of “liability for any error, omission, or negligent act in the course of ‘Professional services’.” Laridae’s policy also contained the following similar clause: 

DATA EXCLUSION

There shall be no coverage under this policy in connection with any claim based on, attributable to or arising directly or indirectly from the distribution, or display of “data” by means of an Internet Website, the Internet, an Intranet, Extranet, or similar device or system designed or intended for electronic communication of “data”.

For the purposes of this endorsement, “data” means representations of information or concepts, in any form.

All three parties brought applications to the court to interpret the insurance policies.

Lower Court Finds a Duty to Defend

In her endorsement, dated May 8, 2020, the application judge found that the insurance company had a duty to defend both claims, holding that:

  • the applicability of the data exclusion clauses was a “novel interpretation issue” and accordingly the duty to defend should only be denied on a full record, not on an application;
  • the data exclusion clause did not exclude the insurance company’s duty to defend the class action;
  • the data exclusion clause did not exclude the insurance company’s duty to defend the third-party claim against Laridae; and,
  • neither FCS nor Laridae had any reporting obligations to the insurance company, in light of the conflict of interest between the two insured and the insurer.

The insurance company appealed.

Court of Appeal Finds No Duty to Defend

In assessing the insurance company’s duty to defend, the court explained that the first step in coverage analysis is to review the policy to determine whether it is ambiguous.

In this case, it held that the CGL Policy clearly excluded claims “arising out of the distribution or display of ‘data’ by means of an Internet Website, the Internet, an intranet, extranet, or similar device or system designed or intended for electronic communication of ‘data’”. It further held that the Professional Liability Policy was even clearer, as it excluded any claims that arose “directly or indirectly” from the distribution or display of data. 

As such, at the first step, the court held that because the policy provisions were clear and unambiguous, it need not consider the reasonable expectations of the parties in interpreting the exclusion provision in the policy, nor did it need to make recourse to extraneous sources.

The court then turned to the second step, which requires the application of the policy provisions to the claims to see if there is a possibility that some of the claims may be covered by the policy. It explained that this is determined by ascertaining the substance and true nature of the claims pleaded.

The court first held that the definition of ‘data’ was clear and unambiguous. Both a hyperlink and an image of a hyperlink constituted “representations of information” within the meaning of the policy exclusions. It was the representation of the source of the electronic file containing personal information. It then stated:

“The damages resulted from hacking the portal using the hyperlink to connect one electronic document to another. This is a “system designed or intended for the electronic communication of ‘data’”. As such, the link to the Report is a display of data within the meaning of the policy exclusion….

The data exclusion clause excludes claims that arise from the display and distribution of the confidential personal information on the internet. All of the injuries pleaded in the third-party claim arise, ultimately, from the distribution of the Report on the internet. There is only one chain of causation. As in the class action, the substance and true nature of the claim for damages arises from the wrongful appropriation of confidential personal information and posting it on the internet.”

The court therefore concluded that the data exclusion clause excluded coverage for the defence of both the class action and the third-party claim and there was no possibility that a claim within the policy would succeed.

Finally, the court rejected FCS and Laridae’s argument that, if the data exclusion clause in the policies applied, giving effect to the data exclusion clause would nullify coverage under the policy.

As a result, the court concluded that the insurance company owed no duty to defend either FCS or Laridae because: (i) the exclusion clauses were unambiguous, (ii) all claims asserted in the proceedings were covered by the clear language of the exclusion clauses, and (iii) denial of coverage would not nullify the policies.

Categories
Information Technology & Licensing

Canadian Company Loses Appeal Against IBM in Cloud Computing Trademark Dispute

In a recent Federal Court decision, a Canadian company named “Smart Cloud” appealed a Trademarks Opposition Board (“TMOB”) decision which had rejected its opposition to IBM’s trademark application for the mark “IBM SMARTCLOUD”.

Smart Cloud Opposes IBM’s Trademark Application

The case involved IBM, an international computer hardware, software and services company, and Smart Cloud, a Canadian company. Smart Cloud had been incorporated in October 2010 for the purpose of developing and offering business computing and consulting services centred on cloud computing, digital security, data storage and technical support in Canada and elsewhere.

IBM had filed a trademark application on October 5, 2011, which was advertised for opposition purposes in the Trademarks Journal on November 6, 2013. The application by IBM was for registration of the trademark “IBM SMARTCLOUD” (the “Mark”) in association with a broad range of computer hardware and software and business management, development, network and consulting services. 

Smart Cloud filed its statement of opposition on November 26, 2013, claiming that under the Trademarks Act (the “Act”), there was a likelihood of confusion between the Mark and Smart Cloud’s trademark and tradename “SMARTCLOUD”. Smart Cloud’s opposition to the application was primarily based on its position that the Mark was confusing with its prior use of the trademark SMARTCLOUD and the tradenames SMART CLOUD and SMARTCLOUD in association with services, including cloud computing services.

Trademarks Opposition Board Rejects Smart Cloud’s Opposition

On July 31, 2019, the TMOB, on behalf of the Registrar of Trademarks, rejected Smart Cloud’s opposition to the application. The question was whether clients purchasing IBM’s goods and services under the Mark would believe the goods and services were provided by Smart Cloud.

In its decision, the TMOB stated that Smart Cloud’s trademark and tradename consisted of two ordinary dictionary words and referenced the definitions of those words in the online Oxford English Dictionary. As Smart Cloud’s services were essentially cloud computing services, the TMOB considered its trademark and tradename to be highly suggestive, possessing a low degree of inherent distinctiveness. The TMOB found the Mark to also have a low degree of inherent distinctiveness as it shared the element SMARTCLOUD and the IBM prefix was a combination of letters. As Smart Cloud had provided minimal evidence of use, the TMOB was unable to find that its trademark and tradename had any measure of acquired distinctiveness “that would result in an ambit of protection greater than what would ordinarily be accorded to a weak mark”. 

The TMOB further held that Smart Cloud had not shown that its trademark and tradename had acquired any distinctiveness through use or promotion as of April 5, 2011.

While the TMOB acknowledged a fair degree of resemblance between the parties’ marks, it concluded that the Mark clearly signalled cloud computing-related goods and services emanating from IBM. Additionally, it held that IBM’s reputation and its use as the prefix of the Mark would assist consumers in distinguishing the source of the goods and services associated with the Mark; as such, the surrounding circumstances strongly favoured IBM.

The TMOB then reviewed jurisprudence concerning weak trademarks, stating that it is well-established that a weak trademark (a mark of low inherent distinctiveness) is not entitled to a wide ambit of protection and that comparatively small differences will be sufficient to distinguish between weak marks. It held that because Smart Cloud had not shown extensive use of its trademark and tradename, the low degree of distinctiveness of the SMARTCLOUD mark had not been enhanced. As such, the TMOB concluded that the jurisprudence concerning weak trademarks favoured IBM.

Finally, the TMOB held that Smart Cloud had not satisfied its evidentiary burden of establishing that the SMARTCLOUD trademark and tradename had become sufficiently known in Canada to negate the distinctiveness of the Mark as of November 26, 2013. The TMOB found that Smart Cloud had provided no evidence of sales generated by the provision of services under SMARTCLOUD. Additionally, Smart Cloud’s evidence of advertising and promotion was narrow and limited to the period from late 2010 to mid-2011. Despite Smart Cloud’s president’s statement that its website had been continuously active since 2010, the TMOB ultimately found that there was no evidence indicating the number of Canadian consumers that may have visited the site.

In the result, the TMOB rejected Smart Cloud’s opposition.

Smart Cloud appealed the decision.

Court Rejects Smart Cloud’s Appeal

At issue before the court was whether the TMOB had erred in its analysis and conclusions regarding the likelihood of confusion between the Mark and Smart Cloud’s trademark and tradenames.

After reviewing the parties’ new evidence, the court concluded that: 

“I find that the TMOB incorrectly relied on a dictionary definition of the term ‘cloud’ that was added after the material date for Smart Cloud’s grounds of opposition… However, my review of the admissible new evidence in this appeal demonstrates that the SMARTCLOUD trademark and tradename was comprised of two ordinary words on April 5, 2011. There are no errors in the TMOB’s conclusions that SMARTCLOUD is a highly suggestive mark and possesses a low degree of inherent distinctiveness. The TMOB correctly relied on these conclusions and its finding that the mark SMARTCLOUD had not acquired any measure of distinctiveness through use in its review of the jurisprudence regarding weak marks. The TMOB did not err in concluding that the SMARTCLOUD trademark was a weak mark on the material dates in the opposition.

[T]he two words comprising Smart Cloud’s trademark and tradename SMARTCLOUD were words in common usage by April 5, 2011, and necessarily by September 2011, and were understood by the casual Canadian consumer of computer goods and related services.”

As such, the court held that there was no palpable and overriding error in the TMOB’s analysis and conclusions and dismissed Smart Cloud’s appeal.
