In a recent Ontario Court of Appeal decision, the court ruled that an insurance company had no duty to defend two insureds following a data breach because the data exclusion clauses applied.
Online Data Breach Leads to $75 Million Class Action
In April 2016, someone hacked into a password-protected portal managed by the Family and Children’s Services of Lanark, Leeds and Grenville (“FCS”). The hacker took a confidential report containing details about the case files and investigations of 285 people. A hyperlink to the report was posted on two Facebook pages.
A $75 million class action was then brought against FCS in which it was alleged that the leaked document contained defamatory material.
In turn, FCS brought a third-party claim against a communications company, Laridae, that had been responsible for its website, including security, in which it alleged negligence and breach of contract.
Both FCS and Laridae were insured by the same insurance company, which denied having any duty to defend FCS or Laridae, relying on policy exclusion clauses that excluded claims arising from the distribution or display of data by means of an internet website. Their CGL Policies provided coverage for compensatory damages for “personal injury [other than bodily injury] … caused by an offence” that “arises out of the conduct of [the insured’s] business”. Additionally, Laridae was insured under a Professional Liability Policy, which provided coverage for “all sums the Insured shall become legally obligated to pay as compensatory damages resulting from ‘Claims’” by reason of “liability for any error, omission, or negligent act in the course of ‘Professional services’.” Laridae’s policy also contained the following similar clause:
There shall be no coverage under this policy in connection with any claim based on, attributable to or arising directly or indirectly from the distribution, or display of “data” by means of an Internet Website, the Internet, an Intranet, Extranet, or similar device or system designed or intended for electronic communication of “data”.
For the purposes of this endorsement, “data” means representations of information or concepts, in any form.
All three parties brought applications to the court to interpret the insurance policies.
Lower Court Finds a Duty to Defend
In her endorsement, dated May 8, 2020, the application judge found that the insurance company had a duty to defend both claims, holding that:
- the applicability of the data exclusion clauses was a “novel interpretation issue” and accordingly the duty to defend should only be denied on a full record, not on an application;
- the data exclusion clause did not exclude the insurance company’s duty to defend the class action;
- the data exclusion clause did not exclude the insurance company’s duty to defend the third-party claim against Laridae; and,
- neither FCS nor Laridae had any reporting obligations to the insurance company, in light of the conflict of interest between the two insured and the insurer.
The insurance company appealed.
Court of Appeal Finds No Duty to Defend
In assessing the insurance company’s duty to defend, the court explained that the first step in coverage analysis is to review the policy to determine whether it is ambiguous.
In this case, it held that the CGL Policy clearly excluded claims “arising out of the distribution or display of ‘data’ by means of an Internet Website, the Internet, an intranet, extranet, or similar device or system designed or intended for electronic communication of ‘data’”. It further held that the Professional Liability Policy was even clearer, as it excluded any claims that arose “directly or indirectly” from the distribution or display of data.
As such, at the first step, the court held that because the policy provisions were clear and unambiguous, it need not consider the reasonable expectations of the parties in interpreting the exclusion provision in the policy, nor did it need to make recourse to extraneous sources.
The court then turned to the second step, which requires the application of the policy provisions to the claims to see if there is a possibility that some of the claims may be covered by the policy. It explained that this is determined by ascertaining the substance and true nature of the claims pleaded.
The court first held that the definition of ‘data’ was clear and unambiguous. Both a hyperlink and an image of a hyperlink constituted “representations of information” within the meaning of the policy exclusions. It was the representation of the source of the electronic file containing personal information. It then stated:
“The damages resulted from hacking the portal using the hyperlink to connect one electronic document to another. This is a “system designed or intended for the electronic communication of ‘data’”. As such, the link to the Report is a display of data within the meaning of the policy exclusion….
The data exclusion clause excludes claims that arise from the display and distribution of the confidential personal information on the internet. All of the injuries pleaded in the third-party claim arise, ultimately, from the distribution of the Report on the internet. There is only one chain of causation. As in the class action, the substance and true nature of the claim for damages arises from the wrongful appropriation of confidential personal information and posting it on the internet.”
The court therefore concluded that the data exclusion clause excluded coverage for the defence of both the class action and the third-party claim and there was no possibility that a claim within the policy would succeed.
Finally, the court rejected FCS and Laridae’s argument that, if the data exclusion clause in the policies applied, giving effect to the data exclusion clause would nullify coverage under the policy.
As a result, the court concluded that the insurance company owed no duty to defend either FCS or Laridae because: (i) the exclusion clauses were unambiguous, (ii) all claims asserted in the proceedings were covered by the clear language of the exclusion clauses, and (iii) denial of coverage would not nullify the policies.
At Bader Law, we have been successfully advising tech start-ups and business owners for a number of years. In that time, we have built a reputation for our forward-thinking guidance and sound legal advice. We regularly help companies in up-and-coming areas including cloud computing, blockchain, other crypto-currency, and FinTech. We are familiar with the various challenges that start-ups face, particularly in the tech sector, and understand that entrepreneurs need a law firm that is going to be able to prioritize the most critical aspects of their venture with them.
The business law team at Bader Law has decades of experience in helping tech start-ups grow and expand, including negotiating licensing agreements and preparing companies for exit events. We are thorough, efficient, and focused on delivering the best possible outcome for every single client. Contact us online or at (289) 652-9092 to discuss your matter with a member of our team.