While well over a dozen class actions have been commenced in Canada with respect to alleged third-party losses stemming from large-scale data breaches, to date there has been no Canadian jurisprudence considering issues of insurance coverage in the context of such breaches.
Insurance coverage tailored specifically to damages arising in connection with data breaches and other cyber losses has been available in the Canadian market for a number of years. However, there remain questions as to whether coverage may also be available under other traditional forms of insurance, including general liability policies.
Several cases have worked their way through the Courts of the United States, dealing with the issue of whether there may be coverage under a traditional liability policy for third party losses arising from a large-scale data breach. There are conflicting decisions on the issue. A recent decision by the Fourth Circuit has found that an insurer had a duty to defend its health-care insured in a class action relating to the potential exposure of private medical information. The case of Travelers Indemnity Co. of America v. Portal Health Care Solutions, LLC No. 14-1944, 2016 U.S. App. Lexus 6554 at 1 (Fourth Cir. Apr. 11, 2016) dealt not with a hacking scenario, but rather with an alleged negligent failure to secure a server, leading to potential unrestricted access to confidential information online. Portal Health Care sought coverage in connection with a class action launched against it in connection with the breach, under the “publication” provisions of its general liability policy. The insurer argued that as there was no actual release of the medical records in question, the information had not been “published” and, therefore, coverage under the policy was not triggered. The Court disagreed.
Of importance in the Portal Health Care case was the fact that, under Virginia law, an insurer’s duty to defend depends on the comparison of the policy language with the underlying complaint to determine whether the claims alleged are covered by the policy. In particular, the court applied the “eight corners rule”, examining the four corners of the underlying class action complaint and the four corners of the underlying insurance policy, for purposes of determining if a duty to defend existed. This analysis with respect to the duty to defend has similarities to the Canadian approach set out by the Supreme Court of Canada in Lloyds of London v. Scalera  1 S.C.R 551, in which our top court held that an insurer owes a duty to defend when a statement of claim makes allegations that could potentially fall within coverage under the policy. The court in Portal Health Care found that the allegations as pleaded could potentially give rise to coverage under the “publication” provisions of the policy. No comment was made as to whether the insurer would ultimately be held liable to indemnify Portal Health Care.
Notably, Zurich had been successful in an earlier case dealing with a data breach, in arguing that Sony was not entitled to coverage under a general liability policy issued to it by Zurich, on the basis that release of information by hackers did not constitute “publication” under the general liability policy. In Portal Health Care, however, Portal Health Care maintained that the allegations in the complaint involved publication simply by placement of the data on the internet because third parties could potentially access the medical records online.
It should be noted that the policies at issue in the Portal Health Care case do not appear to have included any data breach exclusions language, which have been added to many general liability policies in recent years.
It can be anticipated that similar attempts may be made north of the border to find coverage for large-scale cyber losses, and it appears that the advertising and publication provisions under standard liability policies, which may not all include data breach exclusions, may be ripe ground for coverage litigation in Canada.