Cybercrime, once a thing of science fiction, is growing in frequency and sophistication. While there is a growing desire among businesses to access insurance coverage for cyber events, many still seek to rely on traditional forms of insurance coverage, rather than specific cyber coverage, when claims arise. However, many traditional insurance coverages, such as commercial general liability, contain "electronic data" or other exclusions that limit the extent of coverage available under such policies.
Until recently, there has been an absence of any Canadian jurisprudence providing guidance with respect to the electronic data exclusion. Recently, in Laridae v. Co-Operators, this gap in jurisprudence was one of the factors that weighed in favour of the Court finding an insurer had a duty to defend a claim arising in relation to a cyber-breach.
In Laridae, a public child protection agency ("the agency") retained Laridae Communications Inc. ("Laridae") to recommend and implement communication strategies. Among other things, the agency retained Laridae to review and update its website to ensure compliance with privacy and other legislative requirements. Laridae counselled the agency with respect to both the design and security of the website.
In 2016, an unauthorized third party accessed documents from a secured section of the agency's website. In response, Laridae advised the agency that it had implemented further security features for the secured section of the website. Laridae advised the agency to do nothing to remove the confidential documents stored on the secured section of the website.
The unauthorized user subsequently accessed the documents again, downloaded a file containing a written report, and posted it on various public internet sites. The report contained the personal information of approximately 285 persons who had been the subject of agency investigations.
A class proceeding was brought against the agency seeking special and punitive damages of $75 million. The representative plaintiff alleged breaches of privacy and that the agency failed to secure its website. The statement of claim in the class action was broadly worded and alleged negligence, defamation, negligent misrepresentation, intrusion upon seclusion, breach of confidence, and breach of fiduciary duty. The class litigants sought damages arising from electronic distribution through the internet and physical distribution.
The agency issued a third party claim against Laridae alleging breach of contract and negligence. In addition to contribution and indemnity with respect to the class action, the agency sought general and special damages as against Laridae.
At the material time, Co-Operators insured Laridae pursuant to a Commercial General Liability policy (the "CGL Policy") and an Errors and Omissions Policy (the "E&O Policy"). Under the CGL Policy, Co-Operators agreed to provide coverage for sums that it became legally obligated to pay because of "personal injury" and to defend Laridae in any "proceeding" seeking such compensatory damages. Under the E&O Policy, Co-Operators agreed to provide coverage for sums that Laridae became legally obligated to pay as compensatory damages resulting from "Claims" by reason of liability for any error, omission or negligent act in the course of providing "Professional Services". The E&O policy also included coverage for defending Laridae in any proceedings for compensatory damages payable under the terms of the Policy.
Co-Operators did not dispute that the allegations contained within the class action fell within the insuring agreements of both policies. The central issue, however, was whether Co-Operators could rely on the "data exclusion" provisions to deny its duty to defend.
The "data exclusion" clause contained in the E&O Policy provided as follows:
There shall be no coverage under this policy in connection with any claim based on, attributable to or arising directly, or indirectly from the distribution or display of "data" by means of an Internet Website, the Internet, an Intranet, Extranet, or similar device or system designed or intended for electronic communication of "data".
The "data" clause contained in the CGL Policy provided as follows:
a. Liability for:
- erasure, disruption, corruption, misappropriation, misinterpretation of "data";
- erroneously creating, amending, entering, deleting or using "data";
Including any loss of use therefrom;
b. "Personal injury" arising out of the distribution or display of "data" by means of an Internet Website, the Internet, an intranet, extranet, or similar device or system designed or intended for electronic communication of "data".
Both Policies define "data" as "representations of information or concepts, in any form."
Laridae and the agency both argued that they could reasonably expect the CGL policy would provide complete coverage against liability arising in the course of Laridae's business. The agency and Laridae argued that the exclusions would nullify coverage for a significant portion of the services offered by Laridae in the course of its cyber consulting business. The Court did not consider this argument but we query whether it would have been successful particularly given the existence of cyber insurance policies that are better suited for cyber-related events.
In deciding Co-Operators had a duty to defend under the policy, Justice Pollack observed that there were some allegations in each of the class action and third party claim that were not captured by the exclusion (specifically, "physical distribution" of sensitive information). Justice Pollack observed she was unable to find that there was no possibility of coverage. Her Honour held that until the courts have had an opportunity to adjudicate the complex issues raised by the exclusion clauses, it would be premature to deny a defense.
It is important to note that Laridae was an application with respect to the duty to defend. Courts have consistently held that where there is a mere possibility of coverage under the policy, the duty to defend is triggered. In Laridae, the claims were "broad and comprehensive". The court offered no analysis with respect to indemnification under the policy. The decision should not be taken to mean a standard CGL or E&O policy will provide ample coverage for cyber-related losses. Insurance consumers should review their business and business risks with an insurance professional to identify the most appropriate coverage.