Luke Sabourin
Associate
Article
8
In the recent case of Aviva v 8262900 Canada[1], Justice Koehnen of the Ontario Superior Court of Justice considered the application of a data exclusion endorsement in a commercial general liability policy. Justice Koehnen had to decide whether the exclusion endorsement applied to exclude coverage for liabilities stemming from a data breach suffered by the insured.
Justice Koehnen found that the data exclusion endorsement applied to exclude liability for personal injury claims, but did not apply to exclude liability for bodily injury claims. Justice Koehnen based his decision on a critical distinction in the exclusion endorsement wording.
The applicant insurer had issued a commercial general liability policy to the respondent, CarePartners Community Nursing Services Foundation ("CarePartners").
CarePartners Community Nursing Services Foundation provides home health-care services. As part of its operations, it receives personal information from employees and clients.
In 2018, computer hackers hacked into CarePartners' computer system and stole an unknown amount of data. The hackers demanded a ransom, and threatened to release the information if CarePartners did not pay it.
CarePartners declined to pay the ransom. The hackers posted the data online. The data contained the personal information of up to 80,000 of CarePartners' staff and customers for several years. The information contained credit card numbers, medical histories, social insurance numbers, and other sensitive information.
People affected by the data breach launched a class action against CarePartners. CarePartners sought defence and indemnity from the insurer for the class action. The insurer agreed to defend and indemnify CarePartners, but did so without prejudice to its right to later argue that it did not have to defend and indemnify CarePartners.
The class action settled for $3.4 million. The insurer brought an application seeking a declaration that it did not owe any duty to CarePartners to respond to the class action and an order that CarePartners had to reimburse the insurer for money spent defending and settling the class action.
The insurer argued that a data exclusion endorsement excluded coverage for CarePartners. The endorsement read:
This insurance does not apply to any liability for:
1. Erasure, destruction, corruption, misappropriation, misinterpretation of Data;
2. Erroneously creating, amending, entering, deleting or using Data; including any loss of use arising therefrom.
Additionally, this insurance does not apply to any personal injury or advertising injury, if otherwise insured, arising out of the distribution or display of Data, by means of an Internet Website, the Internet, an intranet, extranet, or similar device or system designed or intended for electronic communication of Data.
A liability insurance policy entitles the insured to have their insurer indemnify them against liabilities falling within coverage. In addition, the insurer has a duty to defend the insured against claims potentially giving rise to liability for the insured. However, the insurer's duty to defend only extends to claims that could potentially trigger indemnity under the policy.[2]
Whether an insurer has to defend their insured against a lawsuit depends on the allegations in the plaintiff's pleading and the terms of the coverage provided in the insurance policy. Where there is a possibility that claim within the policy may succeed, the insurer must defend the insured.[3]
An insured has the burden of proof of establishing that a claim falls within coverage. On the other hand, the insurer holds the burden of proof to establish that an exclusionary clause removes a claim from coverage.[4]
The insurer agreed with CarePartners that the claims in the class action fell within coverage because they included claims for personal injury and bodily injury. However, the insurer argued that the data exclusion endorsement applied to remove the claims from coverage.
Justice Koehnen found that the endorsement excluded coverage for claims for personal injury. This was because the wording in the second part of the endorsement captured claims for personal injury:
…this insurance does not apply to any personal injury…arising out of the distribution or display of Data.
However, Justice Koehnen noted that this portion of the exclusion did not exclude bodily injury coverage. The insurer argued that the first part of the endorsement excluded coverage for bodily injury:
This insurance does not apply to any liability for:
1. Erasure, destruction, corruption, misappropriation, misinterpretation of Data;
The insurer argued that since the hackers had misappropriated data, and the class action flowed from the misappropriation of data, there could be no coverage for CarePartners.
Justice Koehnen disagreed with the insurer. First, Justice Koehnen noted that the statement of claim in the class action argued that CarePartners was negligent in how it maintained the data. Justice Koehnen then dismissed the insurer's argument that there was a single "proximate cause" of CarePartners' losses that cause was misappropriation of data. Justice Koehnen noted that when courts focus on "proximate cause" to determine what was the cause of a loss, they are typically dealing with language that refers to a claim "arising out of" an insured or uninsured risk.
Here, the second part of the exclusion clearly stated that there was no coverage for losses "arising out of" the distribution or display of Data. Conversely, the first part of the exclusion did not say "arising out of." Rather, it excluded coverage in respect of "liability for" misappropriation of data. The statement of claim in the class action did not seek to hold CarePartners liable for misappropriation. Rather, it sought to hold CarePartners "liable for" negligence, which the endorsement did not exclude. By including the wording "arising out of," the second part of the exclusion was much broader than the first part of the exclusion.
The insurer also argued that there were insurance products available for customers who wanted to have coverage for cyber breaches, and that CarePartners could not claim coverage for a cyber breach when it had the opportunity to purchase cyber breach coverage. Justice Koehnen dismissed this argument, finding that the availability of other insurance that could clearly cover the loss did not trump the plain meaning of the exclusion clauses. Justice Koehnen also noted that the insurer could have used more specific language in the first part of the exclusion, but chose not to. The difference in the choice of wording between the first and second parts of the exclusion suggested that the former was less exclusionary while the latter was.
The key takeaways from this decision are:
[1] Aviva v 8262900 Canada, 2023 ONSC 2641
[2] Non-Marine Underwriters, Lloyd's London v Scalera, 2000 SCC 24 at para 49.
[3] Family and Children's Services of Lanark, Leeds and Grenville v Cooperators General Insurance Company, 2021 ONCA 159 at para 58.
[4]Ledcor Construction Ltd v Northbridge Indemnity Insurance Co, 2016 SCC 37 at para 52.
CECI NE CONSTITUE PAS UN AVIS JURIDIQUE. L'information qui est présentée dans le site Web sous quelque forme que ce soit est fournie à titre informatif uniquement. Elle ne constitue pas un avis juridique et ne devrait pas être interprétée comme tel. Aucun utilisateur ne devrait prendre ou négliger de prendre des décisions en se fiant uniquement à ces renseignements, ni ignorer les conseils juridiques d'un professionnel ou tarder à consulter un professionnel sur la base de ce qu'il a lu dans ce site Web. Les professionnels de Gowling WLG seront heureux de discuter avec l'utilisateur des différentes options possibles concernant certaines questions juridiques précises.