New Ontario Court of Appeal Decision Impacts The Scope of Insurance Coverage for Cyber Matters
The Ontario Court of Appeal has, in a recent ruling, significantly narrowed the availability of insurance coverage for cyber matters under traditional insurance policies.
In Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company, 2021 ONCA 0159, Co-operators General Insurance Company (“Co-operators”) denied a duty to defend Family and Children’s Services of Lanark, Leeds and Grenville (“FCS”) and Laridae Communications Inc. (“Laridae”) against two claims, relying upon the “data” exclusions under the respective insurance policies.
Although the Superior Court application judge found Co-operators had a duty to defend against both claims, this decision was reversed by the Court of Appeal. The Court of Appeal determined that (1) the “data” exclusion clauses were unambiguous; (2) all claims asserted in the proceedings were covered by the clear language of the exclusions; and (3) denial of coverage would not nullify meaningful coverage under the policies.
Overall, the Court of Appeal broadly interpreted the insurance exclusion clauses to capture the claims in question and Co-operators was successful in denying insurance coverage, even at the duty to defend stage. The Court reached this conclusion even though the low threshold for coverage at the duty to defend stage is to demonstrate a “mere possibility” of coverage.
In August 2015, Laridae was retained by FCS, a children’s aid society, to perform communication and marketing services, including work on its website. Less than a year later, a hacker accessed FCS’ secured portal, and obtained a confidential report with case files and investigations of nearly 300 people. The report was subsequently shared on Facebook, disclosing sensitive personal information. As a result of the disclosure, a $75 million class action was filed against FCS alleging that the leaked report contained defamatory materials and that FCS was negligent for enabling the data breach.
As FCS and Laridae were insured by Co-operators, both parties claimed that Co-operators owed them a duty to defend against the class action and third-party claim brought by FCS against Laridae for breach of contract and negligence.
Legal Analysis of the Insurance Policies
Laridae’s commercial general liability policy contained a data exclusion clause, which excluded “[any] personal injury arising out of the distribution, or display of ‘data’”, and defined “data” as “representations of information or concepts in any form”.
Similarly, Laridae’s professional liability policy contained a data exclusion clause, which provided that “[t]here shall be no coverage under this policy in connection with any claim.. arising directly or indirectly from the distribution or display of data by means of an Internet Website … designed or intended for electronic communication of ‘data’”.
In concluding that Co-operators did not have to defend either FCS or Laridae, the Court of Appeal ruled that:
- There was no ambiguity in the policies, so general rules of contract construction used by the application judge (such as bringing in the reasonable expectations of the parties, avoiding unrealistic results, reviewing external sources) were not applicable.
- The claims were clearly covered under the policy exclusions. Sharing the image of a link, which requires a user to take further steps in order to access the content, is still within the definition of “data”.
- Applying the exclusions would not nullify meaningful coverage under the policies. It was clear that Co-operators would not insure against all risks while still providing coverage for a wide range of services. It was fair to hold parties to what they have bargained for.
This ruling signals a judicial shift in the interpretation of insurance policies for cyber coverage. Many insurers, in an effort to preclude so-called “silent” cyber coverage under non-cyber policies (such as commercial general liability policies, errors and omissions policies, directors and officers policies, property policies, and crime bonds) and to direct insureds to stand-alone cyber insurance policies for additional premiums, have inserted “data” exclusions in their non-cyber policies. The Court of Appeal interpreted such exclusions broadly as in effect applying to all claims directly or indirectly arising out of data. This decision highlights the need for businesses to obtain a separate cyber-specific insurance policy in order to better protect against cyber risks, rather than leaning on other insurance polices to provide adequate cyber coverage. Similarly, when negotiating contracts, it will be important to require counter-parties to undertake to obtain stand-alone cyber policies.
 Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company, 2021 ONCA 0159 at paras 34 and 35.
 Ibid at paras 29 and 37.