The Ontario Court of Appeal has found that an insurer does not have a duty to defend a privacy class action, or an associated third party claim stemming from the disclosure of an allegedly defamatory report authored by the Family and Children Services of Lanark ("FCS").

This decision overturns the lower court decision that was the subject of my previous blog entitled "Data and the Duty to Defend".

As I previously noted, the hacked report was stored in an apparently secured portion of the FCS website prior to being exposed by a hacker and posted on various internet sites viewable by the general public. The individuals whose personal information was exposed in the report initiated a class action against, among other parties.

Laridae Communications Inc. ("Laridae"), a third party in the class action, was retained by FCS to ""review and refresh" FCS's website to ensure that the new website and its components are compliant with privacy and other legislative requirements".

The insurer in question issued two policies to Laridae; a CGL policy and an E&O policy.

The insurer admitted that the claims would be covered by the policies, but for the application of the "data" exclusion in each policy.

The relevant exclusions provided as follows, as set out in the lower court's decision:

The "data exclusion" clause contained in the E&O Policy provides as follows:

Data Exclusion

There shall be no coverage under this policy in connection with any claim based on, attributable to or arising directly, or indirectly from the distribution or display of "data" by means of an Internet Website, the Internet, an Intranet, Extranet, or similar device or system designed or intended for electronic communication of "data".

The" data exclusion" clause contained in the CGL Policy (wherein Laridae is the primary insured and FCS is an additional insured) states:

Data

a. Liability for:

1. erasure, disruption, corruption, misappropriation, misinterpretation of "data";

2. erroneously creating, amending, entering, deleting or using "data";

Including any loss of use therefrom;

b. "Personal injury" arising out of the distribution or display of "data" by means of an Internet Website, the Internet, an intranet, extranet, or similar device or system designed or intended for electronic communication of "data".

The Court of Appeal, in overturning the lower court's decision, found that both exclusions were clear and unambiguous, that the exclusions removed any possibility of coverage for the insureds, and that therefore the insurer owed the insureds no duty to defend.

In addition, the Court of Appeal seemed to go out of its way to note that the reluctance of the lower court judge to decide the issue was unnecessary and out of place. The Court specifically referred to the Rules for applications, and noted that this matter was a dispute about the interpretation of a contract, which is one of the issues that applications, rather than "actions" were designed to address. The Court was also critical of both FCS and Laridae for arguing that they were entitled to findings in their favour on the application, but that the insurer was not. The Court summarily rejected this proposed "asymmetrical treatment of FCS and Laridae, on the one hand, and Co-operators, on the other".

In finding the data exclusions in both the CGL policy and the Errors and Omissions policy at issue in this matter to be "clear and unambiguous", the Court of Appeal has provided clarity which will assist both conventional insurers, and those insurers that offer cyber insurance.

Conventional insurers can point to this decision and rely on it to prevent insureds from trying to make what are really cyber or privacy claims against conventional policies. Cyber insurers can point to this decision to assist them in selling additional policies and to further cement the idea that conventional policies are not designed to cover cyber or privacy risks, and that conventional policies now in fact exclude those risks if they contain a properly worded data exclusion.

Insurers who have CGL and/or E&O policies in the market would do well to pattern their data exclusions after the exclusions referred to in this matter. Insurers who do not already have a data exclusion in their CGL or E&O policies would do well to include one that mirrors the appropriate exclusion referred to in this case. Cyber insurers would do well to educate their broker force about this decision, and to encourage them to educate their clients about the now increased risks of not carrying a dedicated cyber insurance policy.

See: Laridae v. Co-operators, 2020 ONSC 2198; overruled 2021 ONCA 159

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.