Earlier in May, in Laridae v. Co-operators, 2020 ONSC 2198, an Ontario court was hesitant to offer guidance on the proper application of two “electronic data exclusions” that expressly withdrew coverage for the misappropriation and display of electronic information on the internet. At issue were allegations arising from particularly egregious hacking incidents involving a child protection agency’s website. Noting an apparent lack of guiding authority (“there is no jurisprudence on the proper interpretation of data exclusion clauses”), Pollak J. ordered a liability insurer to separately defend the named and additional insureds.
Underlying Proceedings & Coverage
The named insured was a management consulting firm retained to develop a communications strategy for its client, a public child protection agency. The consultant’s mandate included updating the agency’s website to make it compliant with privacy legislation, and advising on website design and security. Thereafter, the child protection agency’s website was hacked. The consultant advised it had implemented additional security measures and counselled the agency not to remove any confidential information from the website’s secured section. Unfortunately, the website was hacked again. An unauthorized user downloaded sensitive child protection information, which was posted to other websites.
A class-action was brought against the child protection agency, seeking $75,000,000 in damages. The representative-plaintiff alleged the agency failed to properly secure its website, which permitted personal information to become publicly available. In turn, the child protection agency third-partied the consultant, seeking contribution and indemnity for liability arising from the class action allegations; also advancing independent contractual and negligent misrepresentation claims.
The consultant was the named insured under a commercial general liability policy and an errors and omissions liability policy issued by the same insurer (respectively “the CGL Policy” and the “E&O Policy”). The child protection agency was an additional insured under the consultant’s CGL Policy. Both sought defence coverage for allegations arising from the child protection agency’s website hacking incidents. The insurer denied coverage having regard to exclusionary clauses that withdrew coverage for liability arising out of the misappropriation, distribution or display of electronic “data” on websites, the internet, or other electronic media. The definition of “data” under both policies was defined as “representations of information or concepts, in any form.”
Decision
It was not disputed that the allegations fell within both policies’ respective insuring agreements (i.e. the CGL Policy’s “personal injury” coverage and the E&O Policy’s coverage for liability arising “in the course of providing professional services”). The central question was whether each policy’s electronic data exclusion withdrew coverage for the allegations arising from the hacking incidents (i.e. allegations against the agency in the class action and the agency’s third-party claim against the consultant). Pollak J. observed:
… there is no dispute that the allegations in the litigation are covered by the insurance policies as coverage is provided for oral and written publication of materials that is defamatory or a violation of a person’s right of privacy. The only issue on these applications is whether the “Data Exclusion” clauses clearly negate the duty to defend.
Arguing against the data exclusions’ application, the insureds noted that a core element of the consultant’s business involved the creation and handling of electronic “data” (i.e. websites). Consequently, it would be contrary to the parties’ reasonable expectations to permit the insurer to apply data exclusions in a manner that had the effect of “nullifying virtually all the coverage which the insurer contracted to provide.” Observing an apparent lack of guiding authority. Pollak J. ordered the insurer to separately defend both insureds. The Court explained:
[36] I agree that until the courts have had an opportunity to adjudicate the complex issues raised by these broadly worded data exclusion clauses, it would be improper for this court, having regard to present jurisprudence to uphold [the insurer’s] denial of a duty to defend. Further, I [cannot] find on these Applications that [the insurer] has shown that there is no possibility of coverage. I find that [the insurer] has not discharged its onus of establishing that the substance of the Claims clearly fall within the Data Exclusion Clauses and that there is no possibility of coverage under the Policies. Rather, in addition to the issue of the interpretation of the data exclusion clauses, it is apparent that there are claims and allegations in the Class Proceeding and the Third-Party Claim that would not [be] excluded by the Data Exclusion Clauses. As there is at least some possibility that the Claims are covered under the Policies, I find that [the insurer] owes a duty to defend [the consultant] and [the child protection agency]. [Emphasis added]
Pollak J.’s observation (i.e. that no Canadian decision directs how these exclusions are to be applied) is correct. While there are a few American cases in which electronic data exclusions are referenced, none provide much by way of analytical guidance as to their proper interpretation. Regardless, it is unfortunate that the Court chose simply to observe the analytical gap without addressing it. As the decision was likely to be appealed in any event, perhaps Pollak J. chose simply to resolve the matter in favour of the insureds without muddying the analytical waters during the intervening period.
More importantly, Laridae reflects a troubling trend in coverage litigation. In this instance, the apparent gap in coverage arose because the named insured, whose business involved website consulting, did not have a cyber liability policy. Notwithstanding the wording of the electronic data exclusion, both insureds argued they could reasonably expect the CGL Policy would provide complete coverage against liability arising in the course of the consultant's website advisory business. Respectfully, the insureds’ subjective understanding of coverage and the parties’ objectively determined reasonable expectations are not the same thing. In Canadian courts, insureds have become increasingly more inclined to conflate these two very different concepts to found arguments in favour of coverage. To the extent that such arguments find favour, insurers should be very concerned. A policy of one type should not be transmogrified into another of a very different kind to remedy the insured’s oversight of risk assessment.
In any event, given the damages plead in the class proceedings, I reasonably anticipate this decision will be appealed. If and when the Ontario Court of Appeal provides guidance as to how we apply electronic data exclusions, liability insurers around the world will surely take note.