The key takeaway for businesses is that in order to be properly insured against cyber-attacks, a cyber liability policy or endorsement is necessary. Cyber-attacks will not likely be covered by Commercial General Liability or crime policies.
Cyber Liability is a relatively new area of Canadian insurance law dealing with cyber-attacks including various forms of fraud perpetrated online. The issues generally involve the types of insurance policies which will respond to cyber-attacks, what types of losses are covered, and particularly the amount the insurer has agreed to cover in the event of a successful cyber-attack.
Cyber Liability Prior to FCSLLG v. Co-operators
The issue of determining whether a cyber-attack is covered under a policy was first dealt with in Canada in 2017 in The Brick Warehouse LP v. Chubb Insurance Company of Canada.[1]
In that case, fraudsters pretending to be a new employee of Toshiba tricked a Brick employee into providing them with payment information that was later used to convince Brick employees that Toshiba had changed banks. The fraudsters provided new banking details resulting in $338,322.22 being transferred to the fraudsters instead of Toshiba.
The Brick submitted a claim to its insurer for the funds it was unable to recover from the fraudsters under a policy intended to protect against various forms of crime including “funds transfer fraud”. The Court found that “funds transfer fraud” was intended to catch situations where the fraud was a result of a third-party fraudster impersonating an employee of the Brick, but not situations where the Brick employee knew about and consented to the transfer of funds, even where they were duped.
This did not provide much guidance on cyber liability policies given that a cyber policy was not at issue and the Court’s analysis was based on an interpretation of the plain and ordinary meaning of the phrase “funds transfer fraud”.
Enter the Ontario Court of Appeal decision Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company.[2]
FCSLLG v. Co-operators, Canada’s First Real Judicial Interpretation of a Cyber Liability Policy
In FCSLLG v. Co-operators, released on March 15, 2021, Family and Children’s Services of Lanark, Leeds and Grenville (“FCS”) was hacked in April 2016. The unidentified hacker stole confidential reports which were allegedly leaked onto two Facebook pages. Following the leak, a class action was commenced against FCS seeking $75 million in damages. FCS initiated a third-party claim against Laridae, the company that was retained to revise FCS’ website.
Importantly, as part of the contract to revise FCS’ website, Laridae was required to acquire a Commercial General Liability (“CGL”) policy which would name FCS as an additional insured, which it did.
At the time of the hack, Laridae had two policies of insurance with Co-operators:
1) a CGL policy wherein FCS was named as an additional insured; and
2) a Professional Liability Policy.
Laridae filed claims through both policies and FCS brought a claim through the CGL policy. Co-operators denied coverage under both policies relying on data exclusions.
History of Proceedings
FCS, Laridae, and Co-operators brought applications regarding the interpretation of the policies.
The Application Judge concluded that the claims for which FCS and Laridae sought coverage were broad and comprehensive and not limited to the distribution of the reports on the internet; they included, for example, damages for non-electronic distribution of the reports or other private information.
Her Honour further found that the denial of a duty to defend was too important to be determined on an Application, that there was a possibility of coverage in this case, and that there was a conflict of interest due to competing interests between FCS and Laridae. As such, it was the Application Judge’s opinion that Co-operators was required to fund the defences of FCS and Laridae each with independent counsel, neither of whom would report to Co-operators.
The Exclusionary Clauses in the CGL Policy
The CGL policy excluded coverage for personal injury “arising out of the distribution or display of “data” by means of an Internet Website”. Data was defined as “representations of information or concepts in any form.”[3]
This “data exclusion” was the basis upon which Co-operators denied a duty to defend FCS and Laridae under the CGL policy. The fraudster had hacked the website to obtain the confidential reports, and Co-operators took the position that this scenario fell squarely within the data exclusion.
The Exclusionary Clauses in the Professional Liability Policy
The Professional Liability Policy provided coverage and exclusions similar to those in the CGL policy. This policy also had a data exclusion clause which indicated that coverage would not be afforded for any claims made against Laridae arising from the distribution or display of “data” by means of an Internet Website.[4]
Co-operators also relied upon this data exclusion clause to deny it had a duty to defend Laridae from the third-party claim by FCS.
The Appeal
Co-operators appealed the decision arguing that the duty to defend issue could be properly determined by way of Application without a full trial as it is an issue of law and the facts are not in dispute. Further, Co-operators argued that the data exclusion clauses meant that it was not obligated to defend FCS from the class action or Laridae from the third-party claim. In the alternative, if a duty to defend did exist, Co-operators argued that it had a right to participate in the defences of FCS and Laridae as per the usual course.
The Duty to Defend and an Insurer’s Right to Participate in the Defence of an Insured
The Court held that the data exclusions were clear and unambiguous and that Co-operators did not have a duty to defend FCS and Laridae. It commented in obiter that, even if Co-operators did have a duty to defend, allowing it to participate in the defence was a fair balance between the insureds’ right to a fair trial and Co-operators’ right to control the defence because of its potential ultimate obligation to indemnify.
Key Takeaways
The major takeaway here is that in order to be covered for cyber-attacks, an insured will most likely need either a distinct cyber liability policy or a cyber liability endorsement or rider. While there may be room for “all risks” policies to cover cyber-attacks, it is important for an insured to consult with their broker about whether such a policy has coverage for online attacks or conversely if there are data exclusions similar to the ones found in this case.
The other takeaways are that if a loss is caught by these types of broad data exclusion clauses[5] then it may not trigger an insurer’s duty to defend, and in the event that an insurer has contracted with distinct parties in an action who have competing and/or conflicting interests, the insurer should still have the right to participate in both their defences given that it is the party ultimately responsible for indemnifying both insureds. The Court indicated that in these cases, it would be appropriate to establish a joint protocol for the management of documents and litigation similar to that ordered in Markham (City) v. AIG Insurance Company of Canada.[6]
[1] 2017 ABQB 413 (CanLII) (the “Brick”).
[2] 2021 ONCA 159 (CanLII) (“FCSLLG v. Co-operators”).
[3] The relevant exclusionary clauses under the CGL policy can be found at para 32 of the Court of Appeal’s decision: https://www.ontariocourts.ca/decisions/2021/2021ONCA0159.pdf
[4] FCSLLG v. Co-operators at para 37.
[5] Excerpts of the wording for the relevant policies and data exclusions can be found at paras 32-28 of the Court of Appeal’s decision.
[6] 2020 ONCA 239, 445 D.L.R. (4th) 405.
Co-author: Eric Blay, Lawyer