Ontario appeal court criticizes lower court for not ruling on duty to defend by way of application
The ruling in Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company, 2021 ONCA 159 may open up avenues for insurers to seek declaratory relief in coverage disputes, an insurance defence lawyer says.
Insurance lawyers interpreting non-cyber and cyber policies can benefit from reading this case, which identifies the type of exclusion that the court will consider clear and unambiguous and which clarifies that findings as to whether an exclusion is clear and unambiguous can and should be made by lower courts on applications, says Mikel Pearce of Strigberger Brown Armstrong LLP to Canadian Lawyer.
“Certainly, it will be very helpful to reference the fact that the Court found the two exclusions to be ‘clear and unambiguous’ and that the Court of Appeal criticized the lower court for essentially refusing to render a decision despite the applicable Rule empowering it to do precisely that,” says Pearce.
In April 2016, a hacker accessed a password-protected portal managed by Family and Children’s Services of Lanark, Leeds and Grenville (FCS), a children’s aid society. The hacker caused the posting on two Facebook pages of a hyperlink to a confidential report with sensitive personal information about case files and investigations of 285 individuals.
Co‑operators General Insurance Company insured both FCS and Laridae Communications Inc., a company FCS retained pursuant to a contract for the provision of communications and marketing services, under a commercial general liability policy. Laridae was also insured under the insurer’s professional liability policy.
Both insurance policies contained exclusion clauses, with the commercial general liability policy excluding claims arising out of the distribution or display of data by means of an internet website and with the professional liability policy excluding claims arising directly or indirectly from the distribution or display of data.
FCS and Laridae claimed that the insurer had a duty to defend them against two claims: first, against a $75 million class action initiated against FCS in July 2016 wherein the representative plaintiff alleged that FCS was negligent in securing its website and that the leaked document contained defamatory material and, second, against a third-party claim brought by FCS against Laridae in May 2018 for negligence in its provision of professional services and for breach of contract.
The insurer denied having any duty to defend FCS or Laridae on the basis of the data exclusion clauses. The insurer, FCS and Laridae filed applications for the interpretation of the policies pursuant to Rule 14.05(3)(d) of the Ontario Rules of Civil Procedure, R.R.O. 1990, Reg. 194.
In May 2020, the application judge found that the insurer had a duty to defend both claims and that the issue should not be denied on an application because the applicability of the data exclusion clauses was a novel issue of interpretation. The application judge did not rule upon the issue of whether the policies’ provisions or the exclusion clauses were ambiguous.
The Court of Appeal for Ontario held that the existence of a duty to defend could be resolved by application and allowed the appeal. The appellate court ruled that the insurer had no duty to defend either FCS in the class proceeding or Laridae in the third-party claim because the policy provisions and the exclusion clauses were unambiguous, because all the claims asserted in the proceedings were covered by the clear language of the exclusion clauses and because denial of coverage would not nullify the policies.
The appellate court stressed that the contra proferentem rule in Tedford v. TD Insurance Meloche Monnex, 2012 ONCA 429 is applicable for resolving ambiguities and not applicable where the policy is clear and unambiguous on its face, as in this case. The data exclusion clause clearly excludes claims arising from the display and distribution of confidential personal information on the internet, so there is no coverage for the defence of both the class action and the third-party claim, the appellate court found.
The appellate court also ruled that the application judge could and should have addressed the issues by way of application on the basis of the materials before her. The relevant service agreements and policies were in the record, and there were no material facts that required a trial, the appellate court said.
Pearce authored a blog post covering the case, titled “Clarity on the ‘Data’ Exclusion and the Duty to Defend.”
“Conventional insurers can point to this decision and rely on it to prevent insureds from trying to make what are really cyber or privacy claims against conventional policies,” Pearce wrote in the blog post. “Cyber insurers can point to this decision to assist them in selling additional policies and to further cement the idea that conventional policies are not designed to cover cyber or privacy risks, and that conventional policies now in fact exclude those risks if they contain a properly worded data exclusion.”