2020: CAS whistleblower acquitted.
After a four-month investigation, Kelley Denham was charged with hacking and identifying children involved in court proceedings, when in fact she did neither, and earlier this week Ontario Court Justice Charles D. Anderson acquitted her of all charges and cleared her name after trial.
The judge noted that the CAS did not take appropriate measures to secure private information. The judge also noted there were no special computer skills or deception required to access the files, which were not marked as confidential and came with no warnings or disclaimers.
The information was publicly available, the judge ruled. He said there was no hacking and Denham didn’t break any Children’s Aid Society (CAS) laws about identifying children involved in court proceedings.
2016: Det.-Const. David Rakobowchuk interrogates Kelley Denham
'It was four years of my life on hold'
— 2020: CAS whistleblower cleared of hacking charges
https://youtu.be/vsc4pSvvk54
https://ottawa.ctvnews.ca/names-of-285-people-referred-to-children-s-aid-in-lanark-leeds-and-grenville-posted-online-1.2865944
https://www.recorder.ca/news/local-news/cas-whistleblower-acquitted
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
2016: TORONTO -- An eastern Ontario children's aid society is facing a $75 million lawsuit after a cyber attack resulted in a list of client names being stolen and shared on local Facebook groups.
Names of 285 people referred to children's aid in Lanark, Leeds and Grenville posted online...
In a news release, Det.-Const. David Rakobowchuk says a conviction could result in up to 10 years in jail in addition to the five-figure fine.
He said the accused have been released from custody and are scheduled to appear in Perth court on October 3.
Police believe the suspects accessed the FCS computer system and obtained multiple documents but only posted the one online.
Class action filed after privacy breach at one Ontario children's aid office
https://ottawa.ctvnews.ca/class-action-filed-after-privacy-breach-at-one-ontario-children-s-aid-office-1.2875478
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Affidavit of a Little Fish Paperback
“Crash, bang.” I spring out of bed. Two of them are in my bedroom. They escort me to my kitchen where I see my husband, restrained. They sit us both in chairs. It is two-thirty in the morning. I notice some broken wood on my kitchen floor. “Did you kick down my door?” I ask. “Yes,” one replies. I can hear the other two in my bedroom. They are going through our stuff. We are not allowed to know what’s going on in there. One of them goes upstairs. My kids are sleeping up there. I ask to go up with him. They say no. It seems like hours before he comes back down. They start taking things from the house. The police officers leave. I immediately check on my kids. It appears they slept through all of it. Relief. I call a lawyer right away. From a normal mom of four to an accused hacker facing years in jail overnight, this is my real-life true account of how a pocket-dial changed my family’s life forever and how I fought back to protect them.
https://www.amazon.ca/Affidavit-Little-Fish-Kelley-Denham/dp/B08Z9VZXD1
Ontario Court of Appeal Upholds Data Exclusion Clauses in CGL Policies – No Duty to Defend.
The key takeaway for businesses is that in order to be properly insured against cyber-attacks, a cyber liability policy or endorsement is necessary. Cyber-attacks will not likely be covered by Commercial General Liability or crime policies.
Cyber Liability is a relatively new area of Canadian insurance law dealing with cyber-attacks including various forms of fraud perpetrated online. The issues generally involve the types of insurance policies which will respond to cyber-attacks, what types of losses are covered, and particularly the amount the insurer has agreed to cover in the event of a successful cyber-attack.
Cyber Liability Prior to FCSLLG v. Co-operators
The issue of determining whether a cyber-attack is covered under a policy was first dealt with in Canada in 2017 in The Brick Warehouse LP v. Chubb Insurance Company of Canada.[1]
In that case, fraudsters pretending to be a new employee of Toshiba tricked a Brick employee into providing them with payment information that was later used to convince Brick employees that Toshiba had changed banks. The fraudsters provided new banking details resulting in $338,322.22 being transferred to the fraudsters instead of Toshiba.
The Brick submitted a claim to its insurer for the funds it was unable to recover from the fraudsters under a policy intended to protect against various forms of crime including “funds transfer fraud”. The Court found that “funds transfer fraud” was intended to catch situations where the fraud was a result of a third-party fraudster impersonating an employee of the Brick, but not situations where the Brick employee knew about and consented to the transfer of funds, even where they were duped.
This did not provide much guidance on cyber liability policies given that a cyber policy was not at issue and the Court’s analysis was based on an interpretation of the plain and ordinary meaning of the phrase “funds transfer fraud”.
Enter the Ontario Court of Appeal decision Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company.[2]
FCSLLG v. Co-operators, Canada’s First Real Judicial Interpretation of a Cyber Liability Policy
FCSLLG v. Co-operators was released on March 15, 2021. Family and Children’s Services of Lanark, Leeds and Grenville (“FCS”) was hacked in April 2016. The unidentified hacker stole confidential reports which were allegedly leaked onto two Facebook pages. Following the leak, a class action was commenced against FCS seeking $75 million in damages. FCS initiated a third-party claim against Laridae, the company that was retained to revise FCS’ website.
Importantly, as part of the contract to revise FCS’ website, Laridae was required to acquire a Commercial General Liability (“CGL”) policy which would name FCS as an additional insured, which it did.
At the time of the hack, Laridae had two policies of insurance with Co-operators:
1) a CGL policy wherein FCS was named as an additional insured; and
2) a Professional Liability Policy.
Laridae filed claims through both policies and FCS brought a claim through the CGL policy. Co-operators denied coverage under both policies relying on data exclusions.
History of Proceedings
FCS, Laridae, and Co-operators brought applications regarding the interpretation of the policies.
The Application Judge concluded that the claims in which FCS and Laridae sought coverage were broad and comprehensive and not limited to the distribution of the reports on the internet, including, for example, damages for non-electronic distribution of the reports or other private information.
Her Honour further found that the denial of a duty to defend was too important to be determined on an Application, that there was a possibility of coverage in this case, and that there was a conflict of interest due to competing interests between FCS and Laridae. As such, it was the Application Judge’s opinion that Co-operators was required to fund the defences of FCS and Laridae each with independent counsel, neither of whom would report to Co-operators.
The Exclusionary Clauses in the CGL Policy
The CGL policy excluded coverage for personal injury “arising out of the distribution or display of “data” by means of an Internet Website”. Data was defined as “representations of information or concepts in any form.”[3]
This “data exclusion” was the basis upon which Co-operators denied a duty to defend FCS and Laridae under the CGL policy, as the fraudster had hacked the website to obtain the confidential reports and Co-operators took the position that this scenario fell squarely within the data exclusion.
The Exclusionary Clauses in the Professional Liability Policy
The Professional Liability Policy provided similar coverage and exclusions as the CGL policy. This policy also had a data exclusion clause which indicated that coverage would not be afforded for any claims made against Laridae arising from the distribution or display of “data” by means of an Internet Website.[4]
Co-operators also relied upon this data exclusion clause to deny it had a duty to defend Laridae from the third-party claim by FCS.
The Appeal
Co-operators appealed the decision arguing that the duty to defend issue could be properly determined by way of Application without a full trial as it is an issue of law and the facts are not in dispute. Further, Co-operators argued that the data exclusion clauses meant that it was not obligated to defend FCS from the class action or Laridae from the third-party claim. In the alternative, if a duty to defend did exist, Co-operators argued that it had a right to participate in the defences of FCS and Laridae as per the usual course.
The Duty to Defend and an Insurer’s Right to Participate in the Defence of an Insured
The Court held that the data exclusions were clear and unambiguous, and that Co-operators did not have a duty to defend FCS and Laridae. It commented in obiter that even if Co-operators did have a duty to defend, allowing it to participate in the defence was a fair balance between the insureds’ right to a fair trial and Co-operators’ right to control the defence because of its potential ultimate obligation to indemnify.
Key Takeaways
The major takeaway here is that in order to be covered for cyber-attacks, an insured will most likely need either a distinct cyber liability policy or a cyber liability endorsement or rider. While there may be room for “all risks” policies to cover cyber-attacks, it is important for an insured to consult with their broker about whether such a policy has coverage for online attacks or conversely if there are data exclusions similar to the ones found in this case.
The other takeaways are that if a loss is caught by these types of broad data exclusion clauses[5] then it may not trigger an insurer’s duty to defend, and in the event that an insurer has contracted with distinct parties in an action who have competing and/or conflicting interests, the insurer should still have the right to participate in both their defences given that it is the party ultimately responsible for indemnifying both insureds. The Court indicated that in these cases, it would be appropriate to establish a joint protocol for the management of documents and litigation similar to that ordered in Markham (City) v. AIG Insurance Company of Canada.[6]
[1] 2017 ABQB 413 (CanLII) (the “Brick”).
[2] 2021 ONCA 159 (CanLII) (“FCSLLG v. Co-operators”).
[3] The relevant exclusionary clauses under the CGL policy can be found at para 32 of the Court of Appeal’s decision:
[4] FCSLLG v. Co-operators at para 37.
[5] Excerpts of the wording for the relevant policies and data exclusions can be found at paras 32-28 of the Court of Appeal’s decision.
[6] 2020 ONCA 239, 445 D.L.R. (4th) 405.
https://canliiconnects.org/en/summaries/73734
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
Appellate Court rules on cyber breach class action coverage dispute.
Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company, 2021 ONCA 159 (CanLII)
On March 15, 2021, the Ontario Court of Appeal released its decision in Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company. This proceeding arose out of three separate applications dealing with the duty to defend, which were heard together.
Family and Children’s Services of Lanark, Leeds and Grenville (FCS) claimed that it was hacked in April 2016, and confidential reports were allegedly leaked onto two Facebook pages. Prior to this incident, FCS had hired Laridae Communications (Laridae) to refresh and review the FCS website. FCS and Laridae were both insured by Co-operators General Insurance Company (Co-operators). Following these alleged unintended disclosure incidents, a class proceeding was commenced against FCS seeking damages of $75 million. FCS also brought a third-party claim against Laridae.
Co-operators denied coverage to both FCS and Laridae, based on exclusion clauses in the policies, which excluded claims arising from the distribution or display of data by means of an internet website. FCS and Laridae claimed Co-operators had a duty to defend their interests in the class action and began applications. Co-operators brought a separate application for an order that it had no duty to defend Laridae in the class action.
The application judge found that she could not interpret the exclusion clauses at the application because it was a novel interpretive issue and required a full record. However, she still concluded that the exclusion clauses did not exclude Co-operators’ duty to defend either FCS or Laridae. She further held that neither FCS nor Laridae had any reporting obligations to Co-operators, due to a conflict of interest between the two insureds and the insurer.
There were three issues on appeal: (1) whether the duty to defend could be denied on application; (2) whether Co-operators had a duty to defend; and (3) whether, if Co-operators had a duty to defend, it would have the right to participate in the defence.
On the first issue, the Court of Appeal disagreed that the matter could not be dealt with by way of an application. According to the Appellate Court, there were no material facts in issue requiring a trial, as this was a simple matter of contract interpretation.
On the second issue, the Court of Appeal was critical of the application judge’s analysis of the duty to defend. The Court of Appeal held that Co-operators owed no duty to defend either FCS or Laridae because the exclusion clauses at issue were unambiguous and the claims asserted by the applicants were covered by the clear language of the exclusion clauses. Further, the court found that the policies at issue were not intended to insure against all risks and clearly articulated what was covered and not covered.
While the third issue on appeal did not require review given the court’s ruling, the court commented that the onus is always on the insured to establish a reasonable apprehension of conflict of interest on the part of the insurer.
While this decision affirms the importance of contract interpretation principles on a coverage dispute, the decision is a reminder that the principle of contra proferentem has no application where the language of the policy is found to be clear and unambiguous.
https://www.pallettvalo.com/articles/ontario-court-of-appeal-upholds-data-exclusion-clauses-in-cgl-policies-no-duty-to-defend/
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::