Canada: Cyberbullying And The Implications For Insurers

Canada: Cyberbullying And The Implications For Insurers

Article by Michael Blinick and Leona Kung (Student-at-Law)

There can be no doubt that cyberbullying is a new and disturbing development that significantly impacts society these days. In a 2009 General Social Survey, Statistics Canada reported that 7% of adult internet users were cyberbullied.1 It has resulted in various high profile suicides involving teens and has contributed to some of the most horrific events of recent years. 2 A troubling variation of the commonly understood scope of cyberbullying is the sharing online of private and highly intimate videos of a sexual nature that were never intended to be shared publicly, colloquially referred to as ‘revenge porn’. Not surprisingly, this new form of bullying raises new societal issues, including new potential exposure for insurers.

Doe 464533 v. N.D3 and the new tort of Public Disclosure of Private Facts

On January 21, 2016, the Ontario Superior Court released the decision in Doe 464533 v. N.D. representing the first Canadian decision recognizing the new cause of action of “public disclosure of private facts”, an invasion of privacy tort.

In this case, the defendant posted an intimate video of the plaintiff on a pornographic website without her knowledge or consent. The plaintiff had sent the video to the defendant, who was her on-again-off-again boyfriend, on the understanding that it was private. When confronted by the plaintiff, the defendant admitted to posting the video and subsequently removed it from the website. Despite the removal, the plaintiff claimed to have suffered mental injuries as a result of the defendant’s actions and sought compensation for same.

Justice Stinson found that the defendant’s actions caused significant psychological and emotional harm to the plaintiff and awarded her compensatory general damages, aggravated damages and punitive damages totaling $100,000. 4 Although the video was removed, Justice Stinson recognized that there was no way to know how many times it was viewed or downloaded or copied elsewhere. In making his decision, Justice Stinson recognized the current role of technology in perpetuating the invasion of privacy.

The Honourable Justice Stinson cited American legal scholar William L. Prosser, who described the tort of public disclosure of private facts in his article “Privacy”. 5 Justice Stinson essentially adopted the elements of the cause of action enumerated by Professor Prosser, namely: 1) the disclosure of the private facts must be a public disclosure, not a private one; 2) the facts disclosed to be public must be private facts and not public ones; and 3) the matter publicized or the act of the publication would be a) highly offensive to a reasonable person, and b) is not of legitimate concern to the public. 6

Potential Impact of Decision for Insurer’s

With this decision, the court took a step towards responding to the increased awareness regarding the rise of social media and cyberbullying. At the same time, the recognition of this new privacy tort as a cause of action impacts certain insurers and gives rise to a new potential area of exposure. As demonstrated, victims of cyberbullying may now file civil actions against the perpetrator alleging the public disclosure of private facts where private facts, videos, pictures or other private information are shared. If the perpetrator is a child or dependent, then the plaintiff may also commence a claim against the parents of the cyberbully for negligent supervision when there is a failure to control their child or dependent and fails to prevent the harm caused by the child or dependent. Such a negligence claim against the parents has been held to be a distinct claim from the intentional tort claim against the child7 and not derivative from the child’s intentional acts in certain circumstances. 8

If the parents are named in the action, then their homeowners or tenant insurance policy insurer may have to respond. As a homeowner’s insurance policies generally includes both property coverages and liability coverages, including personal liability coverage for the insured’s personal activities worldwide, insurers could have a separate duty to defend. 9 As the duty to defend is triggered by the true nature of claims alleged in the pleadings, 10 it is not relevant, at the initial stage of the inquiry, whether the parents will be proven to be negligent.

It is true that the personal liability coverage from a homeowners’ policy may very likely contain an exclusion clause against providing coverage for an insured’s intentional or criminal acts, thereby excluding coverage for the child’s intentional cyberbullying, or cyber public disclosure of private acts. However, the exclusion clause may not necessarily exclude coverage for claims of negligence or claims of failure to act or supervise, as against the parents.

For example, in Durham District, a negligence claim was advanced against the parents for failing to properly supervise and discipline their son, who had set fire to the contents of his high school’s plastic recycling bin. In this case, the Ontario Court of Appeal interpreted the exclusionary clause in the homeowner’s insurance policy narrowly and construed the ambiguity against the insurer-drafter to hold that negligence claims were not excluded by the clause. Therefore, the insurer had a duty to defend the parents against the negligent supervision claim against them, while the claim against the child’s intentional act was excluded from coverage.

This contrasts with the decision in Unifund Assurance Co. v. E.(D.),11 a recent decision from the Court of Appeal that involved a negligence claim against the parents of a minor for their failure to investigate and take reasonable care to prevent the bullying that their daughter participated in against another minor at their school. As the parents’ homeowner’s policy specifically and unambiguously excluded the “failure of any person insured to take steps to prevent… psychological or emotional abuse” 12, the Court of Appeal held that the negligent supervision claim against the parents was separately and specifically excluded from coverage.

Therefore, absent a specific exclusion clause, a homeowner’s insurance policy may have to respond to negligent supervision claims against the parents where there is a cause of action against their child for the public disclosure of private acts. In Doe 464533, had the plaintiff instituted proceedings against the defendant’s parents for their failure to exercise reasonable supervision at the time of the posting of the video, then their homeowner’s policy insurer may very well have had to defend the parents’ claims even if the child’s intentional acts were excluded from coverage. In light of this, it may be prudent for insurers to reexamine the exclusions clauses in their homeowner’s policy to address the potential for these claims against the parents given the realities of the world that we currently live in and the potential for an increase in the number of claims that insurers could be asked to respond to.

Footnotes

1.Perreault, S, Statistics Canada, Self-reported Internet Victimization in Canada, 2009, (15 September 15, 2011) online:

2.See e.g. CBC News, “B.C. girl’s suicide foreshadowed by video”, (11 October 2012) online: CBC News ; and “Cyber-bullying-linked suicides rising, study says”, (20 October 2012) online: CBC News.

3.Doe 464533 v. N.D, 2016 ONSC 541.

4.Note that this was the amount claimed by the Plaintiff.

5.William L. Prosser, “Privacy”, 48 Cal. L. Rev. (1960).

6.For further details on the decision, see previous McCague Borlack article “New Privacy Tort Recognized in Ontario: Jane Doe 464533 v. X” published in February 2016

7.Durham District School Board v Grodesky, 2012 ONCA 270 at para 14; and Godonoaga (Litigation Guardian of) v Khatambakhsh (Guardian of) (2000), 49 OR (3d) 22 (Ont. C.A.) at para 20.

8.See Durham District, supra note 5.

9.See Godonoaga, supra note 4.

10. Non-Marine Underwriters, Lloyd’s of London v Scalera, [2000] 1 SCR 551.

11. 2015 ONCA 423.

12. Ibid. at para 24.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Cyberbullying Insurance Now Available to Chubb’s Canadian Homeowners Customers

Cyberbullying Insurance Now Available to Chubb’s Canadian Homeowners Customers

Press Release:

Chubb has added cyberbullying coverage to its Canadian Masterpiece® Family ProtectionSM policy to help cover clients and their families from the expenses associated with a cyberbullying incident.

“Technology is an integral part of our daily lives. It connects us and facilitates communication,” said Paul Johnstone, Senior Vice President, Chubb Personal Risk Services Canada. “But technology can also be a gateway to risk. Cyberbullying, including online threats and harassment, can create reputational damage and cause financial loss and emotional harm. Chubb’s new cyberbullying coverage can help protect the people who are most important to you.”

Cyberbullying coverage provides up to $60,000 in compensation to clients and family members for expenses related to harassment and intimidation committed via personal computers, telephones or mobile devices. Clients may recover costs incurred when cyberbullying results in wrongful termination, false arrest, wrongful discipline in an educational institution, or diagnosed debilitating shock, mental anguish or mental injury leading to the inability of the client or a family member to attend school or work for more than a week. The coverage provides compensation for psychiatric services, rest and recuperation expenses, lost salary, temporary relocation services, education expenses, professional public relations services, and cyber security consultants.

Cyberbullying coverage is available to all Canadian Masterpiece® homeowners customers who purchase a Family Protection policy. Chubb’s Masterpiece® Family ProtectionSM policy includes an array of coverages to help families recover and protect themselves from perils including stalking threats, carjacking, home invasion, air rage, hijacking and child abduction.

Coverage is subject to the language of the policies as issued.

About Chubb

Chubb is the world’s largest publicly traded property and casualty insurance company. With operations in 54 countries, Chubb provides commercial and personal property and casualty insurance, personal accident and supplemental health insurance, reinsurance and life insurance to a diverse group of clients. The company is distinguished by its extensive product and service offerings, broad distribution capabilities, exceptional financial strength, underwriting excellence, superior claims handling expertise and local operations globally. Parent company Chubb Limited is listed on the New York Stock Exchange (NYSE: CB) and is a component of the S&P 500 index. Chubb maintains executive offices in Zurich, New York, London and other locations, and employs approximately 31,000 people worldwide. Additional information can be found at: new.chubb.com.

SOURCE Chubb

Cyber insurance business booming alongside hacks, but are the risks covered?

Barbara Shecter | Financial Post

That basic yet key ingredient is all but missing in the growing business of cyber insurance, in which business is booming as the list of hacking incidents from Target to Ashley Madison grows. Add to the mix the ever-changing nature of hacks and different levels of security sophistication among companies, and the challenges mount alongside the opportunities.

“There are many unknowns,” said Nick Galletto, cyber risk services leader for the Americas at Deloitte.

Hacks such as the one that hit adultery website Ashley Madison can give an idea of the cost of the fallout of such an event. But that doesn’t come close to providing the depth of data insurers use to create and measure the underwriting standards when they sell protection against house fires, break-ins and car accidents.

Paul Schiavone, regional head of financial lines in North America at the corporate and specialty division of Allianz Group, said the global insurer is writing cyber insurance policies and is excited about the new line of business.

But he acknowledges the relative lack of data makes it difficult to know if the policies are properly calibrated to the risk when it comes to cyber insurance. “It’s difficult for the insurance industry to even price it,” Schiavone said in an interview.

Still, despite the unknowns, companies including his are anxious to be in the game.

“It’s exciting — that doesn’t happen often in insurance,” Schiavone said.

Terri Mason, who heads up Allianz’s professional indemnity and cyber risk business in Canada, said all insurance underwriting is a blend of science, based on actuarial experience, and art, based on assessing less tangible risk-worthiness. But in cyber insurance, it’s “a little bit more of an art at this point because it is so new and we don’t have that historical data that we do in other types of insurance coverage,” she said.

As a result, insurers will generally charge higher deductibles than they would be for other forms of corporate insurance, so the insurer to offset the risk something unanticipated is lurking.

“I think the cyber market will … look quite different in five or 10 years,” she said, comparing it to the early days of widespread insurance for corporate directors and officers insurance, which gained popularity a couple of decades ago. “Right now we’re all still sort of finding our way and learning as we go.”

Cyber insurance dates back to “Y2K” when it was believed the turn of the century might wreak havoc on computer systems and data storage around the world. But those who track the industry said it has grown substantially in the past couple of years along with the list of corporate and government hacks siphoning off private information to disrupt business or extract financial gain.

For now, many insurance policies primarily cover the costs of business interruption, data destruction, and extortion in cases where malware known as “ransomware” freezes workers out of their own company’s systems unless the company pays the hacker.

But coverage is expanding, with some policies now including extra protection for events such as a regulatory claim stemming from data loss or a breach of standards, according to a recent report from Allianz.

Insurers may also cover breaches related to technology belonging to a third party, but this is limited because of the potential accumulation of risk borne by the insurer, and it would only be offered after a detailed risk analysis, often conducted by a third party, the report said.

Deloitte’s Galletto said headline-making breaches at such companies as Sony, Home Depot, and JP Morgan Chase are masking a more serious and potentially more costly form of cyber attack that is just coming to light, bringing with it greater challenges for both companies and their insurers.

Known in the industry as advanced persistent threats, or APTs, these insidious breaches actually dwarf the headline-makers, Galletto said.

“Most organizations are completely unaware that APTs are present in their environments and potentially siphoning their critical data,” he said. He described the tactics as “low and slow” and therefore difficult to detect using traditional methods.

In one case, he said, a company was outbid in the late stages of a planned acquisition because an APT hack had slowly siphoned off key information to a competitor, undetected.

“The crisis management response required to investigate, contain, eradicate, and recover from an APT is significantly greater than a disruption of service or loss of equipment,” said Galletto.

“This makes it difficult for organizations and insurance companies to know how to plan ahead and how to cover costs that they could never predict.”

Companies turn to cyber insurance after Ashley Madison and other high profile hacks

In the wake of the Ashley Madison hack and other high-profile data breaches, Canadian companies are turning to so-called cyber insurance to protect themselves from the fallout of data leaks.

In July, adultery website Ashley Madison made headlines after hackers broke in to the company’s network and leaked customers’ personal information, including their messages to other members and sensitive financial data.

The ensuing class-action lawsuit – and founder and CEO Noel Biderman’s decision to step down in late August – were the latest in a series of incidents that experts say represent a wake-up call for executives about the real-world consequences of digital vulnerabilities.

Duncan Stewart, director of technology research at Deloitte, said the past year has seen a surge in awareness about cyberattacks, and companies are turning to insurers to prepare for what seems an inevitability in an increasingly interconnected world.

“The number of attacks are rising, the severity is rising, and when they come, they’re more difficult to deal with,” he said.

There is no legal requirement for companies to report a hack in Canada, making the true number difficult to determine, but security company Websense said in August 2014 that 36 per cent of Canadian businesses had observed a breach in their IT security last 12 months.

In a KPMG survey of Canadian property insurance executives, data security even beat out unexpected catastrophic events as the third-biggest risk facing Canadian companies in 2015 after regulatory burdens and low interest rates.

Stewart compared significant breaches like the Ashley Madison hack to automobile collisions that result in a total write-off, yet he said companies also require coverage for the small attacks and fender-benders of cybersecurity that happen far more often.

Insurance against cyberattacks is now just a part of the cost of doing business, he said.

“You wouldn’t have a factory and not have fire insurance, so why would you think about not having cyber insurance?”

Technology analyst Carmi Levy said in an email that insurance providers are stepping in to meet the needs of companies as they find themselves handling more and more data on behalf of their clients and suppliers.

“In the process, they are increasingly liable for what happens when hackers manage to break in and snag some of that data,” he said.

Insurance expert Paul Kovacs, president and CEO of the industry-funded oversight body PACICC, said insurance companies are expanding their offerings to provide more than just compensation and protection from liability in the event of a cyberattack.

“When this happens, you are going to need professional help with communications, with forensic investigation, with restoring your systems and putting the protections back in,” he said.

Kovacs pointed to the example of Sovereign General, part of the Co-Operators Group, which offers coverage for privacy breaches, business interruptions, extortion, and data recovery stemming from a cyberattack, as well as crisis management services.

He said companies and organizations used to dealing in sensitive information, such as hospitals and financial institutions, were among the first to become targets and have developed comprehensive cybersecurity policies.

Yet what used to be a concern just for the obvious targets is now a business risk for almost everyone, he said, and it’s not just customer data that’s at risk.

In July, security company Symantec issued a report detailing the “Butterfly” hacking group that it said is responsible for at least 40 attacks since 2012 meant to steal trade secrets and industrial data in order to sell it to the highest bidder.

Kovacs said industrial espionage is spreading out from the large companies that have long been in the crosshairs as hackers become more sophisticated.

“Now, they’re still going after the big companies but they’re going after the mid-size companies and even some relatively small companies,” he said. “The threat is spreading.”

 

Marsh: More German firms turning to cyber insurance

Reuters

Reporting by Jonathan Gould and Andreas Kroener, editing by William Hardy

The rising number of hacking attacks is prompting more companies in Germany to seek cyber insurance protection, insurance broker Marsh said on Tuesday.

While cyber premiums in Germany are expected to be worth only around $10 million this year – compared with $2 billion in the United States – the German market is expected to grow by 30 percent per year in the future, Marsh estimated.

“We are seeing a wave of enquiries that will lead to many more contracts in the coming months,” the head of Marsh’s German business Georg Braeuchle told a news briefing.

Many insurers see cyber as a key growth area at a time when premiums in other types of insurance are under pressure due to chronic over supply of insurance availability.

However, insurers are also advancing cautiously and will not cover all the losses a company could face from a cyber attack.

Marsh has brokered 46 contracts so far this year in Germany, compared with 20 in all of 2014, with industrial espionage and hacking attacks – such as one that forced the German parliament to switch off its entire computer system – helping to raise awareness.

“People are more conscious of the vulnerability of their own IT departments,” Braeuchle said, pointing out that interest was coming not just from online companies but also manufacturers, banks and health care providers.

Around 15 insurers are active in the German market, including Allianz, Axa, Hiscox, Ace , AIG, Talanx, Munich Re, XL Catlin and Zurich, allowing individual clients to take out up to 500 million euros ($562 million)in cyber risk cover.

Cyber insurance is still finding its feet in Germany, with buyers and sellers working to get to grips with pricing and risk, but at least one damage claim of nearly 100,000 euros has been paid already in a telephone hacking incident, Marsh said, without giving details.

Credit rating agency Standard & Poor’s on Tuesday said it would not look favourably on banks that relied solely on cyber insurance as protection against hacking.

“We view weak cyber security as an emerging threat that has the potential to pose a higher risk to financial firms in the future, and possibly result in downgrades,” Standard & Poor’s said. ($1 = 0.8897 euros)

Cyber-insurance: What you need to know?

By Roland Hung | Canadian tech law blog

A question that I often get from clients is one about cyber-insurance. In light of the recent passing of Bill S-4, better known as the Digital Privacy Act, the Personal Information Protection and Electronic Act (“PIPEDA”) has now been amended to include mandatory breach notification provisions. While these mandatory breach notification provisions are not yet in force, it is a good time to review your cyber-insurance coverage.

As data breach incidents continue to rise, and legislative regimes provide more and more stringent regulation of data breaches, including the proliferation of mandatory breach notification provisions, the expense associated with data breaches also rises. Estimated costs of dealing with a data breach, even to resolve a potential attack, or an attempted breach, have been as high as $600 000. Costs can be incurred as a result of forensic and investigative activities, assessment and audit services, crisis team management, and the necessary internal and external communications. As these incidents increase in number, scope, and impact, organizations are looking to transfer the risk associated with informational security breaches.

The most common way of transferring risk is by obtaining insurance policies: if the risk is insurable, the risk is transferable. Cyber and privacy insurance has been available on the market for the last decade, covering organizations’ liability for a data breach in which the organization’s or customers’ information is lost or stolen. Marsh Inc., a global insurance broker, said that the number of organizations that purchased cyber insurance in the US increased by 33% from 2011 to 2012, and that cyber insurance is currently the fastest growing area of commercial insurance in the world. Policies vary, with cyber insurance offered as an add-on or included in more generally policies, or sold as a distinct product. Marsh Inc. also noted that the lesser growth of cyber insurance in Canada compared to the US is likely due to the higher number of mandatory breach reporting regimes in the US.

Coverage

An important preliminary note on cyber insurance is that cyber insurance is often confused with technology errors and omissions insurance (commonly called “Tech E&O” insurance). Tech E&O insurance protectsproviders of technology services or products, such as software designers and manufacturers, whereas cyber insurance protects consumers of those products and services.

Generally, cyber insurance is divided into first party coverage protecting the policyholder, and third party coverage protecting from third party claims against the policyholder. First party policies may cover:

(a) The costs associated with determining the scope of the breach and taking steps to stop the breach;

(b) The costs of providing notice to individuals whose identifying information was compromised;

(c)  Public relations services to counteract the negative publicity that can be associated with a data investigation;

(d)  The costs of responding to government investigations;

(e)   The costs of replacing damaged hardware or software;

(f)    The costs of responding to parties vandalizing the company’s electronic data; and

(g)    Business interruption costs.

Third party policies may cover:

(a)   Liability for permitting access to identifying information of customers;

(b)   Transmitting a computer virus or malware to a third-party customer or business partner;

(c)    Failing to notify a third party of their rights under the relevant regulations in the event of a security breach; and

(d)    Potential “advertising injury,” i.e., harms through the use of electronic media, such as unauthorized use or infringement of copyrighted material, as well as libel, slander, and defamation claims.

Cyber insurance can also cover specifically the crisis stage of a data breach. This could include any expenses related to the management of the incident, such as investigation, remedial steps, required notifications, call and public relations management, credit checks for the subjects of the data, and any legal costs including fines or the costs of running a suit.

Limitations of Coverage: Relevant Considerations

It is important to determine the extent to which your organization’s cyber insurance policy will protect against liability for breaches. Because all insurance policy coverage is dependent on the particular terms and conditions in the policy at issue, organizations looking to obtain cyber insurance should consider a number of questions, including those detailed below. In general, organizations should ensure that their response plan to a potential or actual breach is consistent with their insurance policy.

Subscribe To Our Newsletter

Join our mailing list to receive the latest news and updates from ILSTV

You have Successfully Subscribed!

Pin It on Pinterest