In a recent decision an Ontario court found that an insurer has a duty to defend both the main action and a third party claim in a privacy class action stemming from the disclosure of an allegedly defamatory report authored by the Family and Children Services of Lanark (“FCS”). The report was stored in a secured portion of the FCS website prior to being exposed by a hacker and posted on various internet sites viewable by the general public. The individuals whose personal information was exposed in the report initiated a class action against, among other parties, FCS and Laridae Communications Inc. (“Laridae”).
Laridae, a third party in the class action, was retained by FCS to ““review and refresh” FCS’s website to ensure that the new website and its components are compliant with privacy and other legislative requirements”.
The insurer in question issued two policies to Laridae; a CGL policy and an E&O policy. The insurer admitted that the claims would be covered by the policies, but for the application of the “data” exclusions in each policy, which differed significantly.
The relevant exclusions provided as follows, according to the decision:
The “data exclusion” clause contained in the E&O Policy provides as follows:
There shall be no coverage under this policy in connection with any claim based on, attributable to or arising directly, or indirectly from the distribution or display of “data” by means of an Internet Website, the Internet, an Intranet, Extranet, or similar device or system designed or intended for electronic communication of “data”.
The“ data exclusion” clause contained in the CGL Policy (wherein Laridae is the primary insured and FCS is an additional insured) states:
- Liability for:
- erasure, disruption, corruption, misappropriation, misinterpretation of “data”;
- erroneously creating, amending, entering, deleting or using “data”;
Including any loss of use therefrom;
- “Personal injury” arising out of the distribution or display of “data” by means of an Internet Website, the Internet, an intranet, extranet, or similar device or system designed or intended for electronic communication of “data”.
All parties agreed that these specific exclusions had not been interpreted by any court in a prior decision. Despite that, the insurer brought an application for a declaration that it did not have a duty to defend either Laridae or the FCS in the class action.
The Court started from the proposition that as long as there is a “possibility” that one or more of the claims being brought might be covered by the applicable policy, then the insurer would have a duty to defend. The Court noted that the claims being advanced were quite broad and went well beyond simple publication or distribution of data. Based on the broad spectrum of allegations and claims, the Court found that there were at least some claims in the statement of claim that were possibly covered, and as such found that the insurer owed a duty to defend.
The Court also found that given the lack of any jurisprudence on the application of the data exclusions, it was not prepared to accede to the insurer’s denial of a duty to defend at a preliminary stage, and stated that any such determination should be made with a more fulsome record. Considering this position, one wonders what might have been missing from the record before the court in the present applications.
Having found that the insurer owed the Defendants a duty to defend, the insurer was order to pay for counsel of the insured’s choice, and that counsel has no obligation to report to the insurer.
See: Laridae v. Co-operators, 2020 ONSC 2198