COURT FILE NO.: CV-21-00762487-0000
DATE: 20230501
SUPERIOR COURT OF JUSTICE – ONTARIO
RE: AVIVA INSURANCE COMPANY OF CANADA
Applicant
AND:
8262900 CANADA INC. O/A CAREPARTNERS/COMMUNITY NURSING SERVICES FOUNDATION
Respondent
BEFORE: Koehnen J.
COUNSEL: Christopher R. Dunn, for the Applicant
Geoffrey D. E. Adair, K. C., for the Respondent
HEARD: April 27, 2023
ENDORSEMENT
Overview
[1] This application involves a dispute between an insurer and an insured about the scope of coverage in a commercial liability policy. The specific issue concerns the interpretation of a Data Exclusion Endorsement to the policy.
[2] The insurer says the Data Exclusion Endorsement relieves it of the duty to defend and the duty to indemnify the insured in the underlying action. The insured disagrees. For the reasons set out below, I find that the Data Exclusion endorsement relieves the insurer of the duty to defend and duty to indemnify with respect to personal injury claims but does not relieve the insurer of those duties with respect to claims for bodily injury. Given that both parties agree that the underlying claim involved allegations of bodily injury, the insurer has a duty to defend and a duty to indemnify the claims for bodily injury in the underlying action.
The Facts
[3] The applicant, Aviva Insurance Company of Canada (“Aviva”) is an insurance company which issued a commercial liability policy to the respondent CarePartners Community Nursing Services Foundation (“CarePartners”).
[4] CarePartners is one of Canada’s largest providers of home health care services. As part of its operations, CarePartners receives personal information of employees and clients.
[5] In June 2018, computer hackers broke into CarePartners’ computer system and exfiltrated an unknown amount of unencrypted computer data. The hackers demanded a ransom and threatened to publicize the information if CarePartners did not pay.
[6] When CarePartners did not pay the ransom, the data was posted on a website. The hackers then made the data available to anyone who paid the hackers a specified fee. The data was downloaded from this site up to 1000 times. The data contained the personal information of up to 80,000 CarePartners' staff and patients going back to 2010. It included phone numbers, addresses, dates of birth, health care numbers, medical histories, care plans, credit card numbers, credit card expiry dates, T4 tax slips, social insurance numbers, bank account details, and plaintext passwords.
[7] The data breach led to a class action against CarePartners in the Ontario Superior Court of Justice. The class action ultimately settled for a payment of approximately $3.4 million which settlement was approved by this court in March, 2022.
[8] Aviva acted in good faith in response to the class action and agreed to defend and indemnify CarePartners without prejudice to its right to take the position in a later proceeding that it was not obliged to respond to the class action. This application is that later proceeding. In this application, Aviva seeks a declaration that it did not owe any duty to respond to the class action and seeks an order requiring CarePartners to reimburse Aviva for monies Aviva expended on the defence and settlement of the class action.
Legal Analysis
[9] Aviva agrees that, at a first stage, the coverage provisions in the policy for bodily injury and personal injury would require it to defend and indemnify CarePartners in the class action.
[10] Aviva submits, however, that this prima facie coverage is reversed by Endorsement No. 4 to the policy which is a “Data Exclusion Endorsement.” The endorsement, in its entirety, provides:
This insurance does not apply to any liability for:
Erasure, destruction, corruption, misappropriation, misinterpretation of Data;
Erroneously creating, amending, entering, deleting or using Data; including any loss of use arising therefrom.
Additionally, this insurance does not apply to any personal injury or advertising injury, if otherwise insured, arising out of the distribution or display of Data, by means of an Internet Website, the Internet, an intranet, extranet, or similar device or system designed or intended for electronic communication of Data.
Further, where used in this endorsement the term Data means representations of information or concepts, in any form.
[11] Aviva says that, in Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company[^1] (“Lanark”) the Ontario Court of Appeal considered an almost identically worded endorsement and found that the endorsement relieved the insurer of a duty to defend or indemnify in a class action that arose out of circumstances substantially similar to the ones that CarePartners experienced.
[12] I do not read Lanark as broadly as Aviva does. In Lanark, the Court of Appeal focused solely on the second part of the exclusionary language of the Data Exclusion Endorsement. The equivalent language in the Aviva policy is the portion of the endorsement which reads:
Additionally, this insurance does not apply to any personal injury or advertising injury, if otherwise insured, arising out of the distribution or display of Data, by means of an Internet Website, the Internet, an intranet, extranet, or similar device or system designed or intended for electronic communication of Data.
[13] Although the language of that portion of the exclusion was worded slightly differently in Lanark, the differences are immaterial. This second part of the exclusion does excuse Aviva from duties to defend and indemnify for personal injury claims in the class action because those claims clearly “arise out of the distribution or display” of data on a website.
[14] Although this portion of the exclusion excludes “personal injury” coverage it does not exclude “bodily injury” coverage. Aviva submits that bodily injury coverage is excluded by the first part of the Data Exclusion Endorsement. I do not agree with Aviva’s submission in this regard and read the first part of the exclusion differently.
[15] I note to begin with that the first part of the Data Exclusion Endorsement in Lanark was worded identically to the Data Exclusion Endorsement in the CarePartners policy. However, neither counsel nor the court in Lanark addressed this part of the exclusion. It appears that the second part of the exclusion was sufficient to deal with the entire case in Lanark.
[16] I repeat the relevant language of the first part of the exclusion for convenience:
This insurance does not apply to any liability for:
- Erasure, destruction, corruption, misappropriation, misinterpretation of Data;
The relevant act here is misappropriation.
[17] CarePartners submits that the class action did not seek to hold CarePartners “liable for”, misappropriation. Rather, the class action sought to hold CarePartners liable for its failure to safeguard the data.
[18] Whether there is a duty on an insurer to defend or indemnify is determined by the allegations pleaded and facts found in the underlying claim, read together with the terms of coverage provided by the insurance policy.[^2] On my reading of the statement of claim, it seeks to hold CarePartners “liable for” negligence. Paragraphs 14 to 18 of the statement of claim state:
CarePartners was, and is, obliged to secure and safeguard the employee and patient Personal Information in its custody or control, much of which was stored electronically on CarePartners' computer network.
At all times, CarePartners was obliged to have effective, current and robust cyber security protective measures in place to secure all of the patient and employee Personal Information which it collects and stores, including protection from attack by malicious third parties intent on exfiltration of the Personal Information for improper purposes.
CarePartners failed to do so. Its cyber security protective measures, if any, were antiquated, inadequate, unreasonable, and readily penetrable by third parties. CarePartners even failed to encrypt the Personal Information stored on its computer network, which was a patent breach of the relevant standard of care that it was obliged to meet to protect the Class Members' privacy.
As a result of CarePartners' cyber security failures, in breach of its duty of care owed to the Class, at some time in or about 2018, the Breach occurred, wherein hackers gained unauthorized access to CarePartners' computer network, …
[19] After describing the data breach and the publication of data, the statement of claim states in paragraphs 63:
The defendant is liable to the Patient Subclass Members for negligence, intrusion upon seclusion, breach of the PHIPA,[^3] breach of contract, and breach of the Consumer Protection Act.
[20] The claim then goes on over three and a half pages to particularize the allegations of negligence against CarePartners.[^4] It deals with the tort of intrusion upon seclusion and the breach of the PHIPA in one relatively short paragraph each. The essence of even those claims relates back to CarePartners’ negligence in the way it maintained the data.
[21] Aviva responds to this argument by referring to case law that requires courts to focus on the underlying substance and true nature of the claim for damages. It quotes from Lanark as follows:
Moreover, even if the class action did include an allegation that physical copies of Report were taken or created, which it does not, the substance and true nature of the claim for damages arises from the wrongful appropriation of confidential personal information and posting it on the internet. There is only one chain of causation as all injury flows from the display or distribution of physical copies follows from the first wrongful act.
The data exclusion clause excludes claims that arise from the display and distribution of the confidential personal information on the internet. All of the injuries pleaded in the third-party claim arise, ultimately, from the distribution of the Report on the internet. There is only one chain of causation. As in the class action, the substance and true nature of the claim for damages arises from the wrongful appropriation of confidential personal information and posting it on the internet. (Emphasis added by Aviva)
[22] Aviva asks me to adopt that analysis here and conclude that the class action flows from the misappropriation of data and is therefore excluded by the first part of the Data Exclusion Endorsement. In a similar vein, Aviva referred me to other cases that speak to the need for courts to focus on the proximate cause, root cause or causa causans of the loss to determine whether coverage applies.
[23] What Aviva’s submission misses, in my view, is that when courts deal with the concept of proximate cause in insurance cases, they are almost always dealing with policy language that refers to a claim “arising out of” a particular insured or uninsured risk. That was also the case in Lanark where the Court of Appeal made the statements quoted above in the context of its analysis of the second part of the Data Exclusion Endorsement to the effect that the policy
does not apply to any personal injury or advertising injury, if otherwise insured, arising out of the distribution or display of Data, by means of an Internet Website
[24] The key phrase in that second part of the endorsement is “arising out of”. If the class action “arises out of” the display of data on a website, it is excluded.
[25] If the first part of the Data Exclusion Endorsement had used similar language with respect to misappropriation and said that the policy does not apply to “any claim arising out of misappropriation of data” Aviva’s argument would have considerable force. The endorsement does not, however, say that. Instead, it says:
This insurance does not apply to any liability for… misappropriation … of data.
[26] Aviva clearly used two different forms of expression in the Data Exclusion Endorsement. In the first part of the Endorsement it excluded “liability for misappropriation.” In the second part of the endorsement it excluded “personal injury arising out of the distribution or display of data” on the Internet. Those different forms of expression have different meanings. The first form has a narrow meaning. The second has a much broader meeting. The broader exclusion, however, applies only to personal injury and not to bodily injury.
[27] It is well accepted that coverage provisions in a policy of insurance are interpreted broadly, and exclusion clauses are interpreted narrowly.[^5]
[28] The expression “liability for” is a simple and clear. An insured can be liable for negligence, fraud, misappropriation or any one of a myriad of other causes of action. The class action did not seek to hold CarePartners “liable for” misappropriation. It sought to hold CarePartners “liable for” negligence in failing to adequately protect the data.
[29] It would not be appropriate, in my view, to go beyond the plain meaning of the first part of the endorsement and import into it the words “arising out of” or the analysis surrounding those words when they simply are not there.
[30] In Lanark, the Court of Appeal set out the following rules of interpretation with respect to insurance policies:
a. When the policy language is unambiguous, the court should give effect to that language, reading the policy as a whole;
b. Where the language of the policy is ambiguous, general rules of contract construction apply and the court should prefer interpretations of the policy that are consistent with the reasonable expectations of the parties. Courts should avoid interpretations that would give rise to a result that is unrealistic; and,
c. Only when the rules of contract construction fail to resolve the ambiguity, courts will construe the policy against the insurer who drafted the policy. This means that coverage provisions are interpreted broadly, and exclusion clauses narrowly.[^6] (Citations omitted)
[31] In my view the language of the data Exclusion Endorsement is unambiguous. It provides a narrow exclusion for certain types of liability and a broader exclusion for other types of liability. In my view it is not necessary to go beyond the first of the three steps set out in Lanark.
[32] Aviva has introduced evidence to show that there are insurance products available in Canada that provide specific coverage for cyber breaches and submits that I should take this into account when interpreting the CarePartners policy. In particular, Aviva points to the Supreme Court of Canada’s reasons in Jesuit Fathers of Upper Canada v. Guardian Insurance Co. of Canada,[^7] where the court noted that there were policies available to the insured in that case that would have afforded coverage but that the insured never purchased such policies and could not now claim coverage which it did not purchase.
[33] The nature of the insurance products available on the market may well be an appropriate consideration in certain cases. It would not, however, be appropriate to ignore the plain meaning of the words in the Aviva policy just because there are also specific insurance products available for data breaches. I would turn the proposition around and note that contractual language was available to Aviva that would have excluded bodily injury coverage for claims arising out of data breaches, but that Aviva chose not to employ that language even though Aviva used it only a few lines later when dealing with personal injury claims. Those differences in the choice of wording are deemed to have meaning.
[34] I note as well that Aviva has not asked me to allocate defence or indemnity costs as between the personal injury claims and bodily injury claims in the underlying action.
Conclusion and Costs
[35] For the reasons set out above, I dismiss the application.
[36] Both sides have submitted bills of costs. Both sides agree that the costs request of the other is reasonable. As a result, I fix costs in favour of the respondents on a full indemnity scale at $34,578.57 including HST and disbursements. I fix costs at a full indemnity scale because the principle underlying insurance is indemnity. The insured contracted for defence and indemnity. It should not be put to additional cost to obtain what the insurer had promised in the first place.
Date: May 1, 2023
Koehnen J.
[^1]: Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company 2021 ONCA 159 (“Lanark”)
[^2]: Lanark at para. 58; Nichols v. American Home Assurance Co. 1990 CanLII 144 (SCC), [1990] 1 S.C.R. 801.
[^3]: Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sch. A (the “PHIPA”)
[^4]: Paras. 65 (a) – (e ), 66 (a)- (k), 67 and 68
[^5]: Reid Crowther & Partners Ltd. v. Simcoe & Erie General Insurance Co., 1993 CanLII 150 (SCC), [1993] 1 SCR 252
[^6]: Lanark at para. 57.
[^7]: Jesuit Fathers of Upper Canada v. Guardian Insurance Co. of Canada, 2006 SCC 21 at para. 63.