COURT FILE NO.: CV-21-00663486-0000

DATE: 20230613

ONTARIO

SUPERIOR COURT OF JUSTICE

BETWEEN:

IRIS TECHNOLOGIES INC.

Plaintiff/Responding Party

– and –

LIBERTY MUTUAL INSURANCE

Defendant/Moving Party

A. Tadros and C. Ghai, for the Plaintiff / Responding Party

A. Brijpaul and H. Chan, articling student, for the Defendant / Moving Party

HEARD: By videoconference, March 2, 2023

CHALMERS, J.

REASONS FOR DECISION

OVERVIEW

[1] The Defendant, Liberty Mutual Insurance Company (Liberty) brings this motion for summary judgment dismissing the action brought by the Plaintiff, Iris Technologies Inc. (Iris).

[2] Iris states that it sustained losses as a result of a network security breach. The breach led to fraudulent telephone calls being made on client accounts. Iris reimbursed its customers for the fees (Customer Fees) charged for the fraudulent calls and paid its third-party vendors for the charges related to the calls (Vendor Expenses).

[3] Liberty issued a Tech Insure Policy bearing number TITOABWMCH001 to Iris (the Policy). On January 21, 2021, Iris submitted a claim to Liberty. Liberty denied the claim on the basis that the claims did not fall under the insuring agreements in the Policy or were otherwise excluded. Liberty also took the position that Iris was in breach of the voluntary payments provision of the Policy because it paid the Customer Fees and Vendor Expenses before the claim was submitted to Liberty. Iris argues that the claim was denied improperly and in bad faith.

[4] For the reasons set out below, I find that there is no coverage under the Policy with respect to the claims advanced by Iris. I also conclude that there is no basis for the bad faith claim. I grant summary judgment in favour of Liberty and dismiss the Plaintiff’s action.

FACTUAL BACKGROUND

The Fraudulent Calls

[5] Iris is a telecommunications company. It provides services that allow Canadian business customers to place international calls on Voice over Internet Protocol (VoIP) phones provided by Iris. Iris relies on its vendors to physically connect a customer’s long-distance call. Iris pays the vendor’s fee directly and invoices the customer for the telecommunications services.

[6] The Iris VoIP handsets and the “Zero Touch Provisioning” (ZTP) software was licensed from Plantronics Inc. Iris purchased telephone handset devices from Plantronics. The handsets came equipped with the ZTP software. This allows Internet Service Providers (ISPs) to load user details on the ZTP software to obtain authentication for phone services.

[7] In August 2020, Iris became aware of a high volume of claims for reimbursement from its customers with respect to disputed long-distance calls. There were reports of an excessive number of international calls made to various destinations, including the Maldives, Moldova and Madagascar. The high volume of reimbursement claims continued. In mid-October 2020, Iris began investigating the high volume of claims. Iris learned that there was some form of systemic cybersecurity hack that had occurred, the full details of which were not clear at that time.

[8] On October 9, 2020, Iris applied to renew the Policy with Liberty. The Policy period ended on November 1, 2020. Magdi Wanis, the Chief Financial Officer of Iris states in his affidavit that at the time of completing the renewal application, he was unaware of this potential claim. Up until that point, Iris was treating the claims for reimbursement as regular call disputes which occur in the normal course of business. Iris did not advise Liberty that there had been a high volume of reimbursement claims when it completed the renewal application.

[9] By December 2020, Iris had completed a technical and financial audit of the long-distance disputes for the period from August 2020 to November 2020. It was determined that there had been a network-wide cyber security breach with respect to the Plantronics ZTP software. Apparently, a person could exploit the Plantronics ZTP software to obtain the stored customer account credentials, which allowed the attacker to log onto the Iris platform and place unauthorized international long-distance phone calls.

[10] Mr. Wanis deposed in his affidavit that it was a matter out of Iris’ control. He stated that Iris could not prevent or mitigate the ZTP vulnerability because the breach was on the Plantronics system and not Iris’ software.

[11] Mr. Wanis deposed that, “as contractually obligated”, Iris credited its customers with respect to the disputed calls. It refunded or credited $171,440 in Customer Fees that had been charged for the fraudulently placed long-distance calls. Iris states that it was also contractually obligated to pay the Vendor Expenses for the disputed calls. It paid $178,931 in Vendor Expenses. The total amount of the claim is $350,371. The payments were made to the customers and vendors, before the claim was submitted to Liberty.

The Insurance Claim

[12] The Policy was originally in force from November 1, 2019 to November 1, 2020. The Policy was renewed for the 2020/2021 term. There were no material differences in the Policy wording for the renewal period.

[13] On January 21, 2021, Iris first notified Liberty of the claim. Iris states that the claim was submitted to Liberty as soon as practicable, subsequent to the conclusion of the internal investigation by Iris. The claim was submitted to Liberty after Iris had credited the Customers Fees and paid the Vendor Expenses. Liberty acknowledged receipt of the claim the next day.

[14] Liberty reviewed the matter. During the course of its review, it requested further details about the claim. The additional information was provided by Iris. On February 4, 2021, Iris was advised by its broker that Liberty would be denying coverage. Liberty provided its denial letter on February 9, 2021. Liberty referred to Insuring Agreement A.6, which provides coverage for privacy breach expenses. Liberty was satisfied that there had been unauthorized access. However, Liberty concluded that the loss in question, being the fees charges by vendors for placing the calls, did not constitute privacy breach expenses as defined in the Policy.

[15] On February 22, 2021, Iris received security bulletins from Plantronics outlining the various widespread cybersecurity attacks. The security bulletins provide that there was a vulnerability in the Plantronics ZTP that “could allow an authenticated, remote attacker to obtain pre-provisioning information.” It was determined that hackers had infiltrated the ZTP system, obtained customer information and logged into the system using customer credentials to place fraudulent calls.

[16] On February 28, 2021, Iris provided Liberty with the security bulletins it had received from Plantronics. Iris also provided its fresh coverage analysis prepared by its broker. The coverage analysis referenced the data breach liability coverage set out in Insuring Agreement A.3. Iris argues that as a result of the data breach, its customers had made a written demand for phone charge reimbursements which Iris was legally obligated to pay pursuant to its customer contracts.

[17] Liberty agreed to revisit its coverage position. The matter was referred to Liberty’s claims committee. On March 22, 2022, Liberty upheld its denial of coverage. Liberty confirmed that only Insuring Agreement A.6 was triggered in the present case, but that the loss in question, being those fees charged by vendors resulting from their placing of the calls, do not constitute privacy breach expenses.

[18] Iris takes the position that Liberty breached its obligation to act in good faith. Mr. Wanis states in his affidavit that in light of the factual circumstances pertaining to the claim and the cybersecurity breach, Liberty did not “accurately, prudently nor in good faith”, determine their coverage position pursuant to the Policy. Mr. Wanis was cross-examined on his affidavit. He confirmed that there are no other facts relied on by Iris to support the allegations of bad faith other than what is included in his affidavit. He stated that Liberty’s denial of the claim is the reason he believes Liberty acted in bad faith.

[19] On June 4, 2021, Iris caused the Statement of Claim to be issued.

THE ISSUES

[20] The following issues will be addressed:

(i) Is summary judgment appropriate for the coverage and bad faith claims?

(ii) Do the claims fall within the insuring agreements in the Policy?

(iii) If the claims fall within the insuring agreements, does exclusion 10 “Contractual Liability” oust coverage in any event? and

(iv) If the claims fall within the coverage and are not otherwise excluded, did Iris breach the Assumption of Liability/Voluntary Payments clause to eliminate coverage?

ANALYSIS AND DISCUSSION

Is Summary Judgment appropriate for the coverage and bad faith claims?

[21] Under Rule 20, a court shall grant summary judgment in an action where it is satisfied that there are no genuine issues requiring a trial. There is no genuine issue requiring a trial where the summary judgment motion allows the judge to: (i) make the necessary findings of fact, (ii) apply the law to the facts, and (iii) is a proportionate, more expeditious and a less expensive means to achieve a just result: Hryniak v. Mauldin, 2014 SCC 7, at para. 49.

[22] Summary judgment may be appropriate for both coverage and bad faith claims: MacDonald v. Chicago Title Insurance Company of Canada, 2015 ONCA 842, at para. 11.

[23] Iris argues that this case is inappropriate for summary judgment, because summary judgment will not allow the court to make the findings of fact necessary to determine both coverage and bad faith. Iris states that there is an ongoing dispute with respect to the interpretation of vital elements of the Policy and that evidence from the parties as to their reasonable expectations and expert underwriting opinion evidence is required. Iris also states that for the allegation of bad faith, a trial will be necessary to determine the factual matrix.

[24] In support of its position that summary judgment is not appropriate, Iris relies on Easy Fashion Adaptive Clothing Ltd. v. The Co-Operators General Insurance Co., 2021 NBQB 207, 2021 CarswellNB 486. In that case, the court dismissed a summary judgment motion with respect to a first party insurance claim. There was an issue as to whether the presence of mould caused the loss. The motions court judge found that both parties failed to provide an explanation for the existence of the mould. If the mould was caused by an insured peril not otherwise excluded, there may be coverage. The court held that it was a “close call” but found that summary judgment was not appropriate. The judge stated that he was not certain that the plaintiff had put its best foot forward and the plaintiff was permitted an opportunity to produce additional evidence at trial.

[25] I am of the view that the Easy Fashion case is distinguishable on the facts. Here, there is no dispute between the parties as to what happened or how. I am satisfied that the Plaintiff has put its best foot forward with respect to both the coverage and bad faith issues.

[26] Liberty and Iris have different interpretations of the Policy. Although there are different interpretations, that does not mean the vive voce evidence of the parties, or expert underwriting evidence is admissible or required to interpret the Policy. Both parties agree that the test to be applied when interpreting insurance policies is set out in Ledcor Construction Ltd. v. Northbridge Indemnity Insurance Co., 2016 SCC 37. Citing the authority of Progressive Homes Ltd. v. Lombard General Insurance Co. of Canada, 2010 SCC 33, at para. 22, the Court stated, “the primary interpretive principle is that when the language of the insurance policy is unambiguous, effect should be given to that clear language, reading the contract as a whole.” Resort is to be made to the reasonable expectations of the parties only if there is a finding of ambiguity.

[27] I am of the view that the policy is unambiguous and as a result, the Policy can be interpreted based on the clear wording used, without having to resort to expert underwriting evidence or consideration of the reasonable expectations of the parties. As stated by Estey J. in Consolidated-Bathurst v. Mutual Boiler, 1979 10 (SCC), [1980] 1 SCR 888, at pp. 899,

There is no just reason for applying any different rule of construction to a contract of insurance from that of a contract of any other kind and there can be no sort of excuse for casting doubt upon the meaning of such a contract with a view to solving it against the insurer, however much the claim against him may play upon the chords of sympathy, or touch a natural bias. In such a contract, just as in all other contracts, effect must be given to the intention of the parties, to be gathered from the words they have used.

[28] I am also of the view that the underlying facts are not in dispute. There is no issue with respect to the fact that the Plantronics ZTP software allowed Iris customer accounts to be used for fraudulent calls. The amount paid to customers and vendors is not in dispute. The date Iris paid the customers and vendors, and the date Iris reported the claim to Liberty is also not in dispute.

[29] With respect to the bad faith claim, there is no conflicting evidence with respect to Liberty’s response to the claim. The claim was submitted on January 21, 2022 and Liberty provided its initial coverage position on February 9, 2022. The Iris affiant, Mr. Wanis testified on cross-examination that Liberty’s denial of the claim is the reason he believes Liberty acted in bad faith.

[30] I am satisfied that in the circumstances of this case, summary judgment is appropriate to determine both the coverage and bad faith issues.

Do the claims fall within the insuring agreements in the Policy?

[31] The insured has the onus of establishing that the claim falls within the insuring agreements of the Policy. The policyholder must establish each element of the insuring agreement. If the onus is satisfied, the onus shifts onto the insurer to establish that an exclusion applies. If the insurer is successful, the onus then shifts back to the policyholder to prove an exception to the exclusion applies: Ledcor Constructions Ltd. v. Northbridge Indemnity Insurance Co., at paras. 26-29 and 51.

[32] Iris argues that the loss falls within at least one of three insuring agreements in the Policy; Technology Professional Liability, Data Breach Liability and Privacy Breach Expenses.

Technology Professional Liability (A.1) and Data Breach Liability (A.3)

[33] The wording of the insuring agreements for the Technology Professional Liability and Data Breach Liability coverage are similar. Both provide liability coverage for claims made against the insured:

A. INSURING AGREEMENTS

1. TECHNOLOGY PROFESSIONAL LIABILITY

Liberty will pay on behalf of an Insured all Loss resulting from a Technology Wrongful Act occurring before or during the Policy Period which an Insured becomes legally obligated to pay as a result of a Claim first made against an Insured, or any organization for whom the Insured is legally responsible, during the Policy Period or Extended Reporting Period.

3. DATA BREACH LIABILITY

Liberty will pay on behalf of an Insured all Loss resulting from a Data Breach Wrongful Act occurring before or during the Policy Period which an Insured becomes legally obligated to pay as a result of a Claim first made against an Insured, or any organization for whom the Insured is legally responsible, during the Policy Period or Extended Reporting Period. …

Does the claim fall within insuring agreements A.1 and A.3?

[34] I am satisfied that the claims advanced by Iris do not fall within the insuring agreements A.1 and A.3.

Claim

[35] The technology and data breach insuring agreements are liability policies. Coverage is triggered by a claim made against the insured. “Claim” is defined in the Policy as a written demand for money or non-monetary relief. It is not necessary for an action to be commenced against the insured to trigger coverage, but there must be a written demand.

[36] Iris filed as exhibits several e-mails received from their customers notifying Iris of the disputed amounts and requesting refunds. It does not appear that all the Customers Fees that were reimbursed are accounted for in the e-mails that were filed as exhibits. In some cases, Iris reimbursed customers who may not have been aware that the fraudulent calls had been made.

[37] Although some e-mails from customers were filed as exhibits, there was no written demand for money from the vendors. This is because the vendors received payment for the fraudulent calls. The vendors did not suffer a loss and therefore did not make a demand for money or non-monetary relief.

[38] The amount Iris paid to its vendors was not in response to a claim. The amount was paid to the vendors when the disputed calls were made. Iris is seeking reimbursement for the amounts it had already paid to the vendors for the disputed calls.

[39] As noted above, insuring agreements A.1 and A.3 provide liability coverage to defend and indemnify the insured for claims made against it by third parties. Here no claim was advanced by the vendors. Iris may have sustained a direct loss for the amounts it paid the vendors for the disputed calls, however those losses are in the nature of a first party claim under a business interruption or property policy. I am of the view that because there was no written demand made by the vendors there was no claim made for the Vendor Expenses. In the absence of a claim, coverage is not triggered for the Vendor Expenses.

Loss/Damages

[40] The insuring agreement provides that Liberty will pay on behalf of the insured all loss arising from a wrongful act which an insured becomes legally obligated to pay. “Loss” is defined in the Policy as damages and claims expenses. “Damages” are defined in the Policy as a compensatory monetary amount for which the insured is legally liable, including judgments (inclusive of any pre- or post-judgment interest), awards, or settlements negotiated with the approval of Liberty. The definition of damages does not include profit or other charges. The definition of damages also does not include, “liquidated damages or service credits pursuant to a written contract, except to the extent that the Insured would otherwise be legally liable for such damages.” By endorsement, the definition of damages also does not include charge backs.

[41] Iris claims two sets of “damages”; the reimbursement of the Customers’ Fees related to the disputed calls and the Vendors’ Expenses that were paid to the vendors to place the disputed calls. As stated above, the amounts paid to the vendors was not in response to a claim and therefore coverage is not triggered. With respect to the Customers’ Fees, Iris argues that these monetary payments are compensatory damages that Iris was legally obligated to pay because of the contracts with its customers.

[42] Iris reimbursed its customers for the fees Iris charged for the disputed calls. The customers’ claims were “settled” by Iris without the approval of Liberty. The payments to the customers were made before Liberty was advised of the claim by Iris. Settlements negotiated without the approval of Liberty do not fall within the definition of damages.

[43] I am also of the view that the amounts paid to customers by Iris to reimburse them for the disputed calls are not damages but instead are charge backs or service credits to refund the customers for the disputed charges. If the disputed calls had not been made, Iris would not have received the fees in the first place. Customers’ accounts were credited in the amount of the charges for the disputed calls. Charge backs and service credits are excluded from the definition of damages.

Privacy Breach Expenses (A.6)

Does the claim fall within insuring agreements A.6?

[44] The Privacy Breach Expenses insuring agreement provides as follows:

A. INSURING AGREEMENTS

6. PRIVACY BREACH EXPENSES

If an Insured first discovers a Privacy Breach or Unauthorized Access during the Policy Period Liberty will pay Privacy Breach Expenses on behalf of the Insured, or on behalf of an independent contractor for which the Insured is legally responsible via a written contract.

If, pursuant to a written contract, the Insured agrees to indemnify or reimburse a third party for covered costs under this Insuring Agreement A.6., then Liberty will pay on behalf of the Insured all such costs as if such costs were incurred by the Insured.

[45] Under insuring agreement A.6, there is no requirement that there be a loss resulting from a wrongful act for which the insured becomes legally obligated to pay. There is also no requirement that the legal obligation to pay is as a result of a claim made against an insured. Coverage under the privacy breach expenses is in the nature of a first party policy rather than a liability policy.

[46] In its coverage denial letter dated February 7, 2022, Liberty acknowledged that there had been unauthorized access, and that the unauthorized access occurred during the policy period. However, Liberty took the position that the claim does not fall within the insuring agreement because there was no claim for privacy breach expenses.

[47] “Privacy breach expenses” are defined in the Policy as follows:

37. “Privacy Breach Expenses” means the following reasonable and necessary expenses incurred by a Data Breach First Responder and/or Data Breach Service Provider, and/or the Entity Insured when required:

(a) Computer Forensic Costs following a Privacy Breach or Unauthorized Access;

(b) Costs to provide legally required notification in compliance with any local, provincial, territorial, state, federal rule or regulation, or foreign laws following a Privacy Breach or Unauthorized Access;

(c) fees charged by lawyer(s) to determine the applicability of and actions necessary to comply with the laws referenced in (b) above;

(d) costs to provide voluntary notification to those affected individuals if in the reasonable opinion of a Senior Executive such voluntary notification is necessary in order to mitigate the effects of a Privacy Breach or Unauthorized Access but only to the extent that their Personally Identifiable Information was disclosed or reasonably believed to have been disclosed due to a Privacy Breach or Unauthorized Access;

(e) costs to notify federal, provincial, territorial, state, local and foreign regulatory bodies as required by law, including the Office of the Privacy Commissioner of Canada, the Competition Bureau, the media, the United States Federal Trade Commission, the Secretary of Health and Human Services, the Office of Civil Rights and European Union Supervisor Authorities in order to mitigate the effects of a Privacy Breach or Unauthorized Access;

(f) costs to set up a call centre and manage responses to individual enquiries following notification; or

(g) credit, identity monitoring and restoration services to those affected individuals notified pursuant (b) and/or (d) above, but only to the extent that their Personally Identifiable Information was disclosed or could reasonably be believed to have been disclosed due to a Privacy Breach or Unauthorized Access.

[48] The definition of “privacy breach expenses” includes the reasonable and necessary expenses incurred to provide notification to persons possibly affected by the breach of privacy and the costs associated with notifying the regulatory bodies. The types of expenses listed under definition of privacy breach expenses relate to notifying those affected, including setting up a call centre to manage responses, and to provide credit, identity monitoring and restoration services to those affected individuals.

[49] Iris claims the amounts it paid in Customers Fees and Vendor Expenses with respect to the disputed calls. Iris argues it “credited” its customers the amounts they paid for the disputed calls and therefore these payments are credits that fall within (g) of the definition of privacy breach expenses.

[50] It is my view that when (g) is read as a whole, the reference to “credit” relates to “credit services”. The credit services are for those affected individuals who the insured was required to notify of a privacy breach or who the insured voluntarily notified of the privacy breach. In my view, the ordinary meaning of credit services is that it refers to services to assist customers whose credit rating was affected by the privacy breach. It does not apply to all credits the insured may provide to its customers. If that were the case, it would not have been necessary to include “credit” with “identity monitoring” and “restoration services”. In addition, the credit services are limited to affected individuals who received notice of the privacy breach. Here, there was no notification of customers of a privacy breach.

[51] The payments made to the vendors were the fees charged for the disputed calls. These expenses were owing once the calls were made. There is no suggestion that the payments to the vendors was in response to a privacy breach or would fall within “privacy breach expenses”.

[52] Iris has not submitted any evidence that it incurred privacy breach expenses. I find that the claim does not fall within the insuring agreement at A.6.

Does exclusion 10 “Contractual Liability” oust liability coverage in any event?

[53] If the insured fails to establish all elements of the insuring agreement, there is no need to go any further; there is simply no coverage. Although I am of the view that the claims do not fall within the insuring agreements, for completeness I will go on to consider the effect of the contractual liability exclusion.

[54] The Policy excludes claims arising from any liability or obligation under an agreement:

E. EXCLUSIONS

This Policy does not apply to, and Liberty shall not be liable for Loss and all other payments pursuant to any Insuring Agreement or Supplemental Payments resulting from any Claim, … …

10. based upon, or arising from any liability or obligation of an Insured under any contract or agreement, either oral or written, including but not limited to all warranties, representations or guarantees. However, this exclusion shall not apply to:

(a) the extent an Insured would have been liable in the absence of such contract or agreement;

(d) The Insured’s agreement under a written contract to indemnify or reimburse a third party for covered costs, resulting from a Privacy Breach or Unauthorized Access by the Insured as specifically stated in Insuring Agreement A. 6.; [....]

[55] Mr. Wanis testified that the loss was as a result of the breach of the Plantronics ZTP system. He stated that matter was out of Iris’ control, and that because the breach was on the Plantronics system and not Iris’ software, Iris could not prevent or mitigate the ZTP vulnerability. There is no evidence to support a finding that Iris is liable to its customers or vendors in tort. The basis for the payments was in contract. This is confirmed by Mr. Wanis. He testified that Iris was “contractually obligated” to refund the customers the fees associated with the calls they did not make. He also testified that Iris was contractually obligated to pay the Vendor Expenses for connecting the disputed calls.

[56] Exclusion 10 applies to exclude coverage for any claims arising under any contract or agreement. The insurer has the onus of establishing that the exclusion applies. Liberty takes the position that paying refunds to customers for disputed calls or paying vendors for placing the disputed calls arise only out of the contracts.

[57] I am satisfied that the claim made by Iris for the amount paid to reimburse its customers and for the amounts paid to its vendors falls within the contractual exclusion. The payments arose out of the contracts Iris had with its customers and vendors. There is no evidence that Iris committed a wrongful act or tort which would require it to make a payment to its customers or vendors. There would be no claim without the contracts: Panasonic Eco Solutions Canada Inc. v. XL Specialty Insurance Company, 2021 ONCA 612, at para. 46.

[58] Iris does not dispute that the contractual exclusion applies. However, Iris takes the position that exceptions to the exclusions apply to bring the claim back within coverage. The onus is on the insured to establish the applicability of an exception to an exclusion.

[59] Exception (a) to the exclusion provides that the exclusion does not apply for claims for which the insured would be liable in the absence of the contract or agreement. As noted above, there is no evidence to suggest that Iris is liable to the customers or vendors in tort. The only basis for the payment is in contract. This is confirmed by Mr. Wanis who testified that Iris was “contractually-obligated” to pay the Customer Fees and Vendor Expenses. I am satisfied that the exception at 10 (a) of the exclusion does not apply.

[60] Iris relies on exception (d) to the exclusion. Iris states that the exception to the exclusion applies because as a result of an unauthorized access, it was required to indemnify or reimburse its customers for covered costs.

[61] It is my view that exception (d) only applies to covered costs as “specifically stated” in insuring agreement A.6. Insuring agreement A.6 relates to privacy breach expenses. As noted above, it is my view that the Customers Fees and Vendor Expenses are not payments that relate to the mandatory or voluntary notification of a privacy breach. There is no allegation that Iris was required to incur costs to notify customers of a possible privacy breach or to comply with government regulations when faced with a privacy breach. There is also no allegation that Iris was required to indemnify another party for privacy breach expenses under a written contract.

[62] I conclude that the contractual liability exclusion applies to the claims advanced by Iris with respect to the reimbursement of its Customers Fees related to the disputed calls and for payment of the Vendor Expenses. I also conclude that the exceptions to the exclusions at (a) and (d) do not apply.

Did Iris breach the Assumption of Liability/Voluntary Payments clause to eliminate coverage?

[63] Although I have concluded that there is no coverage under the Policy for the claims advanced by Iris, I will go on to address the assumption of liability/voluntary payments clause in the Policy.

[64] The Policy includes the following clause with respect to defence and settlement of claims:

C. DEFENCE AND SETTLEMENT OR CLAIMS OR PRIVACY REGULATORY PROCEEDINGS

1. … The Insured shall not admit or assume liability for any Claim, Privacy Regulatory Proceeding, Technology Wrongful Act, Professional Services Wrongful Act, Data Breach Wrongful Act, or Media Injury or settle any Claim or Privacy Regulatory Proceeding or incur any Claims Expenses without the prior written consent of Liberty, except when the Insured must take all reasonable action to prevent or mitigate any Claim or Privacy Regulatory Proceeding which would be covered under this Policy.

[65] A claim is defined in the Policy as any written demand for monetary or non-monetary relief. Iris argues that it received written claims from its customers for reimbursement of the fees related to the disputed calls. Iris settled the claims of its customers with the payment of $171,440. Iris also claims for the amount paid in Vendor Expenses. As noted above, the vendors did not make a claim for payment of these fees. The payments to the vendors were not made in response to a claim but were for payments made to connect the disputed calls. Iris paid $178,931 in Vendor Expenses.

[66] Iris settled the claims of its customers and paid the Vendor Expenses before Iris reported the claim to Liberty. The payments were made without the prior written consent of Liberty.

[67] A similar clause was considered in Sky Solar (Canada) Ltd. v. Economical Mutual Insurance Company et al, 2019 ONSC 4165, aff’d Sky Clean Energy Ltd. v. Economical Mutual Insurance Co., 2020 ONCA 558. In that case, the policy included a condition which provided that, “no insured will, except at their own cost, voluntarily make a payment, assume any obligation, or incur any expenses other than for first aid, without our consent”. The insured admitted liability, and voluntarily paid the injured party its remediation costs and loss of revenue without the consent of the insurer. The court held that the insured’s settlement of the claim was not done with the insurer’s consent and that, by making these payments, the insured failed to comply with the condition: at para. 100.

[68] Having found a breach of the condition, the court considered whether relief from forfeiture was available. Relief from forfeiture is available if there has been imperfect compliance with a condition; it is not available in the case of a complete absence of compliance: Lloyds Underwriters v. Colliers McClocklin Real Estate Corp., 2004 SKCA 66, at para. 34.

[69] In my view, the reimbursement of the Customer Fees and payment of the Vendors Expenses before the claim was reported to Liberty was a complete absence of compliance with the terms of the Policy. The payments were made before the claim was reported to Liberty. As a result, the payments were made without the prior written approval of Liberty. Liberty did not have the opportunity to investigate the claims, or to negotiate a settlement. Because there was a complete absence of compliance, relief from forfeiture is not available.

[70] Even if relief from forfeiture was available, I am of the view that it is not applicable in the circumstances of this case. As noted in Sky Solar:

In circumstances where Sky Solar settled and paid Firelight’s claim before giving notice to Economical of its claim for coverage under the Policy, I am unable to conclude that Sky Solar has proven that Economical would not have taken any different actions and that it would not have suffered prejudice from non-compliance with condition 4. Sky Solar has not shown that Economical clearly suffered no prejudice as a result of the settlement of Firelight’s claim. It is not necessary for me to decide whether relief from forfeiture is unavailable as a result of non-compliance with condition 4 because, on the facts of this case, I would not have granted relief to Sky Solar from forfeiture of coverage under the Policy: at para. 110.

[71] In summary, it is my view that even if there was coverage under the Policy, Iris forfeited coverage by making the payments to its customers and vendors before reporting the claim to Liberty. As a result, the claims were paid without the prior written approval of Liberty. There is no evidence that the payment was made to prevent or mitigate a claim. On the contrary, the evidence is that the claims were paid in full. I find that there was a complete absence of compliance with this clause in the Policy, and as a result, Iris is not entitled to relief from forfeiture.

Conclusions

Coverage

[72] For the reasons set out above, I am satisfied that there is no coverage under the Policy for the Customers Fees or Vendor Expenses claimed by Iris.

[73] With respect to insuring agreements A.1 and A.3, I find that the vendors did not make a written demand for money or non-monetary relief. The vendors did not make a “claim” and therefore the Policy is not triggered with respect to the Vendor’s Expenses. Although a written demand was made by some of the customers for reimbursement of the fees related to the disputed calls, the settlement of the customers’ claims was not negotiated with the approval of Liberty and therefore the Customers Fees paid by Iris, do not fall within the definition of damages.

[74] With respect to insuring agreement A.6, I find that the Customers Fees and Vendors Expenses are not privacy breach expenses as that term is defined in the Policy. The type of expenses listed under the definition of privacy breach expenses, relate to the mandatory or voluntary notification of persons affected by a policy breach. Iris has not submitted any evidence that it incurred expenses related to the notification of persons of the privacy breach.

[75] I conclude that the claims brought by Iris for the Customers Fees and Vendors Expenses do not fall within the insuring agreements of the Policy. Had I found that the claims fell within the insuring agreements, I would have found that coverage was excluded. The Policy excludes from coverage claims based on any liability or obligation of the insured under any contract or agreement. Mr. Wanis confirmed that there was a contractual obligation to pay the Customers Fees and Vendors Expenses. There is no suggestion that Iris would have been liable to the customers in the absence of the contract and therefore the exception to the exclusion at 10(a) does not apply. I also find that there were no privacy breach expenses incurred by Iris and therefore the exception to the exclusion at 10(d) does not apply.

[76] I would have also found that there was no coverage under the Policy because Iris was in breach of the voluntary payment provisions of the Policy. The payments were made to customers and vendors before notice of the claim was provided to Liberty. As a result, the payments were made without the prior written approval of Liberty. There was a complete absence of compliance with this clause in the Policy and as a result, Iris is not entitled to relief from forfeiture.

Bad Faith

[77] I also conclude that Iris failed to prove a claim in bad faith.

[78] An insurer is required to deal with the insured in good faith. The fact a claim is denied by an insurer is not, on its own, sufficient to prove the insurer acted in bad faith. In Fidler v. Sun Life Assurance Co. of Canada, [2006] 2 S.C.R. 3, [2006] S.C.J. No. 30 (QL), 2006 SCC 30, the Supreme Court quoted from the decision of O'Connor J.A. in 702535 Ontario Inc. v. Non-Marine Underwriters Members of Lloyd’s London, England, 2000 5684 (ON CA), as follows:

The duty of good faith also requires an insurer to deal with its insured's claim fairly. The duty to act fairly applies both to the manner in which the insurer investigates and assesses the claim and to the decision whether or not to pay the claim. In making a decision whether to refuse payment of a claim from its insured, an insurer must assess the merits of the claim in a balanced and reasonable manner. It must not deny coverage or delay payment in order to take advantage of the insured's economic vulnerability or to gain bargaining leverage in negotiating a settlement. A decision by an insurer to refuse payment should be based on a reasonable interpretation of its obligations under the policy. This duty of fairness, however, does not require that an insurer necessarily be correct in making a decision to dispute its obligation to pay a claim. Mere denial of a claim that ultimately succeeds is not, in itself, an act of bad faith: at para. 63.

[79] Here, Liberty considered the claim submitted by Iris and determined there was no coverage. It provided its response to the insured within three weeks of first receiving notice. After the initial denial, it considered additional material provided by the insured. After the review of the additional material, it maintained its denial on March 22, 2021. Mr. Wanis confirmed in cross-examination that the claim in bad faith was advanced because Iris does not agree with the denial of coverage. There is no evidence that Liberty acted in an unreasonable manner.

DISPOSITION

[80] For the reasons set out above, I conclude that there is no coverage under the Policy with respect to the claims advanced by Iris, and that there is no evidence of bad faith on the part of Liberty. I find that Liberty is entitled to the relief sought. I grant summary judgment in favour of Liberty and dismiss the action.

[81] At the conclusion of the oral hearing, I directed counsel to attempt to arrive at a fixed costs amount in the event of a party’s success. The parties agreed to fix costs in the amount of $28,750 if summary judgment is granted, disposing of both the motion and action in favour of either party. Liberty was successful with respect to the summary judgment motion and is entitled to its costs. I therefore award costs to Liberty fixed in the amount of $28,750 inclusive of counsel fee, disbursements and H.S.T.

Chalmers J

Re-Released: June 13, 2023

COURT FILE NO.: CV-21-00663486-0000

DATE: 20230613

ONTARIO

SUPERIOR COURT OF JUSTICE

BETWEEN:

IRIS TECHNOLOGIES INC.

Plaintiff/Responding Party

– and –

LIBERTY MUTUAL INSURANCE

Defendant/Moving Party

REASONS FOR DECISION

Chalmers J

Released: June 13, 2023