Recently, the Ontario Court of Appeal released a decision which opined on the novel interpretive issue of data exclusion clauses. In Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company, 2021 ONCA 159, the appellate court unanimously allowed for the appeal of an application judge’s decision requiring an action be brought in order to deny the duty to defend.

In this case, the respondent, Family and Children’s Services of Lanark, Leeds and Grenville (“FCS”), hired the respondent, Laridae Communications Inc. (“Laridae”), to provide communication and marketing services, namely updating FCS’s website. Laridae obtained and was insured under both a professional liability policy and a commercial general liability policy (“CGL”) from the appellant, Co-operators General Insurance Company (“Co-operators”). FCS was an additional insured under the CGL.

In April 2016,  a password-protected portal on FCS’s website was hacked. After which, a hyperlink to a confidential report, which contained numerous clients’ personal information, was posted on a social media platform.

Subsequently, a class action was brought against FCS and others. As a result, FCS commenced a third-party claim against Laridae for breach of contract and negligence.

Both FCS and Laridae brought applications seeking a declaration that the appellant had a duty to defend them against the class action and third-party claim after their request was denied.

On the application, the appellant argued that coverage was excluded under both policies for any personal injury arising from the distribution or display of data (“data exclusion clause”). The respondents took the position that the data exclusion clause did not exclude all the claims against them. Moreover, the respondents argued that this was an important issue that should not be determined on an application

The application judge agreed with the respondents concluding that coverage should not be determined on an application. The judge also found that there is the possibility of coverage in this case. Lastly, the application judge concluded that the appellant would be obligated to fund both defences, if there was a conflict of interest between the two respondents and neither of which would report to appellant.

The appellant successfully appealed.

The Ontario Court of Appeal held that a determination regarding the appellant’s duty to defend could be made based on the application materials before the court. Through a coverage analysis, the court found that the exclusion clauses are clear and unambiguous. Moreover, the appellant court disagreed that some of the claims could be covered by the policy. Based on the substance of the claims pleaded in the class action, the allegations would fall directly within the policy exclusions. Therefore, the appellant owes no duty to defend either respondent.

Lastly, Appellate Court affirmed that the onus would be on the insured to establish a reasonable apprehension of a conflict of interest on the part of the insurer in order to remove their right to participate in the defence.

The post Hacking, Data Exclusion Clauses and the Duty to Defend appeared first on FCL LLP.

Privacy Law Reform and Greater Corporate Accountability Towards Protection of Personal Information

On November 17, 2020, the proposed Digital Charter Implementation Act, 2020, (the “Act”) was introduced. If passed, it will introduce massive changes to the way in which personal information is used, collected, and stored.

The proposed framework seeks to accomplish these goals by strengthening the powers of the Privacy Commissioner to impose harsher penalties for violations of privacy rights and by creating incentives for companies to comply with privacy legislation, specifically regulating the way in which personal information is collected through meaningful consent.

The new framework envisioned by the Act empowers the Privacy Commissioner with order-making powers to recommend that fines be imposed, which can account for up to 5% of global revenues (at the ultimate determination of a new administrative tribunal, the Personal Information and Data Protection Tribunal) or to request that companies delete information improperly obtained or withheld. These fines are the strongest among G7 countries for privacy laws.

The purpose of this legislation is not necessarily to impose harsher penalties, but rather, to use these mechanisms among others as a way to incentivize corporations to work with the Privacy Commissioner to develop policies that are compliant with and demonstrates a respect for privacy rights.

For individuals, the Act means that corporations collecting personal information will be required to obtain meaningful consent; in other words, individuals must have plain-language information about the proposed collection, use, and disclosure of personal information. The Act also proposes that individuals will have greater control over their personal information whether it is to withdraw consent for use of their information or it is to direct the transfer of their personal information from one organization to another. What is clear is that this new legislation aims to give individuals greater decision-making power over how their information is used, stored, collected – before and after the information has been disclosed.

If passed, corporations should review their privacy policies with a fine-toothed comb to ensure that this level of transparency and flexibility is available to individuals when relying on the use of personal information.

The post Privacy Law Reform and Greater Corporate Accountability Towards Protection of Personal Information appeared first on FCL LLP.

All Canadian workplaces are obligated under Canadian Privacy Laws to secure the use, collection, retention, disclosure or disposal of sensitive data. In the legal world, this obligation is doubly compounded by our professional duty to protect the confidentiality of our clients. Law firms therefore, invest in all precautions necessary to secure against risks of unauthorized use of data. This often translates into strict technical and organizational measures to insulate against privacy breaches in practice.

With the rapid spread of COVID-19, the world has witnessed an extraordinary turn of events that could not have been anticipated. To keep operational, law firms have had to promptly adapt to a remote workplace model where employees are working from home. However, given the speed at which this arrangement was implemented, many organizations may not have had systems in place to insulate against the security risks that may arise.

Many employees working from home share equipment and spaces with other family members. Such settings can present situations of unattended documents and notes with sensitive information recorded. Additionally, electronic information may be accessed on devices that are not exclusively for the use of the authorized person. The device itself, may not be equipped with passwords and technical guards that are offered at an office. Employees are now presented with the challenge of discharging the same duties to secure confidential material, but without the infrastructure in place to do so. Therefore, the current climate of mass disruption, has made organizations particularly susceptible to privacy breaches or cyber attacks.

It is important for organizations to take immediate steps to ensure the protection of sensitive information. These steps include:

Updating and implementing security measures

• Employers need to update their privacy policies and procedures to reflect the current needs, issues, and solutions surrounding a remote workplace;
• Employers need to consider the risks of cyber attacks and have measures in place to respond to any security breaches;
• Employers need to invest in revamping their IT infrastructure to ensure employees have access to a secure remote platform. These measures may include providing a protected VPN connection to employees which encrypts confidential communication;
• Employers should utilize access-based security features such as a multi-factor authentication protocol to protect their employees’ accounts; and,
• Employers should closely monitor network-related activities to flag security breaches.

Training employees

• Employee training should focus on how to manage security risks from home. Some of these measures include the use of a secure location such a locked cabinet to limit the exposure of confidential information to family members;
• Employees should password protect all devices, and access confidential documents through a centralized and secured device; and,
• Employees should use electronic platforms enabled by the organization so they are connecting to the workplace network through a secure VPN connection that is protected by firewalls and antivirus software.

It is imperative to maintain the integrity of this profession by ensuring that the duty of confidentiality owed to our clients is not compromised under any circumstance. It is incumbent on the prudent organization and employee to jointly make best efforts to conduct our business as securely as possible.

The post Curbing Privacy Risks When Working From Home appeared first on FCL LLP.