Recently, the Ontario Court of Appeal released a decision which opined on the novel interpretive issue of data exclusion clauses. In Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company, 2021 ONCA 159, the appellate court unanimously allowed for the appeal of an application judge’s decision requiring an action be brought in order to deny the duty to defend.

In this case, the respondent, Family and Children’s Services of Lanark, Leeds and Grenville (“FCS”), hired the respondent, Laridae Communications Inc. (“Laridae”), to provide communication and marketing services, namely updating FCS’s website. Laridae obtained and was insured under both a professional liability policy and a commercial general liability policy (“CGL”) from the appellant, Co-operators General Insurance Company (“Co-operators”). FCS was an additional insured under the CGL.

In April 2016,  a password-protected portal on FCS’s website was hacked. After which, a hyperlink to a confidential report, which contained numerous clients’ personal information, was posted on a social media platform.

Subsequently, a class action was brought against FCS and others. As a result, FCS commenced a third-party claim against Laridae for breach of contract and negligence.

Both FCS and Laridae brought applications seeking a declaration that the appellant had a duty to defend them against the class action and third-party claim after their request was denied.

On the application, the appellant argued that coverage was excluded under both policies for any personal injury arising from the distribution or display of data (“data exclusion clause”). The respondents took the position that the data exclusion clause did not exclude all the claims against them. Moreover, the respondents argued that this was an important issue that should not be determined on an application

The application judge agreed with the respondents concluding that coverage should not be determined on an application. The judge also found that there is the possibility of coverage in this case. Lastly, the application judge concluded that the appellant would be obligated to fund both defences, if there was a conflict of interest between the two respondents and neither of which would report to appellant.

The appellant successfully appealed.

The Ontario Court of Appeal held that a determination regarding the appellant’s duty to defend could be made based on the application materials before the court. Through a coverage analysis, the court found that the exclusion clauses are clear and unambiguous. Moreover, the appellant court disagreed that some of the claims could be covered by the policy. Based on the substance of the claims pleaded in the class action, the allegations would fall directly within the policy exclusions. Therefore, the appellant owes no duty to defend either respondent.

Lastly, Appellate Court affirmed that the onus would be on the insured to establish a reasonable apprehension of a conflict of interest on the part of the insurer in order to remove their right to participate in the defence.

The post Hacking, Data Exclusion Clauses and the Duty to Defend appeared first on FCL LLP.

Data Breach v. Data Hack – What is the difference?

We often conflate the terms ‘data breach’ and ‘data hack’ to describe risks associated with computer security. In reality, each encompasses its own space in the cyber security world and delineate distinct protective measures.

What is a Data Breach?

A data breach speaks to an inadvertent release of sensitive data from a secure space to an untrusted environment. This often occurs when data is unintentionally left unsecured allowing unauthorized individuals to access it. This form of breach does not occur as a result of malicious intent, but instead due to negligence, incompetence, or human error. An example of this is the Cambridge Analytica scandal, where Facebook released confidential user data to a third party. While some classified this is as a hack, it is technically considered a breach given that Cambridge Analytica did not attempt to break through Facebook’s security screens; it took advantage of a pre-existing privacy oversight.

What is a Data Hack?

A hack on the other hand, is a calculated alteration to a computer’s hardware or software for a purpose other than that originally intended by the developer. Unlike a data breach, a data hack is intentional. It is usually conducted by cyber criminals with malicious intent for adverse purposes such as data theft or fraud. An example of a cyber hack was evidenced in 2018 when Marriot International revealed that cyber criminals had hacked their system to steal confidential data of 500 million customers.

Understanding the Difference:

It is important to understand the distinction between intentional versus inadvertent cyber threats, so we can take measures to protect against all security breaches. The Office of the Privacy Commissioner of Canada has compiled a guide on preventing and responding to both privacy breaches and hacks. This guide is summarized below:

Understand the Threats:

1. Know what personal information you have, where it is, and what you are doing with it.
2. Know your vulnerabilities by conducting risk and vulnerability assessments and/or penetration tests to ensure that threats to privacy are identified.
3. Be aware of breaches in your industry. Attackers will often re-use the same attacks against multiple organizations.

Thinking Beyond the Hacker:

1. Encrypt laptops, USB keys and other portable media.
2. Limit the personal information you collect, as well as what you retain.
3. Protect personal information throughout its lifecycle.
4. Train your employees.
5. Limit, and monitor, access to personal information.
6. Maintain up-to-date software and safeguards.
7. Implement and monitor, intrusion prevention and detection systems.

Containing Breaches

1. Take immediate steps to limit the breach:
   • Designate an appropriate individual to lead the initial investigation.
   • Determine the need to assemble a team which could include representatives from appropriate parts of the business.
   • Determine who needs to be made aware of the incident internally, and potentially externally, at this preliminary stage.
   • Do not compromise the ability to investigate the breach.
2. Prevent future breaches:
   • Conduct a security audit of both physical and technical security.
   • Review policies and procedures.
   • Review employee training practices.
   • Review service delivery partners (e.g., dealers, retailers, etc.).

The complete guideline summarized above can be found here:

https://www.priv.gc.ca/en/privacy-topics/business-privacy/safeguards-and-breaches/privacy-breaches/respond-to-a-privacy-breach-at-your-business/c-t_201809_pb

The post Data Breach v. Data Hack – What is the difference? appeared first on FCL LLP.

All Canadian workplaces are obligated under Canadian Privacy Laws to secure the use, collection, retention, disclosure or disposal of sensitive data. In the legal world, this obligation is doubly compounded by our professional duty to protect the confidentiality of our clients. Law firms therefore, invest in all precautions necessary to secure against risks of unauthorized use of data. This often translates into strict technical and organizational measures to insulate against privacy breaches in practice.

With the rapid spread of COVID-19, the world has witnessed an extraordinary turn of events that could not have been anticipated. To keep operational, law firms have had to promptly adapt to a remote workplace model where employees are working from home. However, given the speed at which this arrangement was implemented, many organizations may not have had systems in place to insulate against the security risks that may arise.

Many employees working from home share equipment and spaces with other family members. Such settings can present situations of unattended documents and notes with sensitive information recorded. Additionally, electronic information may be accessed on devices that are not exclusively for the use of the authorized person. The device itself, may not be equipped with passwords and technical guards that are offered at an office. Employees are now presented with the challenge of discharging the same duties to secure confidential material, but without the infrastructure in place to do so. Therefore, the current climate of mass disruption, has made organizations particularly susceptible to privacy breaches or cyber attacks.

It is important for organizations to take immediate steps to ensure the protection of sensitive information. These steps include:

Updating and implementing security measures

• Employers need to update their privacy policies and procedures to reflect the current needs, issues, and solutions surrounding a remote workplace;
• Employers need to consider the risks of cyber attacks and have measures in place to respond to any security breaches;
• Employers need to invest in revamping their IT infrastructure to ensure employees have access to a secure remote platform. These measures may include providing a protected VPN connection to employees which encrypts confidential communication;
• Employers should utilize access-based security features such as a multi-factor authentication protocol to protect their employees’ accounts; and,
• Employers should closely monitor network-related activities to flag security breaches.

Training employees

• Employee training should focus on how to manage security risks from home. Some of these measures include the use of a secure location such a locked cabinet to limit the exposure of confidential information to family members;
• Employees should password protect all devices, and access confidential documents through a centralized and secured device; and,
• Employees should use electronic platforms enabled by the organization so they are connecting to the workplace network through a secure VPN connection that is protected by firewalls and antivirus software.

It is imperative to maintain the integrity of this profession by ensuring that the duty of confidentiality owed to our clients is not compromised under any circumstance. It is incumbent on the prudent organization and employee to jointly make best efforts to conduct our business as securely as possible.

The post Curbing Privacy Risks When Working From Home appeared first on FCL LLP.