Serving Canada's Legal Community Since 1983  
RSS Feed RSS Feed
This Week's Issue:

Want to learn more about this week's issue?

Legal Update Services

Click on the links above to view recent decisions from the Supreme Court of Canada and summaries for noteworthy cases from across the country.

Cyber risks & liability insurance
By Gordon Hilliker

August 19 2011 issue

[Illustration by Peter Bono for The Lawyers Weekly]
Click here to see full sized version.

Please contact us at
Please include your name, your law firm or company name and address.

Very few organizations operate today without taking advantage of the benefits of cyber technology. Yet a remarkable number fail to adequately address the liability insurance needs that arise as a result of simply accessing the Internet.

Any organization with a website, online storage facilities or even just an email account is vulnerable to a claim that it has caused damage to another’s computer software or data, whether through the inadvertent distribution of malevolent code, inadequate protection against hacking or otherwise. The Internet also provides a ready forum for the commission of various other torts, such as defamation, breach of privacy and infringement of copyright.

For liability insurance protection, most organizations purchase a commercial general liability (CGL) policy, which is a one-size-fits-all insurance product that was originally created to protect against claims for bodily injury or damage to tangible property. Cyber risks do not generally fall into either category. A data breach from a hacking incident or an errant email does not involve tangible property. Tangible property may be involved in the case of a careless erasure of a hard drive but whether there has been physical injury is open to debate. Although, as a matter of physics, there has been a magnetic alteration to the hard drive, the fact remains that the drive can nevertheless still serve its intended purpose and the claim is for the loss of the data itself rather than any possible alteration to the physical structure on which the data resides. As might be expected, American authority can be found in support of either side in this debate.

In response to this issue, the Insurance Bureau of Canada, an insurance industry association that, among other things, publishes recommended policy forms, revised its CGL form so as to specifically exclude electronic data from the definition of property. An electronic data exclusion was also introduced and excludes coverage for damages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data.

These policy revisions appear to have effectively removed coverage for a data breach. There are other features of the modern CGL policy, however, which provide limited coverage for certain types of claims which are more prevalent as a result of the Internet. The “personal injury” coverage feature of the CGL policy, which is not to be confused with “bodily injury,” extends coverage for certain “offences” against the person, including the publication of defamatory material and material that violates a person’s right of privacy. The “advertising injury” feature of a CGL policy specifically extends to advertisements placed on the Internet.

These are valuable coverage features in the Internet age. The nature of email is such that it is unfortunately far too easy to accidentally send a message to the wrong recipient or even an ill-advised message to the correct recipient. Cyber libel suits are now commonplace. A recent example is provided by the British Columbia Supreme Court in Wright v. Van Gaalen, [2011] B.C.J. No. 1004.

Privacy concerns are also paramount. Many jurisdictions have enacted legislation establishing privacy rights for the collection and use of personal information and providing for damages for a person harmed by an organization’s breach of the statutory requirements.

There are, however, a number of limitations to the personal injury and advertising injury coverage provided under the CGL form. Coverage is not extended to insureds in media and Internet businesses. Nor is coverage provided for the insured’s hosting of an online chat room or bulletin board. Moreover, coverage is provided only for the enumerated offences. Coverage for invasion of privacy, for example, does not necessarily apply to a case simply involving the theft of confidential data.

The recent incident involving the hacking of Sony’s Playstation network neatly illustrates not only the potential for cyber liability but also the insurance issues that may arise under a CGL policy. The names, birth dates, addresses, email addresses, phone numbers and passwords of millions of people who had entered contests promoted by Sony were apparently stolen by hackers. Financial information may also have been obtained. As a result of this intrusion, 55 class action suits have been brought in the U.S. to date and three in Canada. Damages claimed are in the billions of dollars.

The response of Sony’s CGL carriers has been to deny coverage and bring declaratory proceedings for a judgment supporting the denial. According to the insurers, the class actions do not present claims for bodily injury, property damage, personal injury or advertising injury. It remains to be seen whether this position will be upheld.

As a result of the CGL policy’s limited coverage for cyber risks, a market has developed for insurance products that specifically address the various risks that arise as a result of carrying on business activities in cyberspace. To date, these policies do not exhibit the more or less uniform wordings that are common in the CGL world.

Organizations are well-advised to seek professional advice both as to their exposure to third party cyber liability risks and the insurance products that are available to address these risks.

Gordon Hilliker, who practises law in the coastal rainforest village of Belcarra, B.C., is the author of Liability Insurance Law in Canada (5th ed., LexisNexis Canada, 2011) and Insurance Bad Faith (2nd ed., LexisNexis Canada, 2009).

Click here to see this article in our digital edition (available to subscribers).

Back      Print This Article