Recent treatment of the duty to defend in Ontario courts
Where there is a dispute between an insurer and an insured over the insurer’s duty to defend a claim being made against an insured, the insured will ordinarily need to bring an application for a court to conduct a preliminary assessment of the issues given that the insured will otherwise have to pay for their own defence costs, often at considerable expense.
A number of principles have been established to address such disputes, including that (a) the duty to defend is to be determined by the allegations pleaded in the underlying lawsuit read together with the terms of coverage provided in the insurance policy; and (b) an insurer has a duty to defend where, on the facts as pleaded, there is a possibility that a claim within the policy may succeed. The overarching principle is that a duty to defend is broader than the duty to indemnify, meaning that the court is required to make a determination based on the possibility of the claim succeeding as pleaded. The focus is on whether the pleadings allege facts which, if true, would require the insurer to indemnify the insured for a claim. If so, the insurer is generally obliged to provide a defence, even though the actual facts may differ from the allegations in the statement of claim.
Within this basic framework, however, litigation frequently arises over the terms and exclusions in a policy relating to the duty to defend.
Court of Appeal confirms the test for duty to defend: Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company
In Family and Children’s Services of Lanark, Leeds and Grenville v. Co-operators General Insurance Company, 2021 ONCA 159 (CanLII), the Court of Appeal addressed a duty to defend application arising from someone hacking into a password-protected portal managed by the Family and Children’s Services of Lanark, Leeds and Grenville (“FCS”). The hacker took a confidential report containing details about the case files and investigations of 285 people. A hyperlink to the report was posted on two Facebook pages. This resulted in a $75 million class action brought against FCS in which the representative plaintiff alleged that the leaked document contained defamatory material, and that FCS was negligent in securing its website.
Both FCS and Laridae Communications Inc. (“Laridae”) were insured by Co�operators General Insurance Company (“Co-operators”). FCS and Laridae claimed that Co-operators had a duty to defend the class action brought against FCS and a third-party claim in that proceeding brought by FCS against Laridae for negligence and breach of contract.
Co-operators denied having any duty to defend FCS or Laridae, relying on policy exclusion clauses in the policies that excluded claims arising from the distribution or display of data by means of an internet website.
At first instance, the application judge found that Co-operators had a duty to defend both claims. The application judge reasoned that the applicability of the data exclusion clauses was a “novel interpretation issue” and the duty to defend should only be denied on a full record, not on an application. The application judge further determined that the exclusion clauses relied on by Co-operators’ did not apply. Lastly, the application judge ruled that neither FCS nor Laridae had any ongoing reporting obligations to Co-operators, in light of the conflict of interest between the two insured and the insurer.
The Court of Appeal overturned all of the application judge’s findings. Firstly, it was an error to conclude that the duty to defend could not be determined based on the materials filed on the application. The agreements describing the services that Laridae was to provide FCS, were in the record as were the policies. There were no material facts requiring a trial. In the Court of Appeal’s view, the policy provisions were clear and unambiguous and an application judge is presumed to know the law – even if the law is unclear or novel.
The Court of Appeal undertook its own analysis and confirmed that the test to be applied to determine possible coverage is as follows (para 57):
a) When the policy language is unambiguous, the court should give effect to that language, reading the policy as a whole;
b) Where the language of the policy is ambiguous, general rules of contract construction apply and the court should prefer interpretations of the policy that are consistent with the reasonable expectations of the parties. Courts should avoid interpretations that would give rise to a result that is unrealistic; and,
c) Only when the rules of contract construction fail to resolve the ambiguity, courts will construe the policy against the insurer who drafted the policy. This means that coverage provisions are interpreted broadly, and exclusion clauses narrowly: Progressive Homes Ltd., at paras. 22-24; Simpson Wigle Law LLP v. Lawyers’ Professional Indemnity Co., 2014 ONCA 492, 120 O.R. (3d) 655, at para. 54.
Laridae and FCS were insured under a policy which provides coverage for compensatory damages for personal injury caused by an offence that arises out of the conduct of the insured’s business. However, the applicable policies contained specific exclusion clauses for (i) claims “arising out of the distribution or display of ‘data’ by means of an Internet Website, the Internet, an intranet, extranet, or similar device or system designed or intended for electronic communication of ‘data’”; and (ii) any claims that arise “directly or indirectly” from the distribution or display of data. “Data” was defined as “representations of information or concepts in any form.”
Because these exclusions were clear and unambiguous, the court need not consider the reasonable expectations of the parties in interpreting the exclusion provision in the policy, nor does the court need to make recourse to extraneous sources: Allstate Insurance Co. of Canada v. Aftab, 2015 ONCA 349, 335 O.A.C. 172, at para. 19.
Nevertheless, the Court of Appeal addressed the second step, by ascertaining the substance and true nature of the claims pleaded to see if there was a possibility that some of the claims may be covered by the policy.
In the class action, the claim was that someone hacked the portal, which was not secure, and made the report public by posting it on Facebook and/or other public websites, thereby disclosing personal and highly sensitive information of the plaintiff and class members. As a result, the personal information of the class members has now been made readily available to any unauthorized third party who accessed the information, bought the information, or found the information posted on the internet, resulting in damages.
In the Court of Appeal’s view, the alleged damages resulted from hacking the portal using the hyperlink to connect one electronic document to another. This is a “system designed or intended for the electronic communication of ‘data’”. As such, the link to the Report is a display of data within the meaning of the policy exclusion. Both a hyperlink and an image of a hyperlink constitute “representations of information” within the meaning of the policy exclusions. It is the representation of the source of the electronic file containing personal information.
Accordingly, there was no claim in the class action that there was a physical display or distribution of the confidential personal information. Rather, the claim is that the confidential report was made public by posting it on Facebook and/or other public websites, thereby disclosing personal and highly sensitive information of the plaintiff and class members. Since the pleading was that the damages arose from posting the report on the internet, this was sufficient to conclude that there was no duty to defend as the allegation fit squarely within the policy exclusion for distribution or display of ‘data’ on an internet website.
The Court of Appeal further held that even if the class action alleged that physical copies of the report were taken or created (which it did not), the “substance and true nature of the claim for damages” arises from the wrongful appropriation of confidential personal information and posting it on the internet. The data exclusion clause excludes claims that arise from the display and distribution of the confidential personal information on the internet. All of the injuries pleaded arise, ultimately, from the distribution of the report on the internet. There is only one chain of causation. The claim for damages arises from the wrongful appropriation of confidential personal information and posting it on the internet, and falls under the exclusion.
Lastly, although not necessary for the result, the Court of Appeal noted that if Co-operators did have a duty to defend, then it should receive reports from counsel who have been acting for FCS and Laridae for the last four years, and have the ability to jointly instruct counsel. In general, when there is a duty to defend, it would be appropriate to establish a joint protocol for the management of documents and the litigation: Markham (City) v. AIG Insurance Company of Canada, 2020 ONCA 239, 445 D.L.R. (4th) 405, leave to appeal refused,  S.C.C.A. No. 170.
The threat of cybersecurity breaches is a risk that is no longer novel and should be carefully considered in the drafting of insurance contracts and exclusions. In September 2017, Equifax announced that thousands of Canadians were affected by a cybersecurity breach. Hackers stole personally identifiable information from consumers such as names, social insurance numbers, credit card numbers, driver's licences and addresses. In the U.S., 145.5 million consumers were affected. An analysis of Canada's cyber security regulatory framework demonstrates that these risks are growing rapidly and it is unclear whether they are being addressed sufficiently by statutes, regulations or internal risk management processes. The current cyber security legal framework should be modernized by combining ex ante, rules-based federal legislation with ex post, principles-based regulations.
Claims-based reporting obligations and duty to defend: Backyard Media Inc. v. HDI Global Specialty SE
Another recent decision demonstrates how the timing of the underlying circumstances and the subsequent reporting of the claim to the insurance company may impact whether or not there is a duty to defend.
In Backyard Media Inc. v. HDI Global Specialty SE, 2021 ONSC 2341 (CanLII), Justice F.L. Myers addressed whether a claim under the applicant’s insurance policy was excluded because it arose from circumstances and a demand known to the insured but not reported to the insurer in the prior policy year.
On March 4, 2020, the applicant received a demand letter asserting that it was liable on numerous grounds to a former business partner. The applicant’s counsel responded to the demand letter on March 25, 2020, but did not report the matter to the applicant’s insurer. On April 18, 2020, the term of the insurance policy that was in effect when the applicant received the demand letter, expired, and the policy was renewed for another year. On April 24, 2020, the applicant was served with a statement of claim by the former business partner. The claim was reported to the respondent insurer a few weeks later.
There was no dispute that the claim against the applicant by its former business partner would have been covered under the prior year’s policy had the applicant reported the claim before April 18, 2020. As the policy was a “duty to defend” policy, the insurer was required to provide a defence for the insured if there is a possibility that the insurance policy will have to respond to the substantive claims against the insured in that litigation: Progressive Homes Ltd. v. Lombard General Insurance Co., 2010 SCC 33, at para. 51. The insurer had the burden to establish that its exclusion clearly and unambiguously excludes its duty to defend the applicant in the litigation that has been commenced against it.
In that regard, the insurer attempted to rely on an exclusion in the current year’s policy for any claim that the insured was aware of as of the “inception date” of the policy, or of any fact, circumstance or situation which could reasonably give rise to any claim. The insurer argued that this excluded all claims of which the insured was aware before the renewal date of the current policy year. More than that, it excluded all claims that are based on “any fact, circumstance or situation which could reasonably give rise to any ‘Claim’” where those facts were known to the insured prior to the renewal of the policy for the current policy year.
At issue was the interpretation of the phrase “inception date of this ‘Policy’”. “Inception Date” was not a defined term (although capitalized) in the policy. The insurer argued that “the inception date” was April 18, 2020 – the renewal date of the current policy term. The insured argued that “the inception date” of “this Policy” was the date that the policy initially incepted or began, which was April 18, 2017 (having been renewed on an annual basis thereafter).
There was a reasonable argument in favour of the insurer’s position. There was no question that the applicant could have provided notice of the demand letter before April 18, 2020, and the policy wording required that “as soon as the ‘Insured’ becomes aware of a ‘Claim’”, it must “immediately notify the ‘Insurer’”.
Further, in Jesuit Fathers of Upper Canada v. Guardian Insurance Co., 2006 SCC 21, para. 25 the Supreme Court of Canada accepted that claims-made policies generally provided more restricted coverage (and are less expensive as a result). A consequence of a strict “claims-made” policy is that in a situation where an insured knows of a claim while insured by a previous insurer, but did not report the matter, the new insurer would be left off the hook for claims discovered but not reported under the prior policy. “The insured will fall between two stools” in such situations, as the insured may be left without insurance on numerous prior matters of which it had knowledge but which had not yet blossomed into claims.
The Ontario Court of Appeal has followed the same reasoning, with seemingly harsh consequences for the insured: e.g. Stuart v. Hutchins, 1998 CanLII 7163 (ON CA). However, there must be no ambiguity that the policy is strictly restricted to claims “first made” in a particular policy year. In the case at hand the business partner’s claim was first made in the prior policy year (April 18, 2019 – April 18, 2020), but the exclusion relied on by the insurer did not contain the “first made” restriction. In addition, Justice Myers noted that had the applicant been changing insurance companies rather than simply renewing the existing policy, it could have acquired additional coverage for unreported claims that were based on circumstances under the prior policy period in order to avoid falling between two stools.
In the result, Justice Myers found in favour of the applicant as the law requires exclusions from coverage to be clearly stated and unambiguous is not new. It was completely within the power of the insurer to exclude from coverage the circumstance before the court but in the context of the policy, read as a whole, the wording was unclear and did not fairly put the insured on notice of the limitation on coverage advanced by the insurer.
Monetary amounts do not determine the duty to defend: Distillery S.E. Development Corp. v. Temple Insurance Company
In Distillery S.E. Development Corp. v. Temple Insurance Company, 2021 ONSC 1908 (CanLII), the insurer attempted to argue that the “duty to defend” a property damage claim was not engaged since the damages particularized in the claim amounted to $8,507.66, which was less than the $10,000 deductible. Justice P.M. Perell had little regard for this argument, reasoning that had the applicant simply pleaded that there was property damage without monetary quantification, or that such damage was $10,001, everyone would have been spared the duty to defend application and the interminable arguments regarding the monetary amount at issue. In Justice Perell’s view it was commercially unreasonable to interpret the policy so that before there is a trial, there is no duty to defend because the Property Damages pled in the Statement of Claim arguably did not exceed $10,000:
 Through a fluke of pleading, the court has been asked to undertake a forensic analysis that went far beyond the interpretation of the terms of the insurance policy measured against the Statement of Claim and would have taken the court into territory better and best explored at the trial. It is to be remembered that the duty to defend is engaged by the mere possibility that there may be coverage for Property Damage.
Intentional and illegal conduct may negate duty to defend: Demme v. Healthcare Insurance Reciprocal of Canada
The “mere possibility” that there will be coverage depends on the nature of the claim being made against the insured, and in cases of intentional torts the very intentionality which gives rise to the cause of action may vitiate coverage under a policy which is intended to cover accidental harm.
In Demme v. Healthcare Insurance Reciprocal of Canada, 2021 ONSC 2095 (CanLII), the court addressed whether the duty to defend applied to a breach of privacy claim. The applicant, a former registered nurse at the Brampton Civic Hospital, had accessed patient records in order to show that the patient received a Percocet tablet when, in fact, the nurse dispensed the pills for herself. From 2006-2016, the nurse accessed the records of 11,358 patients, which allowed her to obtain 23,932 Percocet tablets. When the Hospital discovered the nurse’s activities, it sent form letters to the patients whose medical records had been improperly accessed.
Eight civil actions were brought against the nurse and the Hospital thereafter, essentially alleging that the nurse wrongfully accessed patient files and thereby committed the tort of intrusion upon seclusion.
The nurse sought a declaration that the Healthcare Insurance Reciprocal of Canada (“HIROC”) owed her a duty to defend the civil actions in which she was named. HIROC had issued a policy of insurance to Hospital which provided coverage to the Hospital and its employees in the course of their employment. HIROC denied the nurse’s claim and relied on exclusions for injury “expected or intended from the standpoint of the Insured”, and for injury “arising out of the performance of a criminal act”.
The court agreed with HIROC and concluded that there was no duty to defend the claims against the nurse.
The HIROC policy provided coverage for claims for “bodily injury” which the insured shall become legally obligated to pay as damages because of bodily injury, sickness or disease, including death at any time resulting therefrom, by any person or persons and arising from an “occurrence.” While the definition of “bodily injury” included injury arising out “invasion or violation of the right to privacy,” this was in turn limited to an “occurrence,” which was defined to mean “an accident, including continuous or repeated exposure to substantially the same general conditions, which results in bodily injury or property damage neither expected nor intended from the standpoint of the Insured.”
Justice Chalmers reasoned that the claim did not arise from an “occurrence” as defined in the policy since the tort of intrusion upon seclusion is based upon intentionality or deliberate invasions of personal privacy. For the tort to succeed, there can be no liability unless there is a finding that the defendant intended to intrude upon the seclusion of another. While the nurse argued that she did not intend any injury to the plaintiffs as a result of breaching their privacy, Justice Chalmer’s view was that the true nature of the claims was the intentional tort of intrusion upon seclusion.
Further, there were no independent claims to which the duty to defend might apply. While there were claims for negligence alleged, they were based upon the intentional access of the patients’ private medical records. If the plaintiffs succeed in the intrusion claims, then the nurse must be presumed to have intended to injure the plaintiffs. If the plaintiffs do not establish the tort of intrusion upon seclusion, their actions will have no chance of success and there will be no possibility for a claim for indemnity under the Policy. Accordingly, Justice Chalmer’s concluded that the claims in negligence were entirely derivative of the true nature of the claims, which is the intentional tort of intrusion upon seclusion.
Lastly, while not necessary given the above conclusions, Justice Chalmers would have concluded that the claims were excluded pursuant to the intentional act and criminal act exclusions in the policy. The intentional act exclusion applies if the insured intended the harm that resulted. The tort of intrusion upon seclusion results in an injury to patients whose records are accessed because there is a loss of control over their personal information. The injury is the access. As a result, an intention to access the records is an intention to injure the patients. Justice Chalmers concluded that the intentional tort of intrusion upon seclusion is not covered under the occurrence-based policy issued by HIROC. Even if the court had found that the claims fell within the insuring agreement, they would be excluded on the basis that Ms. Demme intended or expected the damages that resulted from her actions, and that the injuries to the plaintiffs arose out of the performance of a criminal act.
In June 2022, the Court of Appeal dismissed the applicant’s appeal, concluding that motion judge’s analysis properly focused on considering the nature of the claims asserted against the applicant within the terms of coverage provided by the Policy, rather than on her pleaded explanations for what she did or why she did it: 2022 ONCA 503 (CanLII). The Court of Appeal rejected the applicant’s argument that her conduct was unintentional and agreed with the motion judge that the pleading of intrusion upon seclusion took the claims outside the policy’s definition of “occurrence”.
The trend in the recent cases reviewed underscores the importance of risk allocation in insurance contracts. Recollection bias is the phenomenon whereby people who observe a highly unexpected event hold current risk beliefs about a similar event that are no higher than their recollection of their prior beliefs regarding the risks. Viscusi and Zeckhauser found that over 60% of respondents in a national U.S. sample of over 900 adults believe that the current risk of a future terrorist attack by either an airplane or in a public setting is no higher than they recall having believed respectively before the 9/11 attack and before the Boston Marathon bombing. By contrast, a rational Bayesian model would update to a higher currently assessed risk of these previously uncontemplated events.
The cases reviewed in this article demonstrate that Courts will generally respect the risk allocation in insurance contracts. It is therefore worth some time for both insurance companies and their clients to dust off those policies and review them carefully with an eye to renewal and future risk allocation. A PDF version is available to download here.
(This blog is provided for educational purposes only, and does not necessarily reflect the views of Gardiner Roberts LLP).
 Danica Kathryn Bennewies, “An Analysis of Canada's CyberSecurity Regulatory Framework”, submitted to U of T Faculty of Law “Financial Crimes and Corporate Compliance” (2019).
 Viscusi and Zeckhauser, “Recollection Bias and Its Underpinnings: Lessons from Terrorism-Risk Assessments” (2017), 37:5 Risk Analysis 969–981.