By: Dylan J. Cox, Litigation Associate

An Ontario judge recently interpreted a data exclusion in favour of the insureds, ordering the insurer to defend claims arising out of an alleged website security breach.[1] A website owned by Family and Children’s Services of Lanark, Leeds and Grenville (“FCS”), was breached when an unauthorized party downloaded and published documents stored in a secured section of the website, which contained personal information about individuals who had been the subject of FCS investigations. A broadly worded claim was subsequently brought against FCS, alleging damages resulting from defamation, breach of privacy and other causes of action. Laridae Communications Inc. had provided advice to FCS on the design and security of FCS’s website. FCS issued a third-party claim against Laridae.

FCS and Laridae both sought coverage under a CGL policy, Laridae as named insured and FCS as additional insured. Laridae also sought coverage under an E&O policy. There was no dispute that the damages claimed against FCS and Laridae fell within the grant of coverage under these policies, which contained an unqualified duty to defend. The issue was whether these obligations were negated by the policies’ respective data exclusions. The CGL policy excluded “‘Personal Injury’ [which included injuries arising out of defamation and violations of privacy] arising out of the distribution or display of ‘data’ by means of an Internet Website, the Internet … or similar device or system designed or intended for electronic communication of ‘data’”. The E&O policy contained a similar exclusion.

Neither party cited any prior cases interpreting data exclusion clauses. This worked to the insurer’s disadvantage. Noting that these exclusions were broadly worded and raised complex issues, the judge was concerned about the consequences of denying the relief sought by the insureds on the record before her.

In the end, the judge ruled in favour of FCS and Laridae, finding there was a possibility that at least some of the damages claimed would not be captured by the data exclusions. The claims against FCS and Laridae alleged damages resulting from electronic and non-electronic (i.e., physical) distribution of information. Damages resulting from physical distribution were not captured by the data exclusions, which only applied to distribution through electronic systems.

This case reaffirms the principle that exclusions are to be read narrowly, not broadly. Particularly where the relevant policy provisions engage complex issues not yet judicially considered, the court may err on the side of finding for the insured. While the judge properly focused on the broad nature of the claim, she did not discuss the scope of the use of the term “distribution or display of data” in both exclusions.


[1] Laridae v Co-Operators, 2020 ONSC 2198.

Dylan J. Cox is an associate at Theall Group LLP and maintains a broad commercial litigation practice. Prior to joining Theall Group LLP, Dylan articled at a prominent litigation boutique in downtown Toronto where he worked on commercial litigation, appellate, class actions and insurance law files. Dylan graduated from the University of Toronto law school and was called to the Ontario bar in 2016.

Photo Credit: Christoph Scholz on VisualHunt