The Canadian insurance market is awakening to the need for cyber-insurance against data loss and privacy breach events. Although there is clearly room for this market to grow, Canadian insurers are routinely issuing cyber coverage to protect against these risks. While insurers have developed loss-experience with first party data breach expense, ransomware and business interruption claims in recent years, knowledge and understanding of third-party risks caused by covered breaches remains limited. This article reviews the status of emerging third-party claim experience.
Class actions seeking damages arising out of data loss and privacy breaches are becoming increasingly common. However, all of the actions to date either remain at the certification stage or have been resolved through settlements. As a result, we have yet to see judicial analysis at a common issues trial of the causes of action being advanced and a final determination of damages. Nevertheless, three recent cases are instructive about the potential indemnity obligations of Canadian insurers under the cyber policies they have issued.
Author’s note: This article was drafted prior to the release of the Ontario Superior Court of Justice’s decision in Kaplan v. Casino Rama (2019 ONSC 2025), otherwise that decision also would have been referenced extensively. We are pleased to say that the Kaplan decision reflects much of what is written below. However, for those interested, we recommend reviewing that decision, as well as monitoring its progress as appellate review is undertaken.