By now, anyone who is remotely interested in insurance coverage for technology-related risks in Canada has probably heard or read about The Brick Warehouse LP v. Chubb Insurance Company of Canada[1], an Alberta decision involving social engineering fraud (a type of fraud involving psychological manipulation: the goal of the fraudster is to devise a scenario where the otherwise innocent person is tricked into unknowingly helping the fraudster to obtain money or confidential information). While this type of social engineering can happen outside the realm of technology, it is often a mode of theft used by online fraudsters.
In The Brick[2], a fraudster contacted The Brick’s accounting department, pretending to be a new employee of Toshiba, one of The Brick’s suppliers. The fraudster persuaded the employee to provide certain payment information. A few days’ later, another employee of The Brick received a call from another, related fraudster, purporting to be one of Toshiba’s controllers. The fraudster advised that Toshiba had changed its bank, and provided new account details. The fraudulent controller then sent The Brick an email confirming the new banking details. The Brick accepted the revision, and never took steps to verify the information. The Brick then proceeded to transfer $338,322.22 to the new account. It was not until a valid representative of Toshiba requested payment from The Brick that the fraud was discovered.
The Brick was able to recover $113,847.18, and made a claim to Chubb, its insurer, for the amount of $224,475.14, pursuant to certain coverage that was purportedly available under Chubb’s crime policy.
The crime policy provided coverage for “funds transfer fraud”, which was defined as:
… the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured’s knowledge or consent.
Chubb denied coverage, and The Brick sued. The court found the relevant American case law to be persuasive, and held that “funds transfer fraud” covers situations where a bank’s transfer of funds was due to a third party impersonating an employee of the insured. As such, there can be no coverage where the employee knew about and consented to the transfer of funds, even where they were tricked by a third party into doing so. Accordingly, the court upheld Chubb’s denial.
Since this decision was released in July 2017, several pundits have hailed it as ground-breaking in terms of cyber risks in Canada. However, there are at least three reasons why it is not all that significant to the Canadian cyber insurance market:
1. A cyber insurance policy was not at issue
The policy at issue was a crime-coverage policy, not a cyber insurance one.
A cyber insurance policy is typically aimed at covering loss of data and related risks. A crime policy, on the other hand, typically covers employee dishonesty and related fraud. Sometimes, these risks overlap, for example, when data is lost due to employee dishonesty or fraud. However, the claim for indemnification, or, in the case of liability insurance, for defence and indemnification, must be considered in the context of the terms and conditions of the policy at issue.
This is because each type of policy, whether property, commercial liability, directors’ and officers’, errors and omissions, or crime/fidelity, cyber etc., is written to cover certain risks and exclude others. For instance, there have been instances where insureds have sought coverage for data breaches under commercial general liability and other liability policies, only to discover that the policies do not cover that type of loss.
The Brick decision does not answer the question of how a Canadian court would interpret policy wording of the relatively new cyber insurance products on the market. While we do not have precedent-setting case law in Canada, there are ways of predicting how a court may find, based on the usual principles of interpretation and analogous case law.
2. The Court relied on well-established insurance interpretation principles
In The Brick, the court relied on well-established first principles of contract interpretation. For example,
- unambiguous language should be interpreted in accordance with its plain and ordinary meaning
- ambiguous language should be construed reasonably, to give effect to the parties’ intentions
- ambiguities, which cannot be resolved, should be read against the drafting party
One would expect a Canadian court to consider these basic principles as a starting point. In fact, one could say that The Brick decision is wholly unremarkable, as the court simply gave effect to the plain, ordinary meaning of the words “funds transfer fraud” in the insuring agreement.
In turn, when a Canadian court is asked to construe a coverage claim made pursuant to an actual cyber insurance policy, these first principles should be applied.
3. The Court considered American case law
Another way in which The Brick is wholly unremarkable is that the court considered American case law. In fact, Fraser J. found it persuasive, as he ruled in a similar fashion as recently decided US case law on similar policy wording and facts.
Canadian courts have previously considered American jurisprudence when interpreting insurance policies. This is especially true where the policy wording and underlying facts of the claim are similar. This largely occurs for two reasons:
- there is a plethora of American case law, thus, it is often relatively easier to find relevant cases, and
- the contractual interpretive principles are similar in both the U.S. and Canada, save for some unique State laws.
All things being equal, courts have found American insurance coverage case law to be persuasive where the logic of those rulings aligns with Canadian law.
So, when a Canadian court is asked to consider a cyber insurance coverage claim, one would expect American case law to be considered and likely followed, provided the policy wording and facts are similar enough, and there is no inherent distinction between the laws in the respective jurisdictions.