Canadian Lawyer

August 2019

The most widely read magazine for Canadian lawyers

Issue link: https://digital.canadianlawyermag.com/i/1149701


FOCUS ON INSURANCE LAW

Much uncertainty on insurance coverage after cyberattacks

Limited case law available and a need to take a close look at policies, say lawyers

". . . once you have seen a coverage dispute down to the end, it's not entirely clear where the court is going to side." Sean Lewis, Lenczner Slaght

TWO RECENT cases have highlighted issues around cybersecurity insurance coverage, and lawyers say clients need to take a close look at their policies to see if they're covered should a problem arise.

Sean Lewis, an associate with Lenczner Slaght Royce Smith Griffin LLP in Toronto, says there are policies that exist to address social engineering fraud, which he describes as "identity theft and fraudulent schemes perpetrated online." This can include email phishing, he says.

"We have them, but what's not clear is what it all means from a coverage standpoint once you actually get into one of these situations," says Lewis, who says case law in the area is "sparse."

For example, in Dentons Canada LLP v. Trisura Guarantee Insurance Company, 2018 ONSC 7311, the law firm became embroiled in a dispute with its insurance company. This came after an associate was misled by fraudsters and transferred $2.5 million into a Hong Kong bank account. The firm managed to get $800,000 back and made a claim for the remaining amount from Trisura, but the insurer said it wouldn't pay out.

"Trisura denied coverage for the loss on November 13, 2017, on the ground that the Computer Fraud Rider does not respond to the circumstances of the loss as alleged by Dentons, specifically that the transfer of funds by Dentons on January 3, 2017 was not itself fraudulently caused and that no computer was used to fraudulently cause any transfer of any funds because the transfer itself was not fraudulent; that Dentons is precluded from relying on the Computer Fraud Rider because it declined a Social Engineering Fraud Rider and, as a result, had no reasonable expectation of coverage for social engineering fraud losses . . .," said the ruling.

However, Dentons said the "plain language of the policy provides coverage in the circumstances." Dentons applied for a declaration that the insurer had breached its policy and had a duty to pay, later narrowing the application to obtain an advisory opinion on the fraud rider. Justice Carole Brown ultimately ruled that the application had to be converted into an action.

"I am of the view that all evidence necessary to make a full determination of the issues is not in the record and is not before the Court on this application," said the ruling.

Meanwhile, in the Brick Warehouse LP v. Chubb Insurance Company of Canada, 2017 ABQB 413, the Brick transferred more than $330,000 to a fraudster after they called the company and pretended to be an employee of Toshiba and followed up by email. The Brick became involved in a legal dispute with its insurer.

The Brick argued that "the policy provision states that Chubb will pay for direct loss resulting from funds transfer fraud by a third-party, and the focus should be on the fraud itself and not on the fraudulent instructions." However, the court said the company was not entitled to recover its financial losses from Chubb.

"Certainly, the emails with the fraudulent instructions were from a third party. The actual transfer instructions; however, were issued by a Brick employee. There was no one forcing the employee to issue the instructions, there were no threats of violence or other harm. The employee was simply a pawn in the fraudster's scheme. Therefore, the transfer was not done by a third party," said the ruling.

Eric Charleston, a senior associate with Miller Thomson LLP in Toronto, says that, despite an organization's best efforts, human error is inescapable. In a recent article Charleston co-authored, he cited a statistic from the Canadian Survey of Cyber Security and Cybercrime, stating that Canadian businesses have spent an estimated $14 billion on cybersecurity.

"Organizations can mitigate the impact of a cyberattack by purchasing comprehensive standalone cyber-insurance tailored to the specific risks."
