The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/732387
48 O C T O B E R 2 0 1 6 w w w . C A N A D I A N L a w y e r m a g . c o m and commercial litigation practice group. And while litigation around policies in Canada is currently scarce, some firms have channelled Wayne Gretzky, develop- ing expertise in the area in anticipation of the eventual arrival of that particular puck. "We feel that for any insurance defence firm, you have to start being part of the cyber-insurance world, because it's going to become more and more of an issue," says Kadey Schultz, co-founder of Toronto boutique Schultz Frost LLP. As the sector matures, "it will become a core area of practice for a number of lawyers going forward," predicts David Mackenzie, a partner at Blaney McMurtry LLP with a focus on insurance litigation. Greg Markell, president of Ridge Can- ada Cyber Solutions, says coverage under policies is typically divided into first party, relating to expenses incurred in the imme- diate aftermath of a security breach, and third party, which applies to losses or damages caused to customers as a result of the incident. Lawyers are already establishing them- selves as "breach coaches" appointed under first-party claims, to quarterback the response effort following a cyberat- tack. They co-ordinate a team that can include systems engineers, IT companies and public relations specialists working to recover lost data, notify regulators and affected customers and get the company back up and running as quickly as pos- sible. "Breach coaches should always be lawyers. I'm of the opinion that your first call after a breach should be to a lawyer, so that they can help protect privilege. After that, they're helping to triage the process," Markell says. Jill Shore, a lawyer with Vancou- ver insurance boutique Dolden Wallace Follick LLP who has acted as a breach coach for companies, says someone at the firm is always on call for insured businesses facing a cyber-emergency. "They get a 1-800 number in their policy, where we provide them with some limited free advice if it's needed on an urgent basis. If they choose to retain us to proceed further, then they have the benefit of knowing that we have been pre-approved by the insurance company in the event there is coverage," she says. Shore also carries out more tradi- tional work for insurance companies in the cyber realm, drafting policies and advising them on the implications of amendments or enhancements made to them. According to Davis, parties to cyber- insurance policies face "enormous chal- lenges on the drafting front" thanks to the disconnect between ancient tradi- tional policy terms and language and the modern cyber-risks to which they are being applied. In addition, no two cyber-insurance policies are alike, according to Bourk. At this early stage in their evolution, they tend to be bespoke products, changing depending on the specific needs and attributes of individual clients. "The exposures of a retailer are often different to those of a municipality, a hospital, a manufacturer, a hi-tech com- pany or a professional firm such as a law firm," he says. "Coverage and premium negotiations, depending on the client, can be nuanced." Underwriters, too, are facing strug- gles thanks to the lack of data and loss history needed to make reliable actuarial calculations about exposure. Meanwhile, the level of competition in the market has prevented them from taking too conservative an approach to premiums levels. With as many as 60 insurers offer- ing cyber-insurance products of one sort or another, competitors can easily price themselves out of the market. "It's an interesting time to be an under- writer. To a great extent, they're operating in the dark. Nobody knows if they're tak- ing in enough premiums to cover the risk," Mackenzie says. "That's why policies are drafted the way they are: There are some fairly broad exclusions and some very carefully crafted agreements." When the current wave of new cus- tomers advances to the next phase in the life cycle of an insurance policy and the claims start rolling in, light will be shed on some of the unknowns troubling under- writers. According to Davis, the current emphasis on exclusions could also mean a spike in coverage disputes. "There are a plethora of exclusions, which may take away more coverage than the insured anticipates in some of these types of polices," Davis says. For example, he says some cyber- insurance policies could be interpreted as excluding claims for breaches that occurred due to human error, an argu- able factor in the vast majority of cyber- breaches. "You may find exclusions for mechani- cal failures, errors in design or incompat- ibility of software, and we don't really know how they are going to be treated," Davis says. According to Schultz, some case law on point will prove extremely valuable to the cyber-insurance policy drafters of the future, since virtually none exists yet in Canada. Although there are some deci- sions that give guidance on privacy rights and potential damages when those rights are violated, she says there are still a lot of gaps in the jurisprudence. "I have said in the past that it feels almost like the Wild West in Canada, because the way our system works is that IT'S AN INTERESTING TIME TO BE AN UNDERWRITER. TO A GREAT EXTENT, THEY'RE OPERATING IN THE DARK. NOBODY KNOWS IF THEY'RE TAKING IN ENOUGH PREMIUMS TO COVER THE RISK. DAVID MACKENZIE, Blaney McMurtry LLP L E G A L R E P O RT \ I N S U R A N C E L AW