CONTRACTUAL LIABILITY FOR BREACH OF DATA SECURITY NOT COVERED BY INSURANCE POLICY

Aldo Group Inc. c. Chubb Insurance Company of Canada 2013 QCCS 2006 (CanLII)

A general insurance policy that covered “any …act, omission, neglect or breach of duty …allegedly committed…” contained an exclusion for liability “as a result of any…contract…”. The court held that a dispute about liability under a Processing Agreement for breach of the PCIDSS (Payment Card Industry Data Security Standards) was a purely contractual dispute within the exclusion, and the insurance company was not obliged under the terms of the policy to defend the action. In addition, the contractual requirements incorporated from the MasterCard Security Rules and Procedure Manual altered the rights to defend against a MasterCard/payment processor claim, in breach of the terms of the insurance policy, thus also disqualifying the insurance claim.

Drafters should ensure that the provisions of confidentiality agreements, privacy policies and payment processing contracts do not contain provisions related to liability and defences which breach the terms of any relevant insurance contract. Parties seeking insurance coverage for breaches of security, data, and confidentiality should ensure that the terms of a proposed policy are consistent with their existing contracts, and will provide the expected level of insurance protection. Full disclosure of relevant terms of existing agreements should be made to the insurer, (if this can be done without breaching the confidentiality obligations to others) with consent obtained in writing to the agreement terms. Parties that handle credit card information should ensure that they comply with the PCIDSS rules and requirements. Failure to do so can result in direct debits to their account by the credit card company/bank, as well as exposure to liability to cardholders.

Details of the case:

In Aldo Group Inc. c. Chubb Insurance Company of Canada, 2013 QCCS 2006 (CanLII), Aldo entered into a Processing Agreement with a payment processor, Moneris. The agreement incorporated the terms of the MasterCard Security Rules and Procedure Manual. This required compliance with the PCIDSS (Payment Card Industry Data Security Standards). The Processing Agreement permitted MasterCard (and the relevant bank) to debit Aldo’s account for a breach of PCIDSS rules and stated that “MasterCard determinations with respect to the occurrence of and responsibility for ADC Events or Potential ADC Events are conclusive and are not subject to appeal or review with MasterCard”. Aldo was in breach of various PCIDSS rules, including failure to install adequate firewalls; assign a unique ID to each person with computer access; monitor all access to network and cardholder data; and regularly test security systems and processes. MasterCard/Moneris debited Aldo’s account for USD $4.9 M pursuant to the terms of the Processing Agreement. Aldo filed an action claiming a return of the money, and making a claim for a defence under the insurance contract.

The CHUBB insurance contract excluded liability “as a result of any…contract…”, provided however that this exclusion shall not apply to Loss for which the Insured Organization would be liable in the absence of such a contract or agreement.” The court held that the dispute was solely about the interpretation of the Processing Agreement, which fell within the exclusion. Despite Aldo’s efforts to argue otherwise, the possibility that additional liability might arise based on its non-contractual obligations did not cause the insurance contract to apply to this claim, as no other liability had arisen, and no non-contractual matters were raised in the statement of claim. The CHUBB insurance contract also excluded coverage “for any settlement, Defence Costs, assumed obligation or admission to which it has not consented.” Because there was no appeal from MasterCard’s determination of a breach of the Processing Agreement, this deprived CHUBB of a right to defend, in breach of the insurance policy. Since CHUBB had not consented to this term of the Processing Agreement, it was not obliged to defend the action. Furthermore, the actions taken with respect to the dispute were taken without CHUBB’s knowledge or consent. The timing of which agreement was entered into first by Aldo was irrelevant. This decision was upheld on appeal (Aldo Group Inc. c. Chubb Insurance Company of Canada, 2016 QCCA 554 (CanLII)).

To read the full case on CanLII, click here.