The court was required to consider the coverage provided by the insurer’s cyber insurance policy for a claim of damage to a third party “for a security breach”. A “security breach” was defined as “a failure of computer security to prevent unauthorised access or use of [the insured’s] computer systems”. Both the trial and appeal court concluded that the phrase “for a security breach” was ambiguous and construed the phrase to provide coverage under the policy for injury to a third-party “because of” or “resulting from” a security breach.
There was no dispute about the meaning of the term “security breach” but rather of the meaning of the preposition “for” in the phrase “for a security breach”.
The insurer argued that cover was not triggered because it had not been alleged that, as a result of the security breach, information relating to the third-party account was stolen or compromised. The insurer said that cover was only provided for a loss directly connected to the security breach. The result of that construction would be to narrow the policy’s coverage to third-party claims to recover damages to the loss or disclosure of private, third-party data from the insured’s computer system.
The insured successfully argued that the phrase included the third-party claim for damages where a security breach was causally but indirectly connected to the loss. and the word “for” meant “because of”, “arising out of” or “as a result of”.
The court said that the other terms of the policy did not resolve the question of ambiguity, acknowledged that the dictionary definition of “for” had multiple commonplace definitions, and noted a lack of interpretive consensus among courts as indicative of ambiguity.
The court said that because every one of the aids it looked to for assistance in determining whether a phrase or word in a policy is ambiguous supported multiple reasonable meanings of the phrase at issue , held that the phrase is ambiguous and construed the ambiguity in the policy in the insured’s favour. The court held that the policy coverage includes claims of loss “because of”, “resulting from” or “on account of” as security breach. The court also dismissed reliance on two policy exclusions.