On May 11, 2015, the U.S. District Court of Utah denied an insured’s motion for partial summary judgment in Travelers Property Casualty Company of America et al. v. Federal Recovery Serv.et al. The court found there was no duty to defend under a CyberFirst Policy issued by Travelers. The Defendants, Federal Recovery Services, Inc. and Federal Recovery Acceptance, Inc., provided electronic data and information handling for its customer, Global Fitness Holdings, LLC, who in the underlying action, Global Fitness alleged Defendants withheld this information and data.
Pursuant to its contract with Global Fitness, the Defendants were responsible for processing and retaining account information for Global Fitness’ gym members. As part of a sale of Global Fitness to L.A. Fitness, Global Fitness was required to transfer its members’ data, which was held by Defendants, to L.A. Fitness. Global Fitness claimed the Defendants refused to provide the information “until Global Fitness satisfied several vague demands for significant compensation.”
Travelers issued a CyberFirst Policy to the Defendants. The cyber policy at issue included a Network and Information Security Liability Form and Technology Errors and Omissions Liability Form, which provides coverage for “damages” caused by an insured’s “errors and omissions wrongful act.” The Travelers’ Policy defined “Errors and omissions wrongful act” as “any error, omission or negligent act.”
When Global Fitness sued the Defendants, the Defendants tendered their defense under the Travelers’ CyberFirst Policy. Travelers issued a reservation of rights letter and initiated this declaratory judgment action.
The central issue before the District Court was “whether the Global Fitness action triggered Travelers’ duty to defend under the Technology Errors and Omissions Liability Form.” Specifically, there would only be coverage under the Travelers’ policy “if the loss [was] caused by an ‘errors and omissions wrongful act.’” Travelers argued the Policy was not triggered because the Global Fitness action was not based on allegations falling into the definition of an “error, omission or negligent act.” On the other hand, the Defendants took the position that Travelers’ denial was improper because Travelers “ignores the potential that [Defendants] may be found liable for an error, omission or negligent act relating to the holding, transferring or storing of data.” In particular, Defendants asserted “Global’s claim that [Defendants] ‘withheld’ the data is broad enough to encompass possible error, omission or negligent act by [Defendants].”
Based on the following reasoning, the District Court rejected the Defendants’ argument and denied their partial motion for summary judgment:
“Global does not allege that Defendants withheld the data because of an error, omission, or negligence. Global alleges that Defendants knowingly withheld this information and refused to turn it over until Global met certain demands. Defendants allegedly did so despite repeated requests from Global to provide the data. Instead of alleging errors, omissions, or negligence, Global alleges knowledge, willfulness and malice.”
While the Federal Recovery ruling held that intentional conduct is not insurable may not be significant or groundbreaking for insurance coverage cases as whole, it is indicative of the fact that cyber policies are becoming more common in the marketplace. Additionally, the Federal Recovery decision offers one of the earliest glimpses of how courts may analyze cyber coverage in future litigation.