PRACTICAL POLICYHOLDER ADVICE
On its face, a recent decision by the Federal District Court for the District of Utah might appear to threaten the duty-to-defend rights of policyholders owning cyber risk insurance. Travelers Property Casualty Co. of America v. Federal Recovery Services, Inc., No. 2:14-cv-170 TS, slip op. (D. Utah May 11, 2015). But if the word “cyber” were removed from the opinion altogether, the decision would likely read no differently. Put simply, cyber risk insurance policyholders should feel comfortable that this opinion does not define any kind of trend as to the availability of coverage under cyber risk policies, and that this ruling is, ultimately, much ado about nothing.
In Federal Recovery Services, Judge Ted Stewart held Travelers’ cyber risk insurance policy—called CyberFirst®—did not afford a duty to defend against several claims made against the policyholder for intentional torts, including conversion and tortious interference. Slip op. at 8. The decision pitted Travelers against two data processing companies, Federal Recovery Services (FRS) and Federal Recovery Acceptance, Inc. (FRA), which had purchased Travelers’ CyberFirst® coverage. The CyberFirst® policy included a Network and Information Security Liability Form and a Technology Errors and Omissions Liability Form (Tech E&O). The Tech E&O provided for Travelers’ duty to defend for “an errors and omissions wrongful act,” which was defined as “any error, or omission or negligent act.” Slip op. at 2-3.
The underlying suit for which FRA and FRS were seeking coverage involved Global Fitness, a company owning a chain of fitness stores in several states. Global Fitness provided FRA with customer information, including credit card and bank account information. FRA would then process the information, transferring the members’ fees to Global Fitness. Slip op. at 3.
Global Fitness subsequently entered into an Asset Purchase Agreement (APA) with L.A. Fitness. Slip op. at 3. Global Fitness informed FRA of the APA, and, according to the decision, FRA willingly agreed to transfer the member information back to Global Fitness. Slip op. at 3. While FRA apparently produced some of the data, it withheld critical pieces of information, including “credit card, checking account, and savings account information.” Slip op. at 4. Instead, FRA made “‘demands for significant compensation’” in exchange for transferring the remaining customer data. Slip op. at 4.
Global Fitness responded by filing claims against FRA for “conversion, tortious interference, and breach of contract” and requesting “injunctive relief, punitive damages, and attorney fees.” Slip op. at 4. In its amended complaint, joining FRS in the action, Global Fitness also alleged FRA and FRS “willfully interfered with Global Fitness’s property and refused to return Global Fitness’s property without cause or justification.” Slip op. at 5. FRA and FRS tendered defense of the Global Fitness action to Travelers, which accepted the tender under a reservation of rights letter. Slip op. at 5-6.
Ultimately, Travelers refused to defend FRA and FRS on the grounds that neither the original nor the amended complaints alleged damages from an “error, omission or negligent act.” Slip op. at 7. FRA and FRS, for their part, responded that Travelers’ argument rested on an “improper inference” that their refusal to turn over the data was rooted in an “intent to injure” and “ignore[d] the potential” that they “may be found liable for an error, omission or negligent act relating to the holding, transferring or storing of data.” Slip op. at 7.
In ruling for Travelers, the Court applied black letter insurance law: “an insurer’s duty to defend is determined by comparing the language of the insurance policy with the allegations in the complaint.” Slip op. at 6 (citing Fire Ins. Exch. v. Estate of Therkelsen, 27 P.3d 555, 560 (Utah 2001)). FRA’s coverage extended to “any error, or omission or negligent act.” Slip op. at 2-3. Global Fitness’s complaint, however, alleged not that FRA erred or was negligent in handling customer information; rather, Global Fitness argued FRA acted with “knowledge, willfulness, and malice” in withholding the information, reducing the value of the APA. The Court saw no potential for coverage in these allegations and, thus, ruled against the policyholder.
Policyholders may want to consider asking, at the time of placement, whether their Tech E&O policies might afford coverage for situations such as these or whether the policy fits their business model. But at bottom, the court applied a fairly basic black letter analysis, comparing the scope of the coverage with the allegations in the complaint for which coverage was being sought. There was no analysis of whether the Tech E&O policy’s terms afforded coverage for any form of “cyber loss” or “cyber event.” The Court seemed satisfied that this was a run-of-the-mill conversion and tortious interference claim that simply did not trigger the duty to defend. Given that the Tech E&O policy extended only to errors, omissions or negligence, and because the complaint contained no allegations of such potentially covered claims, or even facts pled that would support such claims, it should have come as no surprise that the court found no duty to defend.