In Travelers Property Casualty Co. of America v. Federal Recovery Servs., Inc., Case No. 2:14-CV-170 TS (D. Utah May 11, 2015), the United States District Court for the District of Utah held that where a cyber liability policy’s insuring agreement requires “any error, omission or negligent act,” a claimant’s allegations that the policyholder purposefully withheld data belonging to the claimant did not trigger the insurer’s duty to defend.
In Federal Recovery, the policyholder entered into a contract with a fitness company to maintain the fitness company’s customers’ credit card and banking account information so that the fitness company could bill monthly membership dues. The fitness company subsequently entered into negotiations with a competitor under which the fitness company would transfer the customers’ member agreements, including the credit card and banking account information, to the competitor. The fitness company advised the policyholder about the transfer, and the policyholder agreed to cooperate.
The policyholder initially provided some of the customers’ data, but refused to provide the credit card and banking account information until it had received additional compensation. The fitness company filed suit against the policyholder for conversion, tortious interference and breach of contract, contending that the policyholder purposefully withheld data the fitness company owned, and that the policyholder refused to provide the credit card and banking account information until it received compensation above and beyond that contemplated in the contract.
The policyholder tendered its defense of the fitness company’s claims to its insurer, which agreed to defend subject to its right to initiate a declaratory relief action.
The cyber liability policy included several forms, including a Network and Information Security Liability Form and a Technology Errors and Omissions Liability Form. The insuring agreement of the Technology Errors and Omissions Liability Form required “any error, omission or negligent act” to trigger coverage.
The policyholder argued that the fitness company’s allegations were broad enough that the policyholder could potentially be held liable for an error, omission or negligent act relating to the holding, transferring or storage of data.
The Utah federal district court rejected the policyholder’s argument, reasoning that the fitness company did not allege that the policyholder withheld the customers’ data because of an error, omission or negligent act. Rather, the fitness company alleged that the policyholder knowingly withheld the data and refused to turn it over unless the fitness company met certain demands. Further, the fitness company alleged knowledge, willfulness and malice. Accordingly, the court concluded the insurer did not have a duty defend.
The Federal Recovery decision is significant because it is one of the first decisions to address coverage under a cyber liability policy. Reports of data breaches that result from hackers or lost or stolen technological equipment are commonplace; however, if the policyholder is not acting intentionally, there may be coverage for such events. In contrast, the Federal Recovery decision demonstrates that when a policyholder acts purposefully with respect to cyber liability issues, coverage may be compromised.
Wilson Elser’s Data Privacy & Security practice provides pre- and post-cyber-crisis services to clients, including data breach response, privacy litigation, cyber risk management and coverage. In addition, Wilson Elser attorneys constantly monitor and address emerging data security and cyber liability developments so that our clients are able to quickly respond to cyber events.