A recent Federal Court decision examines the importance of an insurer’s timely claims handling   procedures in the context of cyber insurance policies.  The case reveals that courts, when interpreting duties under cyber insurance policies, may be inclined to apply a heightened standard of care to an insurer’s delay in investigating cyber insurance claims even when the insurer is found to not owe coverage under the policy.  The decision supports the need for diligence in an insurer’s investigation of claims under cyber insurance policies.

In recent years, insurance companies have issued cyber insurance policies that provide coverage for, among other things, wrongful acts stemming from the use of electronic data or other technology.  Whether such policies provide coverage for claims that implicate electronic data misuse depends on the specific language of the policies.  Some policies may specifically exclude intentional or willful acts from coverage, while others may limit coverage to only errors based in negligence.  Regardless, courts may be inclined to require heightened diligence and care in an insurer’s investigation of claims made under cyber insurance policies due to the nature of such claims.

In the latest ruling from Travelers v. Federal Recovery Services, Inc., No. 2:14-CV-170, 2016 WL 146453 (D. Utah Jan. 12, 2016), the United States District Court for the District of Utah issued one of the first written opinions addressing whether a claim implicating electronic data misuse is covered by a type of “cyber” insurance policy.  While the Court determined that the policy language at issue provided coverage for errors, omissions, and negligent acts, it held that the coverage did not extend to claims of intentional or willful misconduct.  Id. at *3.  Further, the Court touched upon an insurer’s separate – and apparently heightened – duty to abide by the inherent covenant of good faith and fair dealing, which may be breached regardless of whether the insurer has a duty to defend under the policy.  Id. at *5-6

The insured, Federal Recovery Acceptance, Inc. (“FRA”), was in the business of providing processing, storage, transmission, and other handling of electronic data for its customers.  Id. at *3.  Travelers insured FRA under a “CyberFirst Technology Errors and Omissions Liability Form Policy.”  The Cyber First Policy afforded coverage for losses caused by an “errors and omissions wrongful act,” which was defined in the policy as “any error, omission or negligent act.”  Id. at *3.

FRA provided services, including processing and transferring of member fees and account information, to Global Fitness, a company that operates fitness centers in several states.  Global Fitness filed a lawsuit against FRA claiming that FRA retained possession of member data and knowingly interfered with its business dealings.  As a result of this suit, FRA sought coverage from Travelers based on the CyberFirst Policy.  Id. at *1.  After denying FRA’s claim for coverage for the Global Fitness lawsuit, Travelers sought declaratory relief against FRA regarding Traveler’s duty to defend the Global Fitness lawsuit.  Id. at *2.  Thereafter, FRA filed counterclaims against Travelers for its denial of coverage, including (1) breach of contract, (2) breach of the implied covenant of good faith and fair dealing, and (3) breach of fiduciary duty, and also filed a motion for partial summary judgment seeking the Court's determination regarding Travelers’ duty to defend.  Id. at *1-2.

On May 11, 2015, the Court denied FRA’s motion for summary judgment, holding that Travelers did not owe FRA a duty to defend FRA in the Global Fitness action under the CyberFirst Policy.  Id. at *2.  Thereafter, Travelers moved for summary judgment on FRA’s counterclaims.  In January of this year, the Court granted Travelers motion in part, dismissing FRA’s counterclaims of breach of contract and breach of fiduciary duty,  but denied Traveler’s motion based on FRA’s claim regarding breach of the implied covenant of good faith and fair dealing.  Id. at *2-7.  In granting Traveler’s motion in part, the Court relied upon its earlier May 11, 2015 ruling.

Most interesting are the reasons for the Court’s denial of Travelers motion for summary judgment on FRA’s claim for breach of the implied covenant of good faith and fair dealing.  In denying, the Court focused on the inherent covenant that exists in every contractual relationship, wherein “the contracting parties each impliedly promise not to intentionally or purposely do anything that will destroy or injure the other party's right to receive the fruits of the contract, and to comply with the covenant, a party must act consistently with the agreed common purpose and the justified expectations of the other party.” Id. at *5 (citations, alterations, and internal quotations omitted).  The Court reasoned that “[a]t the very least, the covenant contemplates that the insurer will diligently investigate the facts to enable it to determine whether a claim is valid, will fairly evaluate the claim, and will thereafter act promptly and reasonably in rejecting or settling the claim.”  Id. at *6 (citations omitted).  The Court also reasoned that while an insurer cannot be held to have breached this covenant by denying a claim for coverage that is debatable but later is found to be proper, an insurer may still breach its covenant for separate reasons, such as the mishandling of a claim.  Id. at *5-6.

With respect to FRA’s specific counterclaim and allegations, the Court cited to FRA’s allegations that Travelers required copies of the Global Fitness filings and pleadings before it would initiate an investigation into FRA’s claim and also failed to “diligently investigate, fairly evaluate, and promptly and reasonably communicate with FRA since the claim was initially tendered [almost six months after FRA informed Travelers of the lawsuit].” Id. at *6.  These allegations of improper claims handling, the Court found, raised issues of material fact to be determined by a jury.  Id.

In allowing FRA’s claim for breach of the implied covenant of good faith and fair dealing to stand despite finding no coverage under the CyberFirst Policy, the Court may have been inclined to apply a heightened standard of care to an insurer’s delay in investigating cyber insurance claims.  Depending on the circumstances and the type of cyber coverage at issue, such claims could be extremely time-sensitive, and any delays could have a significant negative impact on an insured’s losses.  Thus, the decision reflects the importance of an insurer’s diligent claims investigation when its insured submits a cyber insurance claim, even when coverage ultimately may not be due.