With the growing number of data breaches impacting both small and large businesses, demand for cyber risk insurance will continue to grow in the coming years. However, even if one were to obtain a cyber risk insurance policy, there is no case law in Australia yet that may assist us in its interpretation. This is understandable, given its genesis has only occurred in the past couple of years, and that its uptake (though increasing) has yet to enter the mainstream like professional indemnity and business interruption policies.

Given the lack of judicial guidance, one needs to cast their net further to find cases that relate to existing cyber risk insurance policies. One such case was recently determined by the District Court of Utah in the US. In Travellers Property Casualty Company of America v Federal Recovery Services Inc (Travellers), the defendant (FRS) was issued with a cyber risk insurance policy that became the subject of proceedings.

In this matter, an organisation called Global Fitness operated a number of fitness centres. In running these centres, it contracted with FRS to compile and store its members' personal data. When Global Fitness went to sell its fitness centres, it requested that FRS provide it with all its members' data. FRS eventually provided most of the information, but held back the members' credit card and bank account details, making "several vague demands for significant compensation" before it would release such information.

As is common to many insurance policies, the insurer was only liable for the conduct of an insured that arose out of "any error, omission or negligent act". Because FRS' conduct was done with "knowledge, wilfulness and malice", the policy simply did not respond.

Cyber risk insurance is a brave new world for the business community and this case highlights the importance of understanding the scope and limitations on coverage provided when taking out any insurance policy.

This article was written by Andrew Sharpe and Mark Slaven, to view Mark's profile please click here.