Out of the Box: Federal Court in Utah Denies Duty to Defend under Cyber Policy

Policyholder Insurance Coverage News

Client Alert

Cyber coverage may be the hottest topic in the insurance industry. More carriers are offering cyber coverage, and more consumers are coming to the market, trying to figure out what to buy with their premium dollars. And those questions (What policy do I need? What terms should it include? What exclusions should I avoid?) can be tough to answer when few, if any, courts have issued decisions applying cyber policies to real facts.

That void is now starting to fill. In what may be the first substantive cyber coverage opinion, a federal court in Utah ruled in Travelers v. Federal Recovery Services Inc. that the insurer had no obligation to defend its policyholders.

The policyholder was a data processing company, Federal Recovery Acceptance Inc. (FRA). FRA purchased cyber coverage from Travelers under a policy known as CyberFirst. That policy included E&O coverage arising from “any error, omission or negligent act.” FRA sought coverage related to allegations brought by Global Fitness, a fitness store chain with locations in several states. Global Fitness provided customer information, including credit card information, to FRA for processing. When Global Fitness entered into a sale transaction with another company, FRA returned some of the data but allegedly withheld other information, demanding additional compensation before it would be returned. Global Fitness sued FRA on a number of grounds, alleging that it acted with “knowledge, willfulness, and malice.”

The U.S. District Court for the District Court of Utah (Judge Ted Stewart) found that the allegations made by Global Fitness did not fall within the scope of the cyber policy. More specifically, none of those allegations related to an error, omission, or negligent act. Instead, Global Fitness alleged intentional acts with full knowledge. Because the allegations did not fit within the policy, there was no duty to defend.

We should start to see more and more decisions that provide guidance on the meaning of the terms in cyber policies. While this decision is not groundbreaking and relies on well-established law in other coverage arenas, future cases will no doubt cover stickier questions. It will be interesting to see how this relatively new market develops in the face of a growing body of case law. And if you are concerned about a particular policy term in a cyber policy that you are considering, it may soon be worth your while to see what the courts have said.