Deconstructing Cyberinsurance Coverage: Lessons From the Travelers Case

15 June 2015 Health Care Law Today Blog

The American Health Lawyers Association last week published an analysis of one of the first cases involving a cyber liability insurance policy. The e-alert is republished below. Please note that any further reproduction of this work requires the advance written permission of the American Health Lawyers Association.

On May 11, the U.S. District Court for the District of Utah handed down what may be the first decision in a cyber liability policy coverage dispute. The case involved a conflict between the insurer Travelers Property Casualty Company of America (Travelers) and Federal Recovery Services Inc. and Federal Recovery Acceptance Inc. (Federal) over whether Federal’s intentional conduct fell within the scope of the Technology Errors and Omissions policy and therefore triggered Travelers’ duty to defend under Utah law. The court took a narrow view, denying Federal’s motion for partial summary judgment and holding that intentional conduct did not fall within the policy, which covered “any error, omission, or negligent act.”

The Policy Language

Federal, an organization that provides processing, storing, transmission, and other handling of electronic data, purchased a “CyberFirst” insurance policy from Travelers, which included a Technology Errors and Omissions Liability Form. The policy covered “‘damages’ because of loss . . . caused by an ‘errors and omissions wrongful act’ . . . .” The key term, “errors and omissions wrongful act” was defined to include “any error, omission or negligent act.” The policy also provided defense coverage and required Travelers to defend the insured against any claim to which the cyber liability policy applied. Because the duty to defend did not reach claims that were not covered by the cyber liability form, the critical question in this case was whether claims made against Federal by a third party, Global Fitness, were covered by the cyber liability insurance policy and would therefore trigger Travelers’ duty to defend.

The Dispute

Global Fitness owned and operated fitness centers. It contracted with Federal Recovery Acceptance Inc. to hold members’ credit card or bank account information and process their monthly membership payments. When Global Fitness entered an agreement to sell its assets to L.A. Fitness, it asked Federal Recovery Acceptance Inc. to return its member accounts data. Global Fitness alleged that Federal Recovery Acceptance Inc. refused to return the data unless Global Fitness paid it significant compensation. Subsequently, Global Fitness asserted claims under theories of tortious interference, promissory estoppel, conversion, breach of contract, and breach of the implied covenant of good faith and fair dealing.

Federal took the position that Travelers was obligated to defend against these claims under the terms of the cyber liability policy Federal had purchased. Travelers, however, argued that the claims were not covered by the Errors and Omissions Liability Form, because they alleged intentional misconduct by Federal rather than merely negligent conduct.

The Decision

The court sided with Travelers, holding that Travelers did not have a duty to defend because the claims made by Global Fitness were not covered by the policy’s cyber liability forms.

The court explained that the policy’s errors and omissions coverage was limited to wrongful acts that involve negligent conduct. It agreed with Travelers that Global Fitness’ claims, which were based on the theory that Federal Recovery Acceptance Inc. deliberately withheld data to coerce payments, did not allege “any error, omission or negligent act.” Finally, the court flatly rejected the defendants’ argument that Global Fitness’ claims were broad enough to at least potentially encompass errors, omissions, or negligent acts, explaining that “the Court must compare the policy language to the allegations in [Global Fitness’s] Complaint and Amended Complaint,” and there are no allegations “that sound in negligence.”

Although not all court cases involving the scope of errors and omissions coverage have resulted in such a narrow interpretation, this decision highlights the importance of the precise language of an insurance policy. As requirements for insurance coverage are increasingly being imposed on entities who operate in the health care field, this ruling emphasizes the importance of obtaining the best possible terms of coverage at the time of purchase or upon renewal. Moreover, given that data breaches often result from intentional misconduct of employees or criminal acts such as identity theft or hacking, this case provides a stark warning that not all policies will protect the insured’s interest. Although the Travelers case turned on traditional principles of coverage interpretation rather than any new law related to cyber liability insurance, its principles are important to keep in mind given the likelihood that cyber liability disputes will become increasingly common.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Related Services

Insights

CMS Proposes Enhanced Scrutiny over Medicaid Supplemental Payments
20 November 2019
Health Care Law Today
The Purpose of a Corporation
November 2019
Legal News: Business Law
Should This Be a "Mobility" Industry Blog?
19 November 2019
Dashboard Insights
Data Processing Patent Eligibility: Federal Circuit Finds Claims Eligible in KPN v. Gemalto
19 November 2019
IP Litigation Current
PATH Summit 2019
18-20 December 2019
Arlington, VA
Madison CLE Days
18-19 December 2019
Madison, WI
MedTech Impact Expo & Conference
13-15 December 2019
Las Vegas, NV
HFMA MA-RI Annual Compliance Update
12 December 2019
Boston, MA