The American Health Lawyers Association last week published an analysis of one of the first cases involving a cyber liability insurance policy. The e-alert is republished below. Please note that any further reproduction of this work requires the advance written permission of the American Health Lawyers Association.
On May 11, the U.S. District Court for the District of Utah handed down what may be the first decision in a cyber liability policy coverage dispute. The case involved a conflict between the insurer Travelers Property Casualty Company of America (Travelers) and Federal Recovery Services Inc. and Federal Recovery Acceptance Inc. (Federal) over whether Federal’s intentional conduct fell within the scope of the Technology Errors and Omissions policy and therefore triggered Travelers’ duty to defend under Utah law. The court took a narrow view, denying Federal’s motion for partial summary judgment and holding that intentional conduct did not fall within the policy, which covered “any error, omission, or negligent act.”
The Policy Language
Federal, an organization that provides processing, storing, transmission, and other handling of electronic data, purchased a “CyberFirst” insurance policy from Travelers, which included a Technology Errors and Omissions Liability Form. The policy covered “‘damages’ because of loss . . . caused by an ‘errors and omissions wrongful act’ . . . .” The key term, “errors and omissions wrongful act” was defined to include “any error, omission or negligent act.” The policy also provided defense coverage and required Travelers to defend the insured against any claim to which the cyber liability policy applied. Because the duty to defend did not reach claims that were not covered by the cyber liability form, the critical question in this case was whether claims made against Federal by a third party, Global Fitness, were covered by the cyber liability insurance policy and would therefore trigger Travelers’ duty to defend.
Global Fitness owned and operated fitness centers. It contracted with Federal Recovery Acceptance Inc. to hold members’ credit card or bank account information and process their monthly membership payments. When Global Fitness entered an agreement to sell its assets to L.A. Fitness, it asked Federal Recovery Acceptance Inc. to return its member accounts data. Global Fitness alleged that Federal Recovery Acceptance Inc. refused to return the data unless Global Fitness paid it significant compensation. Subsequently, Global Fitness asserted claims under theories of tortious interference, promissory estoppel, conversion, breach of contract, and breach of the implied covenant of good faith and fair dealing.
Federal took the position that Travelers was obligated to defend against these claims under the terms of the cyber liability policy Federal had purchased. Travelers, however, argued that the claims were not covered by the Errors and Omissions Liability Form, because they alleged intentional misconduct by Federal rather than merely negligent conduct.
The court sided with Travelers, holding that Travelers did not have a duty to defend because the claims made by Global Fitness were not covered by the policy’s cyber liability forms.
The court explained that the policy’s errors and omissions coverage was limited to wrongful acts that involve negligent conduct. It agreed with Travelers that Global Fitness’ claims, which were based on the theory that Federal Recovery Acceptance Inc. deliberately withheld data to coerce payments, did not allege “any error, omission or negligent act.” Finally, the court flatly rejected the defendants’ argument that Global Fitness’ claims were broad enough to at least potentially encompass errors, omissions, or negligent acts, explaining that “the Court must compare the policy language to the allegations in [Global Fitness’s] Complaint and Amended Complaint,” and there are no allegations “that sound in negligence.”
Although not all court cases involving the scope of errors and omissions coverage have resulted in such a narrow interpretation, this decision highlights the importance of the precise language of an insurance policy. As requirements for insurance coverage are increasingly being imposed on entities who operate in the health care field, this ruling emphasizes the importance of obtaining the best possible terms of coverage at the time of purchase or upon renewal. Moreover, given that data breaches often result from intentional misconduct of employees or criminal acts such as identity theft or hacking, this case provides a stark warning that not all policies will protect the insured’s interest. Although the Travelers case turned on traditional principles of coverage interpretation rather than any new law related to cyber liability insurance, its principles are important to keep in mind given the likelihood that cyber liability disputes will become increasingly common.