A judge in the United States District Court for the District of Utah denied Defendants’, Federal Recovery Services and Federal Recovery Acceptance, Inc. (collectively “Defendants”), Motion for Partial Summary Judgment seeking a determination that Plaintiff, Travelers Property Casualty Company of America (Travelers), owed a duty to defend under a cyber liability policy. (Travelers Property Casualty Company of America, et al. v. Federal Recovery Services, et al., Case No. 2:14-CV-170 TS). Defendants tendered defense of the underlying action brought by Global Fitness Holdings, LLC (Global Fitness) to Travelers. Travelers accepted tender of defense under a full and complete reservation of rights.
Defendants are in the business of providing processing, storage, transmission, and other handling of electronic data for its customers. Travelers issued a cyber liability insurance policy to Defendants which provided, “Travelers has a duty to defend the insured against any claim or suit seeking damages for loss to which the insurance provided under one or more of ‘your cyber liability forms’ applies.” The cyber liability policy included a Technology Errors and Omissions Liability Form. The Form states that insurance applies only to a “loss caused by an ‘errors and omissions wrongful act’ committed in the ‘coverage territory’.” An “errors and omissions wrongful act” is defined as “any error, omission or negligent act.”
In October 2012, Global Fitness brought suit against Defendants asserting claims for conversion, tortious interference, and breach of contract. Global Fitness owns and operates fitness centers in several states. It entered into a contract with Defendants that required Defendants to process Member Accounts and transfer members’ fees to Global Fitness. Global Fitness subsequently entered into an Asset Purchase Agreement with LA Fitness whereby it agreed to transfer all of its account data to LA Fitness. Global Fitness informed Defendants of the need to return Member Accounts data to Global Fitness; but Defendants withheld certain parts of the data, along with funds it received in servicing Member Accounts, until Global Fitness satisfied vague demands for significant compensation. Defendants’ refusal to return the Member Account information is the basis of the underlying action that Defendants tendered to Travelers for defense.
The issue before the Court was whether the underlying Global Fitness action triggered Travelers’ duty to defend under the terms of the cyber insurance policy it issued to Defendants. Travelers argued that it had no duty to defend under the terms of the cyber liability policy because Global Fitness did not allege damages from an error, omission or negligent act. Under Utah law, an insurer has a duty to defend when the insurer ascertains facts giving rise to potential liability under the insurance policy. The cyber insurance policy covered errors, omissions and negligent acts, but Global Fitness did not allege that Defendants withheld data because of any error, omission or negligence. Rather, Global Fitness alleged that Defendants knowingly withheld information, exhibiting knowledge, willfulness and malice. Based on these allegations contained in Global Fitness’ complaint, the Court denied Defendants’ Motion for Partial Summary Judgment.
This case is one of the few judicial decisions interpreting the terms of a cyber insurance policy. It demonstrates one of the many ways the terms of these policies will be challenged in the future. However, the Court’s decision should not be seen as an indicator of a future trend denying coverage under cyber liability policies. This case is a straightforward application of insurance law, and the facts of the case did not present any novel issues for the Court to deal with in the cyber insurance context.