Cyber Insurers Draw First Blood

By Amy Stewart Law

May 2015 produced one of the first published cases interpreting a cyber insurance policy—in Travelers Prop. Cas. Co. of Am. v. Federal Recovery Services, Inc., No. 14-170 (D. Utah). Granting Travelers’ motion for partial summary judgment, the district court on May 11 decided the cyber policy was not triggered and the insurer had no duty to defend its insured.

The insured, Federal Recovery Services, Inc. (FRS), is a data processing vendor that handles electronic payment transactions. In connection with these services, FRS stores and transmits electronic data, including personal identification information, used to process payments. FRS purchased a Travelers CyberFirst Policy, which provided technology errors and omissions coverage.  

The underlying plaintiff, Global Fitness Holdings LLC, owned and operated fitness facilities in several states and contracted with FRS to handle customer payments. As part of an asset purchase agreement with LA Fitness, Global Fitness asked FRS to surrender the payment data for inclusion in the asset purchase. FRS allegedly withheld the data, refusing to turn it over until Global Fitness met certain demands. Global Fitness sued FRS for withholding the data, asserting claims for conversion, tortious interference, and breach of contract. 

According to the district court, none of the allegations against FRS “sound[ed] in negligence” as required to trigger coverage. Rather, the underlying lawsuit alleged only “knowledge, willfulness and malice”— not “errors, omissions, or negligent acts,” as required by the technology errors and omissions liability form. (Note the placement of the word “negligence,” which modifies only “act”—not “error” or “omission”.) This narrow interpretation of the coverage has policyholders scratching their heads. We’ll be watching closely.