• Cullen and Dykman LLP Blogs

  • Federal Court in Utah Finds No Duty to Defend Under Cyber Insurance Policy

    Cybersecurity has become a very hot topic with more and more reports of cyber-attacks on U.S. companies and governmental agencies. In one of the first cases to discuss cyber insurance coverage, Travelers v. Federal Recovery Services Inc.,[1] the U.S. District Court for the District of Utah ruled that a “CyberFirst Policy” issued by Travelers does not provide coverage for alleged willful and malicious conduct by the insured.

    By way of brief background, the insured, Federal Recovery Services, Inc. (“FRS”), was a data processing company that purchased cyber coverage from Travelers under a policy known as “CyberFirst.” The policy included the Technology Errors and Omissions Liability Form (“TEOLF”), which granted coverage for losses caused by error, omission, or negligent conduct. FRS sought coverage related to allegations brought by one of its customers, Global Fitness, which had provided customer information, including its members’ credit card information, to FRS for processing and maintenance. When Global Fitness entered into a sale transaction with another company, FRS allegedly returned some of the data but purposely withheld other information. As a result, Global Fitness sued FRS, alleging that it acted with “knowledge, willfulness, and malice.”

    Global Fitness brought claims against FRS for tortious interference, promissory estoppel, conversion, breach of contract, and breach of the implied covenant of good faith and fair dealing. In response, FRS provided formal written notice of its tender of the defense to Travelers, which accepted under a full and complete reservation of rights. Travelers then filed an action for declaratory relief, and FRS moved for partial summary judgment requesting a determination that Travelers owed it a duty to defend.

    The issue before Senior U.S. District Court Judge Ted Stewart was whether Global Fitness’s action triggered Travelers’ duty to defend FRS under the TEOLF. Travelers argued that it was not under a duty to defend FRS because the complaints from Global Fitness did not allege damages from an “error, omission or negligent act.”

    Judge Stewart applied Utah law, which states that an “insurer’s duty to defend is determined by comparing the language of the insurance policy with the allegations in the complaint,” and agreed with Travelers that it had no duty to defend. He explained that because the customer’s complaint alleges that FRS “knowingly withheld this information and refused to turn it over until [Global Fitness] met certain demands,” and does not claim that FRS’s actions were done because of error, omission, or negligence, the allegations are not covered by the TEOLF, and therefore, Travelers does not have a duty to defend.

    This case demonstrates that even though these cyber insurance policies are new to the market and to the courts, at the end of the day fundamental insurance principles will be applied to settle disputes. Policyholders are advised to review their coverage forms to determine what types of claims their cyber risk policy covers before tendering an offer of defense to their insurer.

    If you or your institution has any questions or concerns regarding commercial litigation or cybersecurity related issues, please email Cynthia A. Augello at caugello@cullenanddykman.com or call her at (516) 357-3753.

    A special thank you to Lauren Dwarika, a law clerk at Cullen and Dykman LLP, for her assistance with this blog post.


    [1] D. Utah No. 2:14-CV-170 TS, 2015 U.S. Dist. LEXIS 62185 (May 11, 2015).