Yesterday, Travelers Prop. Cas. Co. of Amer. v. Federal Recovery Services, Inc., No. 14-170 (D. Utah) determined that no coverage existed under a Technology Errors and Omissions Liability Form found in a cyber insurance policy after the insured data processer had failed to return valuable personal identification information it held on behalf of the information’s owner. This case is going to get a lot of attention simply because it is the first published decision involving a cyber insurance policy form. What it shows is that, even in the cyber world, intentional misconduct is not negligence.
The facts of the case are straightforward. The underlying plaintiff, Global Fitness, owned and operated fitness centers in several states. As part of its operations, Global Fitness had numerous members who would provide credit card or bank account information through which Global Fitness could bill them (“Member Accounts Data.”). (Slip. op. at 3.) Defendants were engaged in the business of providing processing, storage, transmission, and other handling of electronic data for customers. (Id. at 1.) Global Fitness entered into a contract with Defendants to process the Member Accounts and transfer the members’ fees to Global Fitness. (Id. at 3.)
Global Fitness later entered into an asset purchase agreement with L.A. Fitness, which included as part of the sale, the transfer of Global Fitness’s Member Accounts Data. Global Fitness requested that Defendants return the Member Accounts Data to Global Fitness for inclusion in the asset purchase. Although Defendants stated that they would cooperate and transfer the data back to Global Fitness, according to the litigation that ensured, they did not. (Id. at 3-4.)
Defendants produced the Member Accounts Data, but data was missing. Defendants produced the data in an alternative format that included some, but not all of, the missing information. (Id. at 4.) According to the underlying complaint, Defendants did not produce credit card, checking account, and savings account information contained in the Member Accounts Data. (Id.) Global Fitness requested this information, and then requested that Defendants transfer the billing information back to Global Fitness.
Nevertheless, the information was not produced. Instead, according to the underlying complaint, Defendants “withheld the Member Accounts Data until Global Fitness satisfied several vague demands for significant compensation.” In addition, Defendants “refused to transfer funds it received in servicing the Member Accounts for the past week until all matters were resolved.”
Global Fitness filed a lawsuit, asserting claims against Defendants for conversion, tortious interference, and breach of contract. An amended complaint further alleged that Defendants purposefully withheld pieces of the Member Accounts Data for payment:
Global Fitness alleged that “[Defendants] withheld the Billing Data unless and until Global Fitness satisfied several demands for significant compensation above and beyond what were provided in the Agreement.” In addition, Global Fitness alleged that “[Defendants] retained possession of Member Accounts Data, including the Billing Data, which was the property of Global Fitness and was only provided to Paramount pursuant to the terms of the Agreement.” “[Defendants] willfully interfered with Global Fitness’s property and refused to return Global Fitness’s property without cause or justification.” “[Defendants] actions deprived Global Fitness of the use of its Member Accounts Data and its monies and threatened its ability to comply with its obligations under the APA with L.A. Fitness.”
(Id. at 4-5.)
The amended complaint asserted that, “[a]s a result of the delay caused by [Defendants’] actions, the purchase price of the APA decreased dramatically,” and Defendants “knowingly harmed Global Fitness’s rights under the APA with L.A. Fitness thereby causing Global Fitness irreparable harm and loss.” (Id. at 5.)
The insureds purchased a cyber insurance policy with a Network and Information Security Liability Form and a Technology Errors and Omissions Liability Form under which they sought defense coverage. (Id. at 1-2.) The insuring agreement stated as follows:
SECTION I – ERRORS AND OMISSIONS LIABILITY COVERAGE
We will pay those sums that the insured must pay as “damages” because of loss to which this insurance applies. The amount we will pay for “damages” is limited as described in Section III- Limits Of Insurance in your CyberFirst General Provisions Form.
This insurance applies to loss only if:
(1) The loss arises out of “your product” provided to others or “your work” provided or performed for others;
(2) The loss is caused by an “errors and omissions wrongful act” committed in the “coverage territory”;
(3) The “errors and omissions wrongful act” was not committed before the Errors and Omissions Retroactive Date shown in the CyberFirst Declarations or after the end of the policy period; and
(4) A claim or “suit” by a person or organization that seeks “damages” because of the loss is first made or brought against any insured . . . .
(Id. at 2.) Thus, the cyber policy provided coverage for loss caused by an “errors and omissions wrongful act.” (Id. at 7.) “Errors and omissions wrongful act” was defined as “any error, omission or negligent act.” (Id. at 7.)
In the ensuing coverage litigation, the insurer contended that the cyber policy did not apply because the underlying action did not allege damages from an “error, omission or negligent act.” Instead, the underlying complaints alleged intentional wrongdoing. (Id.). The Defendant insureds, on the other hand, contended that defense coverage existed because of the potential that they “may be found liable for an error, omission or negligent act relating to the holding, transferring or storing of data.” (Id. at 7-.8) Defendants contended that “Global’s claims that [Defendants] ‘withheld’ the data is broad enough to encompass possible error, omission or negligent act by [Defendants].” (Id.)
The Utah federal court disagreed with the insureds. Even in the cyber world, intentional misconduct is not negligence:
While the policy covers errors, omissions, and negligent acts, Global’s claims against Defendants allege far different justifications for the data to be withheld. Global does not allege that Defendants withheld the data because of an error, omission, or negligence. Global alleges that Defendants knowingly withheld this information and refused to turn it over until Global met certain demands. Defendants allegedly did so despite repeated requests from Global to provide the data. Instead of alleging errors, omissions, or negligence, Global alleges knowledge, willfulness, and malice.
(Id. at 8 (emphasis added).) The court concluded: To trigger Travelers’ duty to defend, there must be allegations in the Global action that sound in negligence. As discussed above, there are no such allegations.” (Id.) Therefore, the policy was not implicated and there was no duty to defend.
One cannot argue with that logic.