The waiting has ended. On May 11, a Utah federal court handed down one of the first coverage decisions in the country construing a so called "cyber" policy. While the case did not deal with a data breach or other cyber event of the type that companies typically have in mind when procuring cyber insurance, it nevertheless may provide guidance on the scope of coverage under such policies.

In Travelers Property Casualty Company v. Federal Recovery Services, (Case No. 2:14-CV-170 TS), the U.S. District Court for the District of Utah interpreted a cyber liability policy and found that the insurer had no duty to defend its insureds against claims including tortious interference, conversion, and breach of contract. The insureds, Federal Recovery Services, Inc. and its affiliate (together, "FRS"), were in the business of processing, storing, and transmitting electronic data for their customers. FRS performed member account servicing for Global Fitness Holdings ("Global"), an owner and operator of fitness centers; FRS retained gym members' credit card and bank account information, and processed payments, on behalf of Global. For security reasons, FRA retained the only copy of Global's member account information. Global eventually entered into asset purchase agreement under which it was to be acquired by LA Fitness, pursuant to which Global was required to transfer its members' account information to LA Fitness. Despite Global's repeated requests for the data, FRS failed to return it and retained members' credit card and bank account information. Global sued FRS.

FRS was insured under a cyber liability insurance policy issued by Travelers that included "Network and Information Security Liability" and "Technology Errors and Omissions Liability" coverage modules. The latter  provided coverage for "errors and omissions wrongful acts," defined as "any error, omission, or negligent act." After agreeing to defend FRS under a reservation of rights, Travelers filed a declaratory judgment action seeking a ruling that it did not have a duty to defend. The court found that the Global suit did not contain any allegations of an error, omission, or negligent act by FRS, but instead alleged that FRS acted with "knowledge, willfulness, and malice" by purposely retaining the data. The court noted that "[t]o trigger Travelers' duty to defend, there must be allegations in the Global action that sound in negligence." In the absence of such allegations, the Global suit did not fall within the scope of coverage of Travelers' policy, and the court granted summary judgment to Travelers, holding that it had no duty to defend FRS.

While in this case the court found that there was no coverage, it serves as an important reminder to policyholders that cyber policies, which have become increasingly popular in the wake of high-profile data breaches, may also be a source of coverage for other types of liabilities. In the case discussed above, the only "cyber" element seems to have been that the dispute between Global and FRA concerned electronic data; it was not alleged that the insured, or anyone else, wrongfully accessed or publicized that data. Indeed, the errors and omissions module in the policy at issue does not appear to have required a cyber "hook" for coverage. Yet, even though the court denied coverage, it did not base its denial on the absence of a data breach.

A further point for policyholders to keep in mind is that, to date, there is little if any judicial guidance on the interpretation of insurance policies of any type in the context of data breaches and other cyber attacks. For example, with respect to coverage triggered by negligent acts and omissions, no court has addressed the level of negligence that must be alleged with respect to an insured whose computer network was infiltrated by cyber criminals resulting in the leak of private information. Given the recent proliferation of exclusions in general liability and first-party property policies that purport to bar coverage for cyber liabilities, and the increasing sophistication of cyber criminals, it may be only a matter of time before courts have many more occasions to interpret cyber policies. However, the availability coverage for cyber events under "traditional" policies is still a relatively untested question.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.