On January 12, 2016, a federal court in Utah refused to dismiss a bad faith claim brought by Federal Recovery Services against Travelers Property Casualty Company of America, despite finding that there was no duty to defend FRS under Travelers’ “CyberFirst Policy.” Travelers Property Casualty Company of America et al. v. Federal Recovery Services et al., Case No. 2:14-cv-00170. FRS sought a defense and indemnity for a lawsuit filed against it by Global Fitness Holdings, LLC, a fitness center operator. Global Fitness had alleged that FRS intentionally misused the credit card and bank account information of Global Fitness’ customers, which consequently interfered with FRS’s business dealings.

The court found that there was no coverage under the CyberFirst Policy because FRS’s alleged misconduct consisted only of willfulness and malice, which did not qualify as an “error, omission, or negligent act” for which the Policy provided coverage. However, the court found viable and refused to dismiss the question of whether Travelers breached the implied covenant of good faith and fair dealing by (1) inappropriately requiring Defendants to first receive suit papers before initiating a claim; and (2) failing to “diligently investigate, fairly evaluate, and promptly and reasonably communicate with FRA since the claim was initially tendered in December 2012.”

The decision underscores the importance of promptly investigating and responding to claims even where there is no coverage. This is particularly so in the context of personal data and cybersecurity, where significant harm can occur in a short amount of time following the data breach. As retailers and product manufacturers continue to make customer data critical to their operations, they will look to their insurers to provide coverage for their cyber risk profile. Travelers Property Casualty Company of America v. Federal Recovery Services illustrates a potential avenue of recovery even when that coverage is in doubt.