Data breaches continue to complicate the interpretation and understanding of commercial insurance policies. But even as courts confront thorny questions presented by cyber security policies, they continue to rely on long-standing principles of insurance and contract law applicable to other types of policies. One recent case, P.F. Chang’s China Bistro, Inc. v. Federal Insurance Company, No. 15-cv-1322 (SMM), 2016 WL 3055111 (D. Ariz. May 31, 2016), sheds light on the important role that traditional commercial liability policies play in interpreting cyber security policies, while also underscoring the importance of understanding both the insuring agreement provisions and exclusions in the cyber risk insurance policy that your company is considering purchasing.
In P.F. Chang’s, a decision from the U.S. District Court for the District of Arizona, the court held that the insurance policy between P. F. Chang’s China Bistro, Inc. and Federal Insurance Company did not cover fees and assessments that P.F. Chang’s had contractually agreed to reimburse to its debit/credit card processor resulting from a data breach. The court ultimately found that certain exclusions in the insurance policy barred coverage for MasterCard’s fees and assessments.
Federal sold a cyber risk insurance policy to P.F. Chang’s parent, Wok Holdco LLC, that covered P.F. Chang’s for “direct liability, and consequential loss resulting from cyber security breaches” from January 1, 2014 to January 1, 2015. Id., at *1. Federal marketed the Policy as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology dependent world.” Id., at *2.
In order to facilitate a high volume of credit card transactions, P.F. Chang’s, like most restaurants and retailers, also entered into a Master Service Agreement (the MSA) with Bank America Merchant Services (BAMS) to process debit and credit card transactions. In turn, BAMS contracted with MasterCard to process these same transactions. As part of the agreement between BAMS and MasterCard, MasterCard required BAMS to pay certain fees and assessments in the event of a data breach. Likewise, as part of the MSA, P.F. Chang’s agreed to reimburse BAMS for any such fees and assessments charged by MasterCard. Id., at *3.
In June 2014, hackers obtained and posted on the internet approximately 60,000 credit card numbers belonging to P.F. Chang’s customers. In the wake of the breach, P.F. Chang’s submitted claims to Federal under the Cyber Policy. Although Federal paid P.F. Chang’s more than $1.7 million for losses associated with the data breach under the Cyber Policy, it disclaimed coverage for approximately $2 million in fees and assessments imposed by MasterCard that P.F. Chang’s was required to reimburse to BAMS under the MSA. Id., at *2.
The fees and assessments fell within three categories. The first was a flat case management fee for assessing P.F. Chang’s compliance with security standards. The second was an operational reimbursement to MasterCard, which included the cost to notify customers of the breach and to replace all compromised credits cards along with their corresponding data. The third and largest charge consisted of a fraud recovery assessment, which covered costs due to fraudulent uses of the compromised data. Despite the coverage dispute with Federal for these fees and assessments, P.F. Chang’s reimbursed BAMS for these charges in order to avoid any disruption to its use of BAMS’ credit card payment services. P.F. Chang’s sued Federal to recover the assessment charges under the Cyber Policy.
While the court held that the operational reimbursement and case management fees (two of the three fees and assessments at issue) were covered losses under the insuring agreement of the Cyber Policy. Id., at *6-7, the Court ultimately concluded that these fees and assessments were specifically excluded. In its analysis, the court “turned to cases analyzing commercial general liability policies for guidance, because cybersecurity insurance policies are relatively new to the market but the fundamental principles are the same.” Id., at *8. The court relied on the fact that cases interpreting commercial general liability policies generally hold that liability exclusions also apply to “the assumption of another’s liability, such as an agreement to indemnify or hold another harmless.” Id., at *9. Although P.F. Chang’s sought to persuade the court that the exclusion did not apply in cases where the insured had a responsibility to a third party even if it had not assumed liability, the court found that P.F. Chang’s had failed to demonstrate that it would have been liable for MasterCard’s assessments absent the MSA. Id.
Finally, the court rejected P.F. Chang’s argument that coverage existed despite the exclusions under the “reasonable expectation” doctrine. That doctrine will support a finding of coverage under Arizona law where the insured’s expectation of coverage is “objectively reasonable,” and the insurer had “reason to believe that the [insured] would not have purchased the . . . policy if they [sic] had known that it included the complained of provision.” Id. The court concluded that there was no evidence that P.F. Chang’s expected the insurance policy to cover any potential assessment charges or fees incurred by a third party. The court also emphasized that sophisticated parties such as P.F. Chang’s and Federal can bargain for provisions that cover all of the fees and assessments at issue. Because the court found that P.F. Chang’s expectation of coverage was unreasonable (the first element of the reasonable expectation doctrine), it declined to analyze the second element of the doctrine – whether Federal had reason to believe that P.F. Chang’s expected MasterCard’s assessments to be covered under the Policy. Id., at *9.
This decision is a perfect example of why companies seeking to purchase cyber insurance should take great care in working with their insurance professionals to ensure that the company is purchasing the proper cyber policy for its likely risk exposure. There are approximately 70 different insurers selling cyber insurance in the U.S. commercial market today, and nearly all of those policies are issued on a surplus lines basis. As such, the wordings used in each of these policies vary, and the differences in policy wording from one cyber policy to the next can be significant. Indeed, there are a number of cyber policies available in the U.S. commercial market that do provide coverage for the types of credit card company fees and assessments that were at issue in P.F. Chang’s. And such credit card fees and assessments are a substantial and foreseeable risk for a national restaurant chain like P.F. Chang’s. P.F. Chang’s should have paid more attention to what was covered and excluded under the particular cyber insurance policy that it purchased when it was seeking such coverage.