In one of the first published rulings on coverage under a stand-alone “cyber” insurance policy, a federal court in Arizona recently applied old-school coverage analysis to a new-school cybersecurity policy in P.F. Chang’s China Bistro v. Federal Insurance Co., No. CV-15-01322-PHX-SMM (D. Ariz. May 31, 2016).
P.F. Chang’s, an Asian-themed US casual dining restaurant chain, purchased a “CyberSecurity by Chubb” insurance policy. The policy was triggered in June 2014, when hackers stole approximately 60,000 customer credit card numbers from P.F. Chang’s computer system. P.F. Chang’s incurred investigation and remediation expenses as well as costs defending multiple class action lawsuits, all of which its insurer, Federal Insurance Co. (Federal), paid for. However, when P.F. Chang’s sought an additional $2 million to cover fees and assessments its credit card service providers had charged back to it, Federal refused to pay, citing the contractual liability exclusion in its policy.
The US District Court for the District of Arizona found that the policy’s “Privacy Injury” module did not apply to the loss, but did find coverage under the “Privacy Notification Expenses” module. However, the court also found that the contractual liability exclusion (found in virtually all commercial forms) barred recovery because P.F. Chang’s had agreed that its credit card acquirer could charge back against it these credit card brand-imposed costs and assessments. The court stated that it was relying on precedents applying the same exclusion in standard CGL policies.
P.F. Chang’s argued that it “reasonably expected” the policy’s broad cyber coverage to apply to these fees and assessments, citing Chubb’s advertising material, which promised a “flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world.” The court rejected this argument in favor of the plain language of the policy.
This case is notable for two reasons. First, it is a reminder that cyber policies, unlike standard CGL and property forms, are still rapidly evolving, thus producing market products and coverages that are inconsistent and varied. Second, precedents applying standard “traditional” form language are still applicable to the same language in the new forms. The more things change, the more they stay the same.