A year ago in this space, we looked at the receding wave of coverage litigation regarding whether various cyber-related exposures were covered under traditional policies, such as CGL and professional liability policies. Deemed “square peg” litigation, those cases were mostly a mixed bag. And, as predicted, since the advent of the now burgeoning cyber-specific coverage market, those cases are largely becoming irrelevant, as insurers have begun to place exclusions in traditional policies that make clear that they do not apply to cyber-exposures.
For example, in RVST Holdings, LLC v. Main Street America Assurance Co., 136 A.D.3d 1196, 25 N.Y.S.3d 712, 2016 N.Y. Slip Op. 01230 (N.Y. App. Div. 3d Dept., Feb. 18, 2016), New York’s Appellate Division recently reversed a trial court decision that failed to properly apply a cyber exclusion in a traditional commercial policy, in relation to the insured’s claim for coverage of underlying claims made against it arising from a data breach of credit card information stored in the network of certain Five Guys Burger franchises in New York. The court remanded with instructions to enter summary judgment in the insurer’s favor.
Not surprisingly, many policyholders have gotten the hint, and the market for cyber-specific coverage has been growing rapidly, as policyholders fear the rising cost of, among other things, data breach claims. But, simply purchasing this coverage is not a panacea for all that might ail a company when it comes to cyber-risk, and a recent decision from an Arizona federal court provides a stark reminder that these new policies, too, have their limits.
In PF Chang v Federal (D. Ariz. 5-31-16), No. CV-15-01322 (D. Ariz. May 31, 2016), the Court granted the defendant insurer’s motion for summary judgment on claims by its insured that it improperly denied its coverage claim for underlying liabilities arising from a data breach.
Federal sold PF Changs’ corporate parent a “CyberSecurity by Chubb” policy, which it marketed as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world.” In underwriting the policy, Federal identified PF Changs as a high risk level because it conducts more than 6 million transactions per year, the bulk of which are through credit cards. PF Changs paid an annual premium of $134,052.00 for the policy.
The data breach
On June 10, 2014, PF Changs learned that hackers had obtained and posted on the Internet some 60,000 credit card numbers belonging to its customers. It notified Federal of the data breach that same day. Federal reimbursed PF Changs approximately $1,700,000 for certain costs, including conducting a forensic investigation into the data breach and defending litigation filed by customers and one bank that issued card information that was stolen.
Several months later, PF Changs received an “ADC Operational Reimbursement/Fraud Recovery Final Acquirer Financial Responsibility Report” from Bank of America Merchant Services (“BAMS”). The letter demanded reimbursement pursuant to PF Changs’ contract with BAMS for three “assessments” arising from the data breach: (1) a “Fraud Recovery Assessment” of $1,716,798.85, which reflects costs Mastercard suffered and assessed to BAMS arising from fraudulent charges; (2) an “Operational Reimbursement Assessment” of $163,122.72, reflecting notification and related costs; and (3) a “Case Management Fee” of $50,000, regarding compliance with Payment Card Industry Data Security Standards.
PF Changs sought coverage from Federal for the BAMS assessments, but Federal declined. PF Changs brought suit, and Federal moved for summary judgment, citing language in the policy’s insuring agreements, and certain exclusions.
First, the Court examined the claim for coverage under section A of the policy, which covers loss arising from “Privacy Injury.” PF Changs argued that the costs reflected in the assessments derived from underlying privacy injury to cardholders. But the Court agreed with Federal that BAMS’ assessments did not reflect that BAMS itself suffered a “Privacy Injury” as the term was defined, and held that the language used indicated that the coverage was restricted to only “such” persons who have actually suffered a privacy injury. The Court noted that Federal in fact paid that portion of the claim relating to claims brought by affected customers, who did in fact suffer an actual privacy injury. It rebuked PF Changs, noting that “if [PF] Changs, who is a sophisticated party, wanted coverage for this Assessment, it could have bargained for that coverage.”
Next, the Court examined claims under coverage B, for “Privacy Notification Expenses.” Here again, Federal made a similar argument that PF Changs itself did not incur notification expenses, but rather its vendor did. But the court disagreed, finding that the insuring agreement arguably covered the Operational Reimbursement Assessment for BAMS’s notification costs, subject, however, to its analysis of applicable exclusions.
Likewise, the Court agreed with PF Changs that the Case Management Fee came within the coverage grant of insuring agreement D.2 for “Extra Expenses” because PF Changs experienced a “Fraudulent Access” that impaired its ability to perform its regular business activities, again, subject to applicable exclusions.
The Court giveth, the Court taketh Away: the Contractual Liability Exclusion
Finally, the Court addressed exclusions in the policy for contractual liability assumed by the insured. Here, all the liabilities at issue arose pursuant to PF Changs’ contract with BAMS, and the Court found the exclusion for contractual liability unambiguously applied:
The Court finds that both Exclusions D.3.b. and B.2. as well as the definition of Loss bar coverage. In reaching this decision, the Court turned to cases analyzing commercial general liability insurance policies for guidance, because cybersecurity insurance policies are relatively new to the market but the fundamental principles are the same. Arizona courts, as well as those across the nation, hold that such contractual liability exclusions apply to “the assumption of another’s liability, such as an agreement to indemnify or hold another harmless.” (emphasis added)
Indeed, the more things change, the more they stay the same. Policyholders must be wary that simply purchasing cyber-specific coverage does not mean they have purchased unlimited coverage. The Court in PF Changs utilized all the same standard presumptions with which insurers have long been familiar, including that coverage should be broadly construed in favor of the insured. But those doctrines have their limits, and so do the contours of these relatively new coverages.