In what is thought to be the first published decision in a cyber insurance coverage case, popular Chinese restaurant chain, P.F. Chang’s, was denied coverage for certain costs incurred as a result of a 2014 data breach. Unfortunate as it may be for P.F. Chang’s, this court ruling offers a valuable object lesson for others with respect to cyber policies. Namely, be aware of the full extent of potential cyber liabilities and know what your policy covers.
P.F. Chang’s initial breach occurred in June 2014, when hackers stole approximately 60,000 credit card numbers from 33 different P.F. Chang’s locations. When the breach was discovered, the restaurant chain already had a cyber policy in place. It maintained a $5 million “CyberSecurity by Chubb” policy through Federal Insurance Company.
Ultimately, Federal evaluated the cyber coverage and paid nearly $1.7 million of P.F. Chang’s claim for forensic investigation and litigation costs. However, that wasn’t the full extent of P.F. Chang’s liability. MasterCard charged P.F. Chang’s credit card service company (Bank of America Merchant Services) almost $2 million in fees and assessments, pursuant to the services agreement between the restaurant and Bank of America.
When P.F. Chang’s received notices of these charges, it promptly paid Bank of America to maintain the parties’ relationship and to maintain banking service without disruption. P.F. Chang’s then made an insurance claim for those fees and assessments with Federal. Federal analyzed the claim and determined that the policy did not cover those costs; accordingly, it denied coverage, prompting P.F. Chang’s to file suit.
The U.S. District Court for the District of Arizona granted summary judgment to Federal. The court found that, while the fees and assessments may fall within the scope of the insuring agreement, the “contractual liability” exclusion barred coverage. In the alternative, P.F. Chang’s argued that the “reasonable expectations” doctrine should apply – i.e., even if not expressly covered under the policy, it “possessed the expectation that coverage existed under the Policy for the assessments.” Under the reasonable expectations doctrine, a contract term may not be enforced if one party has reason to believe that the other would not have consented to the contract’s terms had it known the term was present. Where appropriate, it provides some leeway to the general rule that contract terms trump all.
The court found that the doctrine would only apply in this case if two conditions were met: (1) the insured’s expectation as to coverage was reasonable and (2) the insurer had reason to believe that its insured would not have agreed to the policy terms if it had known of the now-challenged provision. Emphasizing that both parties (P.F. Chang’s and Federal) were experienced corporate actors, the court found no evidence that the restaurant chain believed it would be covered for such assessments following a breach and that P.F. Chang’s merely attempted “to cobble together such an expectation after the fact, when in reality no expectation existed at the time it purchased the Policy.” The court concluded, “[P.F.] Chang’s and Federal are both sophisticated parties well-versed in negotiating contractual claims, leading the Court to believe that they included in the Policy the terms they intended.”
Essentially, P.F. Chang’s got into trouble for knowing too much and too little. It was arguably ahead of the curve in its acknowledgement of risk and the need for cyber coverage. At the same time, it was not fully cognizant of the potential range of resultant breach costs or the actual extent of its cyber policy. The takeaway here is obvious: a cyber policy is not designed to be a one-size-fits-all remedy for every possible cost associated with a data breach. Historically, insurance policies were not designed to cover an insured’s contractual liabilities and, absent a specific policy provision or endorsement to the contrary, there is no reason to assume that a cyber policy is any different. Companies – especially those that process credit cards and are contractually bound to pay fees and assessments – should review their policies before a breach to understand what is covered and, maybe more importantly, what is not covered.