On May 31, 2016, a federal court in Arizona rejected P.F. Chang’s attempt to recover an additional $2 million it paid following a 2014 breach in which hackers obtained and posted on the Internet approximately 60,000 credit card numbers belonging to P.F. Chang’s customers. P.F. Chang’s was insured under a “CyberSecurity by Chubb Policy,” which it had purchased from Federal Insurance Company for an annual premium of $134,000. On its website, Federal marketed the policy as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” including “consequential loss resulting from cyber security breaches.”
After the 2014 breach, Federal agreed to reimburse P.F. Chang’s nearly $1.7 million for valid claims brought by injured customers and Issuers. However, when P.F. Chang’s sought reimbursement from Federal for an additional $2 million in fees and assessments that were charged back to P.F. Chang’s by its credit card service providers. Federal refused to pay contending, among other things, that P.F. Chang’s had no reasonable expectation of coverage for these amounts. P.F. Chang’s filed suit.
The court granted summary judgment in favor of Federal. In doing so, the court determined that the record did not support P.F. Chang’s argument that it reasonably expected the policy’s broad cyber coverage would extend to the imposed fees and assessments. But, this aspect of the decision ignores the very essence of Federal’s cyber policy, which was marketed by Federal as comprehensive coverage designed “to address the full breadth of risks associated with doing business in today’s technology-dependent world.”
The court noted that Federal had not outright denied coverage in its entirety as it had acknowledged coverage under its CyberSecurity policy for multimillion dollar losses relating to other valid claims brought by injured customers and issuers. The decision underscores, however, the critical importance of knowing the scope of your cyber coverage before purchasing the policy and before a breach occurs. The decision also serves as a reminder that unlike with standard property and general liability forms, today’s cyber products are still rapidly evolving, causing market products and coverages to be inconsistent and varied. What may be covered under one policy very well may not be covered under another – there is no “one size fits all.” Policyholders, therefore, should engage knowledgeable brokers and coverage counsel to assist with their policy procurement or reviews of coverage that is already in place.