"Cyber-insurance: latest developments" reported on a case involving the potential for a court to analyse specific cyber coverage terms relating to specific cyber coverage facts. That case has now been dismissed, as the parties pursue alternative dispute remedies. PF Chang's China Bistro Inc v Federal Insurance Co is another case that primarily addresses cyber coverage issues, but has received less recognition than 2015's Columbia Casualty.(1) The US District Court for the District of Arizona's ruling may be one of the first in the country to interpret the unique issues that arise in relation to cyber-insurance policies.
Given that many of the cyber wordings continue to evolve, many of the terms are similar, but not universal. Unlike commercial general liability (CGL) policies, which are mostly uniform, the cyber market continues to generate variations on the theme while moving towards some uniformity relative to some basic concepts (eg, breach response costs). In light of the relative lack of case law interpreting such policy forms, it may be imprudent to read too much into one specific case. That said, although the court's ruling in PF Changs's may not be controlling authority for future courts interpreting cyber policies, it does offer some useful guideposts for practitioners advising clients with respect to these types of terms.
Chang's purchased the cyber-security policy from Federal Insurance, a division of Chubb, with effective dates from January 1 2014 to January 1 2015. Chang's paid approximately $134,000 in annual premiums. Federal marketed the policy as a "flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today's technology-dependent world", which "[c]overs direct loss, legal liability, and consequential loss resulting from cyber security breaches".(2) During the underwriting process, Federal specifically designated Chang's as 'high risk' because the company carried out more than 6 million credit card transactions a year. Federal also noted that there was a high risk of exposure to customer identity theft.
The breach at issue occurred between 2013 and 2014, when computer hackers obtained approximately 60,000 credit card numbers belonging to PF Chang's customers. Chang's learned of the breach on June 10 2014 and alerted its insurer, Federal, on the same day. After the breach, Federal subsequently reimbursed Chang's approximately $1.7 million in costs pursuant to the policy for conducting a forensic investigation of the breach as well as the costs of defending the litigation brought by the affected customers. Federal did not dispute these costs. At issue, instead, was the approximately $1.9 million in assessment fees imposed on PF Chang's by its merchant services provider, Bank of America Merchant Services (BAMS).
Chang's, as a merchant, was unable to process credit card payments made by customers so it entered into a master service agreement with BAMS, a merchant service provider. In turn, BAMS had a separate agreement with the issuing bank, MasterCard. This agreement was then incorporated into BAMS's master service agreement with Chang's. The MasterCard agreement stipulated that BAMS was obligated to pay certain fees and assessments to MasterCard in the event of a data breach. Under the master service agreement with BAMS, Chang's agreed to compensate or reimburse BAMS for "fees", "fines", "penalties" or "assessments" imposed on BAMS by the issuing bank.(3)
In May 2015 MasterCard issued a reimbursement report to BAMS, which consisted of:
- a fraud recovery assessment (for fraudulent charges that related to the security breach) of approximately $1.7 million;
- an operational reimbursement assessment (the costs of issuing bankcards, new account numbers and new security codes) of approximately $160,000; and
- a case management fee of $50,000.
Pursuant to the master service agreement, and so as not to lose the ability to process credit card transactions in the interim, Chang's paid BAMS the $1.9 million. Chang's submitted this payment to Federal as part of the claimed loss under the cyber policy, but Federal denied coverage for this payment. The present litigation then began.
The court addressed each fee imposed by MasterCard individually through the lens of the applicable policy provision. Chang's argued that the largest of these – the fraud recovery assessment charge – was covered under Federal's agreement to pay for a loss made against the insured for an injury, specifically under the policy's definition of 'privacy injury'. The policy defined this as an "injury sustained or allegedly sustained by a 'Person' because of actual or potential unauthorized access to such 'Person's' 'record'".(4)
Chang's argued that while it was MasterCard which actually suffered a privacy injury (the compromising of its customer data and records), it was irrelevant that the injury was first passed through BAMS. It justified this argument by noting that this is an industry standard practice and that by compensating BAMS, Chang's was effectively compensating MasterCard. Interestingly, Chang's analogised the situation to subrogation in other insurance contexts, although the court apparently did not give much weight to this argument.
Federal, on the other hand, argued that because BAMS itself did not suffer an injury, it could not claim one under the policy. Only MasterCard, whose accounts and financial information were hacked, sustained injuries that were covered under the policy. Ultimately, the court sided with Federal, holding that BAMS was not in a position to assert a privacy injury claim under the policy. According to the court, the usage of the words "such Person" in the definition of 'privacy injury' "means that only the Person whose Record is actually or potentially accessed without authorization suffers a Privacy Injury".(5) Thus, a "plain reading" of the language necessarily meant that "only the Person whose Record is actually or potentially accessed without authorization suffers a Privacy Injury".(6) In this case, that would be MasterCard. Importantly, the court seemed to give weight to the fact that Chang's, as a sophisticated party, could have bargained for this type of coverage.
The court next turned to the operational reimbursement assessment (the costs of reissuing bankcards, new account numbers and security codes). Chang's argued that these fees were covered under the clause that read: "[Federal] shall pay Privacy Notification Expenses incurred by an Insured resulting from [Privacy] Injury." Federal again argued that because BAMS paid the fee, it was not incurred by Chang's. However, the court sided with Chang's as, under Arizona law, an insured "incurs" an expense when the insured becomes liable for the expense, "even if the expenses in question were paid by or even required by law to be paid by other sources".(7) The court held that the case management fee was covered as an "extra expense" as contemplated by the policy, but was unable to determine as a matter of law whether the loss occurred during the period of recovery of services.
However, despite holding that both the operational reimbursement assessment and case management fee were covered under the policy, the court next found that exclusions within the policy barred coverage. The relevant exclusions stated that Federal would not be liable for "any liability assumed by any Insured under any contract or agreement" and for "any cost or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured".(8) The contract at issue was the master service agreement that Chang's had in place with BAMS, in which Chang's had agreed to pay for any fees assessed to BAMS by the issuing banks, including fines, penalties and assessments.
The court stated that cyber policies are new to the marketplace, so it turned to opinions that analysed similar CGL policy language. The court determined that because the master service agreement was clear that Chang's agreed to reimburse and compensate BAMS for any fees or assessments imposed on it by the bank, the exclusions were clearly applicable. The CGL cases held that such contractual exclusions apply to "the assumption of another's liability, such as an agreement to indemnify or hold another harmless".(9) The court determined that the agreement – in which Chang's agreed to reimburse or compensate BAMS for any "fees", "fines", "penalties" or "assessments" imposed on BAMS – met the relevant criteria. Ultimately, therefore, the exclusions were applicable and valid under the law.
Lastly, the court addressed Chang's' "reasonable expectation" argument, a legal doctrine that provides that ambiguities in a policy should be resolved in favour of the insured's reasonable expectations. For the doctrine to apply, two conditions must be met:
- The insured's expectation of coverage must be "objectively reasonable"; and
- The insurer must have had reason to believe that the insured would not have purchased the policy had it known that the complained-of provision would be present.(10)
As it turns out, the court did not have to reach the question of whether the doctrine was applicable, because it determined that Chang's did not even expect the policy to cover that for which it sought coverage.
The court stated that the starting point for the reasonable expectation inquiry is what reasonable expectations were induced in the first place. As evidence of its expectations of coverage, Chang's pointed to evidence that Federal knew about all of the risks involved in the millions of credit card transactions and its contractual relationship with BAMS, as well as Federal's marketing of the policy as an all-encompassing policy addressing the "full breadth of risks". The court rejected this argument, holding that Federal's knowledge of risks and realities did not prove Chang's expectations. Indeed, Chang's insurance agent never asked Federal's underwriter about the assessments. As the court noted, "Chang's merely attempts to cobble together such an exception after the fact" and could have bargained for the coverage.(11) Again, the court pointed to Chang's stature as a sophisticated party whose knowledge of the insurance market and negotiation power would have allowed it to bargain for coverage should it have so desired.
From a narrow viewpoint, the PF Chang's decision is applicable only to the facts of the case. Taking a step back, however, merchants which contract with merchant service providers have reason to take note. A federal court has now held that a cyber policy did not cover almost $2 million in assessment fees imposed by the insured's merchant services provider. Credit card fraud recovery assessments acutely affect merchants such as Chang's, which are unable to process their own transactions. Fees associated with fraud-related costs are an increasing burden on such companies. Avivah Litan, a financial fraud analyst at Gartner, stated that "Merchants… have no choice but to accept these dominant payment instruments, and they have no choice but to pay what seem to be unfair penalties when they suffer a card data breach".(12)
As noted multiple times by the court, Chang's and other similarly situated merchants come from a position of power at the negotiating table. The cyber-insurance market has been offering coverages for Payment Card Industry Data Security Standard 'assessments' (some use the term 'penalties') for a number of years – since at least pre-2014, the inception date for the Chang's policy. In that regard, an entity such as PF Chang's, with such a high profile in the retail space, would likely be in a better position than most to identify these risks and seek the appropriate coverage terms to mitigate its exposure. In recent years, credit card and banking companies have been more assertive in attempting to recoup losses that they have borne the brunt of in relation to identity theft and fraudulent transactions. For example, Target settled with the banks that serviced MasterCard as of December 2015 for a staggering $39 million.(13) These entities, however, are also starting to engage and inform their retail partners. In that regard, they will likewise promote cyber coverages that may help retailers – from the largest worldwide retailers down to the seasonal pop-up shop – to mitigate this exposure. In the meantime, expect to see more cases where cyber coverage terms will be under scrutiny for the scope and extent of losses that entities believe are related to cyber-security hacking and breach incidents.
For further information on this topic please contact Margaret Reetz, Allen Sattler or Douglas Giombarrese at Mendes & Mount LLP by telephone (+1 212 261 8000) or email (firstname.lastname@example.org, email@example.com or firstname.lastname@example.org). The Mendes & Mount website can be accessed at www.mendes.com.
(3) The credit card companies self-regulate security pursuant to its industry security standards council. These self-regulations are referred to as 'Payment Card Industry Data Security Standard' (PCI-DSS) and standard merchant service agreements typically reference the PCI-DSS assessment table for violations of the standards, which is in turn a breach of those agreements:
"Guidance for maintaining payment security is provided in PCI security standards. These set the technical and operational requirements for organizations accepting or processing payment transactions, and for software developers and manufacturers of applications and devices used in those transactions."
Read more here.
(12) Tracy Kitten, "Cyber Insurance: Is It Worth It?", Bank Info Security, June 7 2016.
(13) "Target settles for $39 million over data breach", CNNMoney.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.