Travelers Indemnity Company filed an action this month in the United States District Court for the District of Connecticut for a declaratory judgment that it is not obligated to defend or indemnify its policyholder, P.F. Chang’s, for losses arising from the restaurant’s recent data breach. P.F. Chang’s card processing systems were compromised at about 33 restaurant locations from October 2013 through June 2014, resulting in the theft of customer data from credit and debit cards, including names, card numbers and expiration dates. Customers have filed three class actions seeking damages under a variety of contract, tort and consumer fraud claims. Travelers argues that the losses are not covered under the commercial general liability policies it issued to P.F. Chang’s in 2013-14 because an electronic data breach does not constitute property damage or bodily injury under their insurance agreement, and the agreement expressly excludes “electronic media and records” from the definition of “property damage.”
P.F. Chang’s is alleged to have a separate cyber liability insurance policy with a self-funded retention requirement. With data breaches becoming more common, the number and variety of specialized cyber insurance policies have proliferated. But these cyber policies may provide substantially less coverage than general liability policies. While cyber policies typically cover costs for customer notification, crisis management, litigation defense and regulatory responses, they do not generally cover intangible losses to reputation, brand or market share. Obtaining adequate coverage is difficult because cyber-related losses are hard to quantify—intangible losses are difficult to estimate, and there may be a lack of information to calculate the probability of a data breach.
Even if the federal district court were to determine that P.F. Chang’s commercial general liability policy covers its data breach, Travelers urges the court to construe the self-funded retention requirement in the cyber policy as modifying the restaurant’s general policy, thus limiting any payouts to the terms of the cyber policy and restricting the more generous payouts of the general liability policy.
For a copy of the Declaratory Judgment Complaint in The Travelers Indemnity Company of Connecticut v. P.F. Chang’s China Bistro, Inc., 14-cv-1458-VLB, please click here.