Why it matters

Demonstrating the challenges facing policyholders seeking coverage for losses arising from data breaches under commercial general liability (CGL) policies, Travelers, the CGL insurer for P.F. Chang’s China Bistro, recently filed an action in Connecticut federal court seeking a declaratory judgment that it owes no coverage to the national restaurant chain for tort claims arising from a recent data breach. Over a 10-month period, hackers were able to access point-of-sale payment systems at 33 of P.F. Chang’s restaurant locations. After P.F. Chang’s disclosed the breach in June, plaintiffs in several states filed putative class actions. Travelers’ complaint asserts that the underlying lawsuits do not trigger coverage under its policies and, in any event, coverage is expressly precluded pursuant to a specific exclusion for violations of “consumer financial protection law.” Travelers’ response to P.F. Chang’s data breach serves as a reminder to policyholders that coverage available for data breaches may be limited under CGL policies, and that they would be prudent to explore their options for obtaining specialized cyber risk coverage.

Detailed Discussion

On June 13, 2014, P.F. Chang’s confirmed that it had suffered a major data breach dating back approximately 10 months. First tipped off to the breach by the U.S. Secret Service, the restaurant chain said its point-of-sale systems were hacked, allowing access to customers’ credit and debit card data. Three different class actions were filed not long after, alleging that P.F. Chang’s violated its obligations to abide by best practices and industry standards to protect customers’ personal information, even in light of other high-profile data breaches.

P.F. Chang’s provided notice of the lawsuits to Travelers Indemnity Company, its CGL insurer. Travelers responded with its own lawsuit, seeking a declaration that it is not obligated to defend or indemnify P.F. Chang’s under its 2013 and 2014 CGL policies.

Travelers asserts that the lawsuits do not trigger coverage under its policies because covered “property damage” does not include loss or damage to “electronic media and records.” Likewise, no covered “bodily injury” or “personal and advertising injury” was alleged in the underlying complaints. In sum, Travelers asserts, “[t]he Lawsuits fail to trigger coverage under the Policies because they do not allege ‘bodily injury’ or ‘property damage’ caused by an ‘occurrence,’ nor do they allege ‘advertising injury’ or ‘personal injury’ as the Policies expressly and unambiguously define those terms.”

Alternatively, Travelers asserts that, even if coverage were triggered, an exclusion in its policies for violations of consumer financial protection laws applies. According to Travelers, its policies define “consumer financial protection laws” to include the Fair Credit Reporting Act and any of its amendments, including the Fair and Accurate Credit Transactions Act, California’s Song-Beverly Credit Card Act, and “[a]ny other law or regulation that restricts or prohibits the collection, dissemination, transmissions, distribution or use of ‘consumer financial identity information.’”

“Consumer financial identity information” encompasses “any of the following information for a person that is used or collected for the purpose of serving as a factor in establishing such person’s eligibility for personal credit, insurance or employment, or for the purpose of conducting a business transaction: (a) Part or all of the account number, the expiration date or the balance of any credit, debit, bank or other financial account.”

Finally, Travelers asserts that its policies are subject to a self-insured retention of $250,000 that P.F. Chang’s has yet to exhaust.

The complaint was filed in The Travelers Indemnity Co. of Connecticut v. P.F. Chang’s China Bistro, Inc.