P.F. Chang’s Bistro, Inc. (PF Chang) suffered a rude awakening when its cyberliability policy failed to cover almost $2 million dollars of fees and assessments stemming from a breach of its credit card processing system. Hackers had compromised approximately 60,000 of PF Chang’s customers’ credit cards. PF Chang had purchased its cybersecurity policy from Federal Insurance Company (Federal) prior to that breach. The policy reimbursed $1.7 million to PF Chang for costs arising from the breach, including forensic investigation of the breach and defending litigation by consumers and a bank that issued compromised credit cards. But Federal did not reimburse PF Chang for the amounts that PF Chang was obligated to pay Bank of America Merchant Services (BAMS), the company that provides PF Chang with credit card processing.
PF Chang filed a lawsuit against Federal in the District Court of Arizona, asserting that Federal was obligated to reimburse PF Chang the amounts it paid to BAMS under the cyberliability policy. P.F. Chang’s China Bistro, Inc. v. Federal Insurance Company, case number 2:15-cv-01322 (D. Ariz). The Court concluded that PF Chang’s cyberliability policy did not cover the payments to BAMS [here]. When the lawsuit was filed, those unreimbursed costs paid to BAMS represented PF Chang’s largest liability from the breach.
Under the Master Services Agreement between PF Chang and BAMS, PF Chang was obligated to reimburse BAMS for any fees, fines, penalties, or assessments issued against BAMS by MasterCard. On account of PF Chang’s credit card breach, MasterCard imposed three assessments on BAMS: 1) a Fraud Recovery Assessment of $1,716,798.85; 2) an Operational Reimbursement Assessment of $163,122.72; and 3) a Case Management Fee of $50,000, totaling $1,929,921.57. BAMS paid the assessments to MasterCard and required PF Chang to reimburse it for those funds pursuant to the Master Services Agreement. Federal refused to cover those payments, however, asserting that they were not recoverable losses under PF Chang’s cyberliability policy.
Hole in the Cyberliability Policy
While certain provisions of the cyberliability policy might have been read to cover portions of the MasterCard assessment, the Court ultimately held that Federal had no liability for the MasterCard assessments because of the policy’s exclusions. In particular, the policy included an exclusion for any loss or expense based on any liability that PF Chang assumed under a contract. In at least three sections of the Master Services Agreement, PF Chang agreed to reimburse or compensate BAMS for fees, fines, penalties, or assessments imposed by MasterCard. Further, the Court said it was unaware of any basis on which PF Chang would be liable to BAMS for the MasterCard assessments other than under the Master Services Agreement. Accordingly, the Court held that the MasterCard assessments fell within the policy’s exclusion and were not covered.
Despite the language of the insurance policy, PF Chang had argued that it reasonably expected the MasterCard assessments would be covered under the cyberliability policy. PF Chang noted that Federal’s marketing claimed that the policy “address[es] the full breadth of risk associated with doing business in today’s technology-dependent world” and that it “[c]overs direct loss, legal liability, and consequential loss resulting from cyber security breaches.” Despite these broad claims, PF Chang produced no evidence that coverage of MasterCard assessments had been a consideration at the time it purchased its cyberliability policy or that it had asked Federal whether such costs would be covered. The Court found that had the parties intended for there to be coverage for the MasterCard assessments they would have expressly included that coverage in the policy.
There are many types of losses that can stem from a data security breach and they will vary by situation and by industry. If your company currently has cyberliability insurance, it should identify the types of predictable losses that could arise from a data breach and ensure they are covered by the policy. Any company that does not have cyberliability insurance should consider whether to obtain such coverage, and should review any potential policy carefully to assess whether it covers the material liabilities that could arise from a data breach. Even though a cyberliability policy may be marketed as comprehensive, it is important to carefully analyze the terms of the policy to ensure that it actually covers the risks anticipated in the event of a cyberliability incident for the particular business.