P.F. Chang’s China Bistro Inc., which operates over 200 restaurants in the United States, purchased a cyber insurance policy from Federal Insurance Company. Federal marketed the policy as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” that covers “direct loss, legal liability, and consequential loss resulting from cyber security breaches.” (Emphasis supplied).
During the underwriting process, Federal classified PF Chang’s as a high-risk client because it conducts more than six million transactions per year with customer credit cards, creating extensive exposure to customer identity theft. PF Chang’s paid an annual premium of $134,000 for the policy.
In 2014, while the policy was in effect, PF Chang’s received notification from the United States Secret Service of a potential data breach involving credit and debit card numbers stolen from its restaurants. The company immediately conducted an investigation and determined that 33 of its restaurants were potentially affected.
PF Chang’s notified its insurer, which ultimately reimbursed more than $1.7 million of costs resulting from the data breach. This reimbursement covered the cost of conducting a forensic investigation and defending litigation filed by (a) customers who alleged their credit card information was compromised, and (b) a bank that issued credit cards that were allegedly compromised.
When PF Chang’s requested coverage for an additional $1.7 million in fraud recovery fees imposed by Bank of America Merchant Services, LLC (BAMS), its Mastercard payment processor, the insurer balked. These fees were the result of an investigation by Mastercard into the fraud losses incurred by the banks that had issued credit cards to PF Chang’s customers. Those losses resulted in chargebacks to BAMS. Under its master service agreement with PF Chang’s, BAMS was entitled to indemnification for these chargebacks.
Relying on a narrow interpretation of “Privacy Injury,” Federal argued that the reimbursement of BAMS was not covered. That term was defined in the policy as “injury sustained or allegedly sustained by a Person because of actual or potential unauthorized access to such Person’s Record . . .” Federal argued that for the coverage to apply, the injury must directly harm the person whose records were accessed improperly. Here, Federal pointed out, BAMS suffered the injury because of the chargebacks imposed by Mastercard, but the records involved were related to the credit card holders, not BAMS. Because of this mismatch, Federal said that it was not responsible for the claims.
Federal also pointed to an exclusion from coverage for contractual obligations. The indemnity of BAMS arose under PF Chang’s master agreement with BAMS and, said Federal, was thus excluded from the policy’s coverage.
On May 31, 2016, the district court judge ruled in favor of Federal, granting its motion for summary judgment. The judge wavered on the question of whether the definition of “Privacy Injury” relieved Federal of any obligation to cover the BAMS charge. But Federal won a clear victory on the exclusion for contractual indemnity obligations and the case was dismissed.
The decision is a stark reminder that companies should review cybersecurity insurance policies carefully, ask probing questions regarding the types of losses that are and are not covered, and get the answers in writing.
Finally, companies that routinely engage in credit card transactions should be especially wary of this coverage, since the fraudulent transactions that result from a data breach may not be covered even though that may be the principal reason for obtaining the policy in the first place.