As cyber attacks increase at an unprecedented pace, more and more businesses are purchasing cyber insurance to protect against that risk. The insurance
industry now faces an avalanche of claims, and those claims are moving into the litigation phase. In one of the first decisions interpreting a cyber
insurance policy, an Arizona federal court on May 31 allowed Federal Insurance Company (“Chubb”) to escape liability under a cyber policy for
losses arising from the theft of 60,000 credit card numbers from P. F. Chang’s China Bistro, Inc.
See P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016).
The Breach and Its Consequences
In 2014, a hacker infiltrated P.F. Chang’s China Bistro’s computer system and stole 60,000 credit card numbers from its customers. The hacker posted the
stolen numbers on the internet. Chubb insured Chang’s under a “CyberSecurity by Chubb Policy,” and the restaurant immediately provided notice to Chubb of
Chang’s engaged third parties to investigate the event, notify card holders and provide legal and other advice, and to help it carry out its breach
notification obligations. Unfortunately, P.F. Chang’s also had to defend class action lawsuits. Chubb provided coverage for these costs, which were
approximately $1.7 million.
Chubb refused to provide coverage for the remainder of P.F. Chang’s loss, however. Credit card holders are protected from fraudulent charges arising from
the theft of credit cards. The banks issuing the credit cards (the issuing banks) reimburse the card holders for the losses. In addition, the issuing banks
are obligated to issue new credit cards.
Issuing banks have recourse, however. The issuing banks enter into contracts with MasterCard. P.F. Chang’s (and all merchants accepting credit cards)
enters into contracts with acquiring or merchant banks to process charges, and the acquiring banks enter into contracts with MasterCard. A set of rules
published by MasterCard governs the relationships among the issuing banks, MasterCard and the acquiring banks, and these rules are incorporated into
MasterCard’s contracts with issuing banks and acquiring banks. In the event a retailer suffers a security breach resulting in unauthorized access to
account data, these rules hold the retailer’s acquiring bank liable for the fraudulent charges incurred by the issuing banks. This is accomplished through
an assessment from the payment card brand. The acquiring bank, in turn, has recourse against the retailer who experienced the breach.
Here, MasterCard issued a roughly $1.9 million assessment to the acquiring bank and processor of P.F. Chang’s credit card sales. The assessment included
several components. About $1.7 million comprised fraudulent charges; about $200,000 involved notification and card replacement costs and administrative
fees. Chang’s contract with the acquiring bank obligated the restaurant to pay the assessment. P.F. Chang’s demanded that Chubb reimburse the MasterCard
assessment, and Chubb denied coverage.
The Coverage Litigation
P.F. Chang’s filed suit against Chubb. Chubb moved for summary judgment, arguing the claim fell outside the policy’s insuring agreement and that the losses
were excluded. Although the court noted at the outset of the opinion that Chubb had marketed the policy as “a flexible insurance solution designed by cyber
risk experts to address the full breadth of risks associated with doing business in today's technology-dependent world” that “[c]overs direct loss, legal
liability, and consequential loss resulting from cyber security breaches,” it nevertheless agreed with Chubb and granted its motion for summary judgment.
P.F. Chang’s argued the majority of the assessment by MasterCard (the fraudulent charges), for which Chang’s was contractually liable, fell within the
policy’s grant of coverage for Privacy Injury, which the policy defined as an “injury sustained or allegedly sustained by a ‘Person’ because of actual or
potential unauthorized access to such ‘Person’s’ ‘record’ . . . .” The court rejected the insured’s claim and held that the Privacy Injury coverage applied
only when a person suffering the privacy injury made a claim against the insured, and because the acquiring bank had not suffered a privacy injury, the
Privacy Injury coverage did not apply.
Relying on cases interpreting commercial general liability policies, the court also found that two contractual liability exclusions barred coverage for the
entire claim. These were an exclusion for “any liability assumed by any ‘Insured’ under any contract or agreement” and an exclusion for “any cost or
expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any ‘insured.’” Because P.F. Chang’s had agreed to reimburse
the acquiring bank for the assessments, the court concluded the exclusions applied.
In reaching this decision, the court rejected P.F. Chang’s argument that the exclusion should not apply because Chang’s would have been liable to the
acquiring bank even in the absence of the indemnification agreement. The court also found unavailing the restaurant’s argument that its payment to the
acquiring bank was the “functional equivalent” of compensating the victims of Privacy Injury, because P.F. Chang’s failed to offer evidence that it would
have been liable for the MasterCard assessment absent the agreement with the bank.
The court finally rejected Chang’s argument that coverage existed under the reasonable expectations doctrine. Although P.F. Chang’s presented evidence that
Chubb represented that its policy afforded coverage for direct loss, legal liability and consequential loss resulting from cyber security breaches, the
court concluded that this evidence was insufficient to establish that Chang’s had a reasonable expectation of coverage for the payments it made to its
P.F. Chang’s purchased an insurance policy to protect itself from liability arising from a breach of its computer systems, but in this case, the cyber
insurance policy provided only a partial recovery for the insured. Contrary to basic principles of insurance law, under which insuring agreements are read broadly and exclusions narrowly, the court narrowly construed the insuring
agreement and broadly construed the exclusions to find that no coverage existed for the losses arising from the claim by the acquiring bank against
Chang’s. While it is true that the acquiring bank’s own “records” were not stolen, the fraudulent charges arose from claims by customers whose card numbers
were stolen. The acquiring bank was merely a conduit passing those losses along to the merchant. Therefore, the court should have found coverage.
This case demonstrates that carriers will advertise that their policies offer broad coverage, but when faced with a claim, insurers will fight hard to
limit the coverage.
The ruling also sends a clear warning to retailers. A primary risk to a retailer following a cyber breach is an assessment from Visa or MasterCard passed
on to it by an acquiring bank, and this court found that losses arising from these assessments are not covered losses, at least under this Chubb policy.
It is important for policyholders to evaluate the purchase of a cyber insurance policy carefully, and if you have already purchased a cyber policy, you should
review carefully the coverage that is actually available under it. Property and general liability policies are largely standardized, but the market for cyber
insurance is dynamic, and cyber policies vary significantly in their insuring agreements, definitions and exclusions. One cyber policy may cover a loss such as a card brand assessment and another may not.
Risk managers and business owners should consult with coverage counsel as they evaluate the purchase of a cyber policy. McGuireWoods can assist, and for
more information, please see our Legal Alert, A Buyer’s Guide to Cyber Insurance.