Credit Card Payment Coverage Declined: Cyberinsurer Not Obligated to Reimburse P.F. Chang’s for PCI Liability

In the most significant cyberinsurance coverage decision to date, an Arizona federal district court in P.F. Chang’s China Bistro v. Federal Insurance Co., No. CV-15-01322-PHX-SMM (D. Ari. May 31, 2016), granted summary judgment to Federal Insurance Company, acknowledging it had no duty to reimburse P.F. Chang’s China Bistro for payment card industry liability assessments under the CyberSecurity policy issued by Federal to P.F. Chang’s corporate parent. This decision represents a significant victory for cyberinsurers insofar as it upholds insurers’ marketing strategy of making available for purchase distinct cyber products and sub-products.

As background, P.F. Chang’s suffered a data breach, resulting in approximately 60,000 customer credit card numbers falling into the hands of hackers. P.F. Chang’s notified Federal immediately. Federal reimbursed P.F. Chang’s for amounts in excess of $1.7 million as a result of the costs of responding to the breach. However, in addition to customer lawsuits and a forensic investigation, P.F. Chang’s credit card payment service, Bank of America Merchant Services (BAMS) suffered three assessments by MasterCard. The first was for approximately $1.7 million, which was the “Fraud Recovery Assessment,” i.e., costs associated with fraudulent charges relating to the breach. The second was for approximately $163,000, which was the “Operational Reimbursement Assessment,” i.e., costs to notify cardholders and reissue and deliver payment cards, account numbers, and security codes. The third was for $50,000, which was the “Case Management Fee.” BAMS demanded reimbursement from P.F. Chang’s pursuant to their contract. P.F. Chang’s sought coverage for these amounts from Federal. Federal denied coverage. P.F. Chang’s ultimately paid the amounts to BAMS and filed the subject lawsuit.

The district court analyzed each assessment individually. With respect to the Fraud Recovery Assessment, the district court considered coverage only under Insuring Clause A. Insuring Clause A provided, in essence, that Federal pay for “loss” on behalf of P.F. Chang’s for any claim for injury sustained by persons as a result of actual or potential unauthorized access to “such [p]erson’s” personally identifiable information. Federal contended Insuring Clause A was inapplicable because BAMS, itself, did not sustain any privacy injury because its records were not compromised. The district court agreed, based on a plain reading of the policy, that there could be no coverage available for P.F. Chang’s here because BAMS did not sustain any privacy injury. The district court found compelling the word “such,” which signifies that the coverage is designed to compensate only for liability to the persons whose records were unlawfully accessed.

With respect to the Operational Reimbursement Assessment, the district court considered coverage under Insuring Clause B. That coverage provided, in essence, that Federal pay the costs incurred by P.F. Chang’s of notifying those who were directly affected by the potential or actual unauthorized access of personally identifiable information. The district court, this time, sided with P.F. Chang’s, finding the assessment to, indeed, be the responsibility of P.F. Chang’s after being passed through by BAMS. Relatedly, with respect to the Case Management Fee, the district court looked to Insuring Clause D.2., which required Federal to pay for expenses incurred by P.F. Chang’s due to the actual or potential impairment or denial of operations resulting from unauthorized access to its systems. The district court reasoned that the fee fell under this coverage because as a result of unauthorized hack, P.F. Chang’s was responsible for paying the case management fee imposed by BAMS; and if it did not do so, “its ability to perform its regular business activities would be potentially impaired.”

These victories for the insured, however, were pyrrhic, as the district court ultimately found the assessments to be excluded under the various provisions applicable to liability assumed by an insured. According to the court, the three exclusions it examined “are the same in that they bar coverage for contractual obligations an insured assumes with a third-party outside of the Policy.” Importantly, the district court turned to “cases analyzing commercial general liability insurance policies for guidance, because cybersecurity insurance policies are relatively new to the market but the fundamental principles are the same.” Through this prism, the district court concluded the exclusions completely barred coverage for this loss under Insurance Clauses B. and D.2. The only reason P.F. Chang’s had to pay BAMS for these fees was because this obligation was agreed to by P.F. Chang’s and BAMS in their Master Service Agreement. The district court specifically reasoned Chang’s would not have been liable for any of the assessments but for its agreement with BAMS. Thus, the district court granted Federal’s summary judgment.

In sum, this decision is noteworthy for three reasons. First, it is the first data breach coverage case, decided under a next-generation stand-alone cyberinsurance policy, to receive a full treatment by a court. It offers meaningful guidance about how courts will analyze these cyber-coverage questions under non-traditional policies. Second and relatedly, the district court analyzed this dispute under the well-established principles of coverage jurisprudence developed for decades against the backdrop of CGL, E&O, D&O, and other liability policies. Third, the district court preserved the separateness of the coverage offerings sold by insurers. PCI liability coverage is available for purchase, yet P.F. Chang’s apparently did not avail itself of this coverage. As such, this decision reinforces the calculus that faces every policyholder — purchase the whole suite of cyber products the insurer offers or risk gaps in your coverage.