As cyber attacks increase at an unprecedented pace, more and more businesses are purchasing cyber insurance to protect against that risk. The insurance industry now faces an avalanche of claims, and those claims now are moving to the litigation phase.  In one of the first decisions interpreting a cyber insurance policy, an Arizona federal court on May 31 allowed Federal Insurance Company (“Chubb”) to escape liability under a cyber insurance policy for losses arising from the theft of 60,000 credit card numbers from P. F. Chang’s China Bistro, Inc. See P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM, 2016 WL 3055111 (D. Ariz. May 31, 2016).

The Breach and Its Consequences

In 2014, a hacker infiltrated P.F. Chang’s China Bistro’s computer system and stole 60,000 credit card numbers from its customers.  The hacker posted the stolen numbers on the internet.  Chubb insured Chang’s under a “CyberSecurity by Chubb Policy,” and the restaurant immediately provided notice to Chubb of the breach.

Chang’s engaged third parties to investigate the event, notify card holders and provide legal and other advice, and to help it carry out its breach notification obligations.  Unfortunately, P.F. Chang’s also had to defend class action lawsuits.  Chubb provided coverage for these costs, which were approximately $1.7 million.

Chubb refused to provide coverage for the remainder of P.F. Chang’s loss, however.  Credit card holders are protected from fraudulent charges arising from the theft of credit cards.  The banks issuing the credit cards (the issuing banks) reimburse the card holders for the losses.  In addition, the issuing banks are obligated to issue new credit cards.

Issuing banks have recourse, however.  The issuing banks enter into contracts with MasterCard.  P.F. Chang’s (and all merchants accepting credit cards) enters into contracts with acquiring or merchant banks to process charges, and the acquiring banks enter into contracts with MasterCard.  A set of rules published by MasterCard governs the relationships among the issuing banks, MasterCard and the acquiring banks, and these rules are incorporated into MasterCard’s contracts with issuing banks and acquiring banks.  In the event a retailer suffers a security breach resulting in unauthorized access to account data, these rules hold the retailer’s acquiring bank liable for the fraudulent charges incurred by the issuing banks.  This is accomplished through an assessment from the payment card brand.  The acquiring bank, in turn, has recourse against the retailer who experienced the breach.

Here, MasterCard issued a roughly $1.9 million assessment to the acquiring bank and processor of P.F. Chang’s credit card sales.  The assessment included several components.  About $1.7 million comprised fraudulent charges; about $200,000 involved notification and card replacement costs and administrative fees.  Chang’s’ contract with the acquiring bank obligated the restaurant to pay the assessment.  P.F. Chang’s demanded that Chubb reimburse the MasterCard assessment, and Chubb denied coverage.

The Coverage Litigation

P.F. Chang’s filed suit against Chubb.  Chubb moved for summary judgment, arguing the claim fell outside the policy’s insuring agreement and that the losses were excluded.  Although the court noted at the outset of the opinion that Chubb had marketed the policy as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” that “[c]overs direct loss, legal liability, and consequential loss resulting from cyber security breaches,” it nevertheless agreed with Chubb and granted its motion for summary judgment.

P.F. Chang’s argued the majority of the assessment by MasterCard (the fraudulent charges), for which Chang’s was contractually liable, fell within the policy’s grant of coverage for Privacy Injury, which the policy defined as an “injury sustained or allegedly sustained by a ‘Person’ because of actual or potential unauthorized access to such ‘Person’s’ ‘record’ . . . .” The court rejected the insured’s claim and held that the Privacy Injury coverage applied only when a person suffering the privacy injury made a claim against the insured, and because the acquiring bank had not suffered a privacy injury, the Privacy Injury coverage did not apply.

Relying on cases interpreting commercial general liability policies, the court also found that two contractual liability exclusions barred coverage for the entire claim. These included an exclusion for “any liability assumed by any ‘Insured’ under any contract or agreement and an exclusion for “any cost or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any ‘insured.’”  Because P.F. Chang’s had agreed to reimburse the acquiring bank for the assessments, the court concluded the exclusions applied.

In reaching this decision, the court rejected P.F. Chang’s argument that the exclusion should not apply because Chang’s would have been liable to the acquiring bank even in the absence of the indemnification agreement. The court also found unavailing the restaurant’s argument that its payment to the acquiring bank was the “functional equivalent” of compensating the victims of Privacy Injury, because P.F. Chang’s failed to offer evidence that it would have been liable for the MasterCard assessment absent the agreement with the bank.

The court finally rejected Chang’s argument that coverage existed under the reasonable expectations doctrine. Although P.F. Chang’s presented evidence that Chubb represented that its policy afforded coverage for direct loss, legal liability and consequential loss resulting from cyber security breaches, the court concluded that this evidence was insufficient to establish that Chang’s had a reasonable expectation of coverage for the payments it made to its bank.

Impact

P.F. Chang’s purchased an insurance policy to protect itself from liability arising from a breach of its computer systems, but in this case, the cyber insurance policy provided only a partial recovery for the insured.  Contrary to basic principles of insurance law, the court narrowly construed the insuring agreement and broadly construed the exclusions to find that no coverage existed for the losses arising from the claim by the acquiring bank against Chang’s.  While it is true that the acquiring bank’s own “records” were not stolen, the fraudulent charges arose from claims by customers whose card numbers were stolen.  The acquiring bank was merely a conduit to pass along those losses.  Therefore, the court should have found coverage.

This case demonstrates that carriers will advertise that their policies offer broad coverage, but when faced with a claim, insurers will fight hard to limit the coverage.

The ruling also sends a clear warning to retailers.  A primary risk to a retailer following a cyber breach is an assessment from Visa or MasterCard passed on to it by an acquiring bank, and this court found that losses arising from these assessments are not covered losses, at least under this Chubb policy.

It is important for policyholders to evaluate the purchase of a cyber insurance policy carefully, and if you have purchased a cyber policy, you should consider carefully the coverage that is available under that policy.  Property and general liability policies are standardized, but the market for cyber insurance is dynamic, and cyber policies vary significantly.  One cyber policy may cover a loss and another may not.

Risk managers and business owners should consult with coverage counsel as they evaluate the purchase of a cyber policy.  McGuireWoods can assist, and for more information, please see our Legal Alert, A Buyer’s Guide to Cyber Insurance.