Federal Court Decision Underscores Need to Review Insurance Coverage for Cyber Risks
On May 31, 2016, the U.S. District Court for the District of Arizona handed down what appears to be the first opinion to rule on the merits of a coverage dispute under a cyber-security insurance policy over losses in connection with a data breach, denying the reimbursement of certain assessments and fees imposed by MasterCard. The case, P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co., 2016 WL 3055111 (D. Ariz. May 31, 2016), underscores that companies should review the exclusions and limitations in their insurance policies to ensure that the appropriate coverage is provided for the particular cyber-security risks they face.
Cybercrime has been increasing in recent years, resulting in significant losses to companies that suffer data breaches. In response, many companies now purchase insurance policies specifically aimed at covering such losses.
In this case, Federal sold P.F. Chang’s corporate parent a cyber-security policy by Chubb, effective from January 1, 2014 through January 1, 2015. According to the opinion, Federal’s website markets the policy as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology dependent world that covers direct loss, legal liability, and consequential loss resulting from cyber security breaches.”
One of the cyber-security risks faced by merchants like P.F. Chang’s is the risk of a payment card data security breach, including the risk of claims being asserted by third parties over such a breach. One type of claim that frequently is asserted in the wake of a payment card data breach is the fines, fees, and assessments imposed by the major payment card brands such as Visa and MasterCard, including amounts that purport to be designed to reimburse financial institutions that issued the compromised cards for their costs of reimbursing consumers for fraudulent charges and for measures they purportedly have taken to mitigate the risk of fraud, such as replacing cards. Merchants like P.F. Chang’s cannot process credit card transactions or payments by themselves, so they enter into contractual arrangements with third-party “servicers” or “acquirers” who facilitate the processing of those transactions. The servicer or acquirer, for its part, enters into a contract with Visa or MasterCard, which permits the servicer/acquirer to participate in the payment card system and may purport to obligate the servicer/acquirer to reimburse those fines, fees, and assessments that Visa or MasterCard might unilaterally impose on the servicer/acquirer in the wake of a data security breach at one of its merchant customers.
Here, P.F. Chang’s had entered into an agreement with Bank of America Merchant Services (“BAMS”) to serve as its servicer/acquirer, and BAMS in turn entered into an agreement with MasterCard. In its agreement with BAMS, P.F. Chang’s agreed to reimburse BAMS for any such fines, assessments and fees.
On June 10, 2014, P.F. Chang’s learned that it had experienced a data security breach in which computer hackers allegedly obtained and posted on the internet about 60,000 customers’ credit card numbers. On the same day, it notified Federal of the breach. On March 2, 2015, MasterCard imposed assessments and fees on BAMS totaling $1,929,921.57. Eight days later, BAMS sent a letter to P.F. Chang’s seeking reimbursement for the assessments and fees. After reimbursing BAMS, P.F. Chang’s notified Federal and sought indemnification, but Federal refused to pay. On May 21, 2015, P.F. Chang’s sued Federal for breach of contract and declaratory judgment.
U.S. District Court of Arizona Opinion
The U.S. District Court for the District of Arizona, applying Arizona law, granted Federal’s motion for summary judgment, holding that no coverage existed. The court arrived at its conclusion through a detailed analysis of the relevant policy provisions, most importantly the exclusion provisions and the definition of loss.
According to the court, the exclusion provisions and definition of loss generally barred coverage for contractual obligations assumed by an insured with a third party outside of the policy. For example, Exclusion D.3.b stated that, “[w]ith respect to all Insuring Clauses, [Federal] shall not be liable for any Loss on account of any Claim, or for any Expense . . . based upon, arising from or in consequence of any . . . liability assumed by any Insured under any contract or agreement.” Despite P.F. Chang’s argument that these exclusions did not apply here, the court stated that “such contractual liability exclusions apply to the assumption of another’s liability, such as an agreement to indemnify or hold another harmless.” The court found that the agreement between P.F. Chang’s and BAMS met this description, thus triggering the exclusions and barring coverage for all assessments and fees imposed upon BAMS by MasterCard. It explained that P.F. Chang’s liability for these assessments and fees arose entirely from its contract with BAMS, in which P.F. Chang’s had voluntarily agreed to reimburse BAMS for them.
In addition, the court held that even if the above exclusions did not completely bar coverage for the assessments and fees (which, the court held, they did), one of the assessments – an assessment that purported to be designed to reimburse banks that issued the compromised cards for fraudulent charges made on those cards – was in any event outside the insuring clauses of the policy. P.F. Chang’s had argued this assessment fell within a provision generally providing coverage for claims asserted for unauthorized access to records, but the court interpreted this provision as providing coverage only for claims brought by the entity whose records were compromised. Here, the court held that the compromised “records” were the payment card data belonging to the issuing banks, not records of BAMS, the entity asserting the claim against P.F. Chang’s.
Last, the court considered the Reasonable Expectation Doctrine, which allows for coverage of a risk even when that risk falls outside of the policy terms, provided that two conditions are met: “First, the insured’s expectation of coverage must be objectively reasonable, [and] [s]econd, the insurer must have had reason to believe that the [insured] would not have purchased the . . . policy if they had known that it included the complained of provision.” The court concluded this doctrine did not assist P.F. Chang’s in this case, since the first condition could not be met: according to the court, no evidence in the record suggested that P.F. Chang’s had expected these assessments and fees to be included in the policy.
While several prior decisions have ruled on disputes over coverage for data breach-related losses under traditional insurance policies, such as commercial general liability policies, P.F. Chang’s appears to be the first to rule on the merits of a coverage dispute for such losses under a cyber-security insurance policy. The decision underscores that even a cyber-security policy might not be found to cover all of the cyber risks companies face, and that companies should therefore carefully review their current coverage (or any policy the company is considering purchasing) to ensure that any risks sought to be covered are included. They should pay particular attention to the language of any exclusion provisions, such as the ones at issue in this case, and where such exclusions exist, consider supplementing their policy with an endorsement tailored to cover the otherwise excluded risks.
In addition, in future negotiations of cyber-security insurance policies, to the extent that companies have concerns about particular provisions or find them ambiguous, they should consider documenting their negotiations and understanding of what risks are covered under the policy. The P.F. Chang’s court’s analysis suggested that, had the court concluded that P.F. Chang’s reasonably expected coverage for the assessments and fees and that the insurer had reason to believe P.F. Chang’s would not have purchased the policy if it had known they were not covered, the court might have ruled in P.F. Chang’s favor under the Reasonable Expectation Doctrine.
For more information regarding this decision or to discuss cyber-security insurance generally, please feel free to contact Heather Egan Sussman, Doug Meal, Seth Harrington, David McIntosh, Mark Szpak, Michelle Visser, Paul Rubin, Debbie Gersh, Tim McCrystal, Laura Hoey, Marc Berger, or another member of Ropes & Gray’s leading privacy & data security team.