A Close Look at Policy Wording Is Essential to Ensure Coverage for Cyber Risks

Bradley Arant Boult Cummings LLP

As the demand for insurance coverage for cyber-related losses continues to grow, more insurance companies are offering cyber insurance policies and endorsements, but the market is far from mature and the available policies far from complete. Insurers have not adopted a unified approach to cyber policies, nor do they offer identical coverages. Due to the variance between available cyber insurance policies and endorsements, policyholders should carefully weigh their cyber risks against proposed cyber coverage to understand the scope of coverage actually available to address company exposures. Insureds should closely examine policy wording, rather than relying on policy labels or marketing materials.

One of the first published cases interpreting a cyber policy illustrates this point. When hackers accessed 60,000 credit card numbers in P.F. Chang’s customer database, the restaurant chain’s cyber policy covered the costs of the forensic investigation into the cause of the data breach to prevent a recurrence, as well as the costs of defense against customer lawsuits arising from the breach, to the tune of some $1.7 million (P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co.). Most cyber policies include coverage for first-party losses as well as liability to third parties. Unfortunately, P.F. Chang’s cyber policy did not cover the nearly $2 million in expenses imposed by credit card issuers such as MasterCard to pay for such items as notifications to cardholders and reissuance of credit cards compromised by the breach. Many cyber policies offer coverage for these types of fines and penalties, albeit for an additional premium.

Those expenses, including fines and penalties, were passed through to P.F. Chang’s via its Master Services Agreement with the restaurant’s third-party credit card processor, Bank of America Merchant Services (BAMS). The agreements between servicers such as BAMS and credit card associations require the servicers to abide by Payment Card Industry Data Security Standards (PCI-DSS) and pay for losses arising from a data breach. These rules and obligations were incorporated into the contract between P.F. Chang’s and BAMS, requiring P.F. Chang’s to reimburse BAMS for any PCI-DSS assessments.

P.F. Chang’s and other restaurants and retailers rely on these servicers to process credit-card transactions on a daily basis. Yet in no fewer than three places, P.F. Chang’s cyber policy excluded liability assumed under a contract such as the one with BAMS. Arizona’s “reasonable expectations” doctrine, which favors policyholders, could not save P.F. Chang’s from the court’s interpretation of the plain wording of the policy.

A contractual liability exclusion is a standard exclusion in most commercial general liability policies. However, the exclusion typically incorporates exceptions for “insured contracts.” CGL policies incorporate this exclusion because these policies are primarily intended to cover a third party’s tort claims against a policyholder, not a policyholder’s financial losses arising from a contract. CGL policies also typically exclude coverage for fines and penalties such as those imposed by credit card associations. The P.F. Chang’s decision highlights the need for contractual liability, fines and penalties coverage for policyholders who accept credit card payments.

On January 27, 2017, the Ninth Circuit granted a joint stipulation to dismiss P.F. Chang’s appeal of the district court’s decision after the parties reached a settlement. We do not know the details of the settlement, but it preserved this insurer-friendly decision to the detriment of policyholders.

This watershed case is a cautionary tale. The wild world of cyber-related risks is difficult to pin down – ranging from the obvious but mundane, such as theft of a company laptop, to the worst-case scenario of a system-wide hack that could cause a major disruption, loss of business, and extensive liability. As P.F. Chang’s shows, it pays to assess your company’s risks and closely examine your policy to ensure you have the coverage you need.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bradley Arant Boult Cummings LLP | Attorney Advertising
