District Court Grants Summary Judgment Against P.F. Chang’s In Cybersecurity Insurance Case

King & Spalding
Contact

On June 13, 2016, the United States District Court for the District of Arizona granted summary judgment against P.F. Chang’s China Bistro, Inc. (“P.F. Chang’s”) in a cybersecurity insurance lawsuit that it brought against its insurer, Federal Insurance Company (“Federal”). On June 10, 2014, P.F. Chang’s discovered that it had suffered a data breach in which hackers improperly acquired the credit card numbers of approximately 60,000 of its customers and posted them on the Internet.  That same day, P.F. Chang’s informed its cyber security insurer, Federal, of the breach. So far, Federal has reimbursed P.F. Chang’s more than $1,700,000 pursuant to the cybersecurity insurance policy (the “policy”) that it sold to P.F. Chang’s. That reimbursement has covered various costs associated with the breach, such as a forensic investigation and defending litigation initiated by customers whose credit card numbers were improperly obtained.

On March 2, 2015, MasterCard, a credit card issuer (the “issuer”), imposed three monetary assessments on P.F. Chang’s credit card servicer, Bank of America Merchant Services (“the servicer”), for costs associated with the breach: a Fraud Recovery Assessment of $1,716,798.85, an Operational Reimbursement Assessment of $163,122.72, and a Case Management Fee of $50,000. Subsequently, pursuant to a master service agreement between the servicer and P.F. Chang’s, the servicer directed P.F. Chang’s to reimburse it for the assessments that the issuer had imposed. P.F. Chang’s reimbursed the servicer for the assessments; however, P.F. Chang’s then sought coverage for the reimbursement from Federal pursuant to the cybersecurity insurance policy. Federal denied coverage and P.F. Chang’s initiated a lawsuit.

There are two critical parts of the Court’s decision. First, the Court addresses the policy’s exclusion provisions and its definition of loss. According to Exclusion D.3.b, “[w]ith respect to all Insuring Clauses, [the insurer] shall not be liable for any Loss on account of any Claim, or for any Expense . . . based upon, arising from or in consequence of any . . . liability assumed by any Insured under any contract or agreement.” Under Exclusion B.2, “[w]ith respect to Insuring Clauses B through H, [the insurer] shall not be liable for . . . any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.” Moreover, according to Insuring Clause A, loss does not include “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.” The Court characterized the three exclusions that Federal asserted as sharing a single function—to bar coverage for contractual obligations an insured assumes with a third party outside of the Policy. The Court agreed with Federal’s contention that the assessments for which P.F. Chang’s sought coverage arose from liability assumed by P.F. Chang’s to the servicer and, therefore, they were excluded from coverage. P.F. Chang’s argued that the exclusions do not apply to obligations that the insured is responsible for absent any assumption of liability, but this was not an express exception to the exclusions in the contract. The Court held that contractual liability exclusions apply to the assumption of another’s liability, such as an agreement to indemnify or hold harmless. It concluded that P.F. Chang’s agreement with the servicer met this criteria and triggered the exclusions because in the master services agreement between P.F. Chang’s and the servicer, P.F. Chang’s agreed to reimburse or compensate the servicer for any fees, fines, penalties, or assessments imposed on the servicer by the issuer. Finally, the Court concluded that even if the law permits an exception, the policyholder did not direct the Court to any evidence in the record that P.F. Chang’s would have been liable for the assessments but for its agreement with the servicer.

The second critical component of the Court’s decision concerned a potential source of coverage other than the policy. Specifically, P.F. Chang’s argued that coverage also existed under the reasonable expectation doctrine. According to the Court, that doctrine applies only if two prerequisites are present. First, the insured’s “expectation of coverage must be objectively reasonable.” Second, the insurer “must have had reason to believe that the [insured] would not have purchased the . . . policy if . . . [the insured] had known that it included” the disputed provision. According to the Court, the record lacked any “supporting evidence that during the underwriting process P.F. Chang’s expected that coverage would exist for Assessments following a hypothetical data breach.” On that basis, the Court determined that the first prerequisite was absent. Therefore, the Court concluded that coverage did not exist pursuant to the reasonable expectation doctrine.

The law in the area of coverage for data breaches is still evolving as companies seek coverage under commercial general liability, cyber, crime, and other policies. This decision is noteworthy because of the Court’s examination of the issue of recovering for data breach losses under provisions of a specific cyber policy.  Because these policies are all very different, companies are encouraged to examine the particular provisions of their own cyber policies and review any questions with coverage counsel.

A copy of the Court’s decision is available here.

Reporter, Barrett R. H. Young, Washington, D.C., +1 202 626 2928, bryoung@kslaw.com.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Written by:

King & Spalding
Contact
more
less

King & Spalding on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.