[BreachExchange] Chubb scores victory in key cyber ruling

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 6 19:02:02 EDT 2016


http://www.businessinsurance.com/article/20160602/NEWS06/160609935/chubb-scores-victory-in-key-cyber-ruling

Chubb Ltd. does not have to reimburse P.F. Chang's for costs charged the
restaurant chain by its credit card processor in connection with a 2014
data breach under its cyber policy, a federal court ruled.

Policyholder attorney Robert D. Chesler, a shareholder with Anderson Kill
P.C. in Newark, New Jersey, said he believes this is the first ruling on a
cyber insurance policy, and is important because it could signal a wave of
litigation between cyber insurers and policyholders.

Chubb Ltd. unit Federal Insurance Co. sold a Cybersecurity by Chubb policy
to Scottsdale, Arizona-based P.F. Chang's China Bistro Inc. corporate
parent Wok Holdco L.L.C. with effective dates from Jan. 1, 2014, to Jan. 1,
2015, according to the Tuesday ruling by the U.S. District Court in Phoenix
in P.F. Chang's China Bistro Inc. v. Federal Insurance Co.

Chubb marketed the policy as covering “direct loss, legal liability, and
consequential loss resulting from cyber security breaches,” according to
the ruling by Judge Stephen M. McNamee.

Chang's and other merchants are unable to process credit card transactions
themselves and must enter into agreements with third parties, said the
ruling.

In this case, Chang's entered into a master service agreement with
Charlotte, North Carolina-based Bank of America Merchant Services L.L.C. to
process credit card payments made by Chang's customers, according to the
ruling.

On June 10, 2014, Chang's learned that computer hackers had obtained and
posted on the internet about 60,000 credit card numbers belonging to its
customers, and the company notified Federal Insurance of the breach that
same day.

To date, Federal has reimbursed Chang's more than $1.7 million under the
cyber policy for costs incurred as a result of the breach, the ruling said.

In March 2015, Bank of America sent Chang's a letter stating it was
obligated to reimburse it a total of $1.9 million in connection with the
breach. Chang's reimbursed Bank of America in April 2015. Federal denied
coverage for this amount, which is separate from the $1.7 million it has
already paid, and Chang's filed suit.

Judge McNamee's technical opinion closely analyzes the Chubb policy, and
concludes on several counts that Federal is not obligated to reimburse the
charges.

One of its clauses, for instance, says Chubb will pay for a claim which it
defines as “a written request for monetary damages … against an insured for
an injury.” Injury is a broad term that encompasses many types of injuries,
including privacy injury, says the ruling.

Federal argued this clause is inapplicable because Bank of America itself
did not sustain a privacy injury because its records were not compromised
during the data breach, and Judge McNamee agreed.

“The court agrees with Federal; (Bank of America) did not sustain a privacy
Injury itself, and therefore cannot maintain a valid claim for injury
against Chang's,” said the ruling, in granting Chubb's motion for summary
judgment.

In April, a federal appeals court reinstated a putative class action
lawsuit filed by two customers of P.F. Chang's who said they were damaged
by the data breach.