[BreachExchange] P.F. Chang’s Arizona District Ruling Highlights Potential Pitfalls of Cyber Insurance

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jun 16 18:15:37 EDT 2016


http://www.natlawreview.com/article/pf-chang-s-arizona-district-ruling-highlights-potential-pitfalls-cyber-insurance

Data breaches suffered by retailers and other businesses that handle
payment cards can result in substantial assessments by card brands such as
MasterCard and Visa. Retailers typically do not process payment card
transactions directly with the banks that issue their customers’ cards.
Instead, they contract with an intermediary—called an acquiring or
servicing bank—to process their customers’ card transactions with the
card-issuing banks. In the event of a payment card data breach, the card
brands typically impose assessments on the retailer’s acquiring bank, which
in turn pursues indemnification under its service contract with the
retailer.

That was the situation in P.F. Chang’s v. Federal Insurance Co., in which a
federal district court in Arizona recently held that Chang’s had no cyber
coverage for over $1.9 million in credit card assessments that it had to
pay as a result of a data breach. The Chang’s court found that the Federal
cyber policy’s “Privacy Injury” coverage did not respond to an acquiring
bank’s claim against Chang’s for reimbursement of card brand assessments,
because the Federal policy’s definition of “Privacy Injury” required that
the compromised confidential records at issue be the claimant’s. As is
typical, the payment card information stolen by the hackers belonged to
Chang’s customers and the card-issuing banks, not the acquiring bank that
made the actual claim for reimbursement by Chang’s.

To make matters worse for Chang’s, the court found that Federal’s
contractual liability exclusion applied to otherwise covered aspects of the
acquiring bank’s underlying claim. The exclusion lacked customary
carve-outs, and the court hewed strictly to the policy language excluding
liability that the insured “assumed . . . under any contract or agreement.”
The court ruled that this language barred coverage because Chang’s
liability arose from an indemnification agreement with its acquiring bank.

Notably, Chang’s policy did not include Payment Card Industry (“PCI”)
coverage, a common coverage option found in cyber policies for retailers
and other entities that handle payment card data. PCI coverage expressly
insures amounts assessed by the card brands in the event of a data breach.

Although Federal had marketed its cyber policy as “a flexible insurance
solution designed by cyber risk experts to address the full breadth of
risks associated with doing business in today’s technology-dependent world”
that “[c]overs direct loss, legal liability, and consequential loss
resulting from cyber security breaches,” the Chang’s court was unmoved by
arguments based upon the insured’s reasonable expectations of coverage.
Because Chang’s and Federal were deemed to be “sophisticated parties well
versed in negotiating contractual claims,” the court held that Chang’s
reasonable expectations were confined to what was spelled out in the actual
policy.

Cyber insurance has become an essential line of coverage for many
businesses, particularly those that handle payment card transactions. But
the Chang’s case is a cautionary tale: a cyber insurance purchase requires
both expertise and care. Cyber policy language is not standardized and
requires expert scrutiny for hidden booby traps or coverage gaps. Indeed,
the adverse decision in Chang’s might have been avoided if the insured had
purchased PCI coverage and negotiated appropriate carve-outs to an
unusually broad contractual liability exclusion.