[BreachExchange] District Court Grants Summary Judgment Against P.F. Chang’s In Cybersecurity Insurance Case

Audrey McNeil audrey at riskbasedsecurity.com
Wed Jun 22 19:51:21 EDT 2016


http://www.jdsupra.com/legalnews/district-court-grants-summary-judgment-63551/

On June 13, 2016, the United States District Court for the District of
Arizona granted summary judgment against P.F. Chang’s China Bistro, Inc.
(“P.F. Chang’s”) in a cybersecurity insurance lawsuit that it brought
against its insurer, Federal Insurance Company (“Federal”). On June 10,
2014, P.F. Chang’s discovered that it had suffered a data breach in which
hackers improperly acquired the credit card numbers of approximately 60,000
of its customers and posted them on the Internet. That same day, P.F.
Chang’s informed its cybersecurity insurer, Federal, of the breach. So
far, Federal has reimbursed P.F. Chang’s more than $1,700,000 pursuant to
the cybersecurity insurance policy (the “policy”) that it sold to P.F.
Chang’s. That reimbursement has covered various costs associated with the
breach, such as a forensic investigation and defending litigation initiated
by customers whose credit card numbers were improperly obtained.

On March 2, 2015, MasterCard, a credit card issuer (the “issuer”), imposed
three monetary assessments on P.F. Chang’s credit card servicer, Bank of
America Merchant Services (“the servicer”), for costs associated with the
breach: a Fraud Recovery Assessment of $1,716,798.85, an Operational
Reimbursement Assessment of $163,122.72, and a Case Management Fee of
$50,000. Subsequently, pursuant to a master service agreement between the
servicer and P.F. Chang’s, the servicer directed P.F. Chang’s to reimburse
it for the assessments that the issuer had imposed. P.F. Chang’s reimbursed
the servicer for the assessments; however, P.F. Chang’s then sought
coverage for the reimbursement from Federal pursuant to the cybersecurity
insurance policy. Federal denied coverage and P.F. Chang’s initiated a
lawsuit.

There are two critical parts of the Court’s decision. First, the Court
addresses the policy’s exclusion provisions and its definition of loss.
According to Exclusion D.3.b, “[w]ith respect to all Insuring Clauses, [the
insurer] shall not be liable for any Loss on account of any Claim, or for
any Expense . . . based upon, arising from or in consequence of any . . .
liability assumed by any Insured under any contract or agreement.” Under
Exclusion B.2, “[w]ith respect to Insuring Clauses B through H, [the
insurer] shall not be liable for . . . any costs or expenses incurred to
perform any obligation assumed by, on behalf of, or with the consent of any
Insured.” Moreover, according to Insuring Clause A, loss does not include
“any costs or expenses incurred to perform any obligation assumed by, on
behalf of, or with the consent of any Insured.” The Court characterized the
three exclusions that Federal asserted as sharing a single function—to bar
coverage for contractual obligations an insured assumes with a third party
outside of the Policy. The Court agreed with Federal’s contention that the
assessments for which P.F. Chang’s sought coverage arose from liability
assumed by P.F. Chang’s to the servicer and, therefore, they were excluded
from coverage. P.F. Chang’s argued that the exclusions do not apply to
obligations that the insured is responsible for absent any assumption of
liability, but this was not an express exception to the exclusions in the
contract. The Court held that contractual liability exclusions apply to the
assumption of another’s liability, such as an agreement to indemnify or
hold harmless. It concluded that P.F. Chang’s agreement with the servicer
met this criterion and triggered the exclusions because in the master
services agreement between P.F. Chang’s and the servicer, P.F. Chang’s
agreed to reimburse or compensate the servicer for any fees, fines,
penalties, or assessments imposed on the servicer by the issuer. Finally,
the Court concluded that even if the law permits an exception, the
policyholder did not direct the Court to any evidence in the record that
P.F. Chang’s would have been liable for the assessments but for its
agreement with the servicer.

The second critical component of the Court’s decision concerned a potential
source of coverage other than the policy. Specifically, P.F. Chang’s argued
that coverage also existed under the reasonable expectation doctrine.
According to the Court, that doctrine applies only if two prerequisites are
present. First, the insured’s “expectation of coverage must be objectively
reasonable.” Second, the insurer “must have had reason to believe that the
[insured] would not have purchased the . . . policy if . . . [the insured]
had known that it included” the disputed provision. According to the Court,
the record lacked any “supporting evidence that during the underwriting
process P.F. Chang’s expected that coverage would exist for Assessments
following a hypothetical data breach.” On that basis, the Court determined
that the first prerequisite was absent. Therefore, the Court concluded that
coverage did not exist pursuant to the reasonable expectation doctrine.

The law in the area of coverage for data breaches is still evolving as
companies seek coverage under commercial general liability, cyber, crime,
and other policies. This decision is noteworthy because of the Court’s
examination of the issue of recovering for data breach losses under
provisions of a specific cyber policy.  Because these policies are all very
different, companies are encouraged to examine the particular provisions of
their own cyber policies and review any questions with coverage counsel.

A copy of the Court’s decision is available here (
https://kslawemail.com/84/1096/uploads/p.f.chang-sv.federalinsuranceco.pdf).