[BreachExchange] Does Your Company Have Coverage for PCI Fines & Penalties in its Cyber Policy?

Fri Jun 24 14:59:02 EDT 2016

http://www.natlawreview.com/article/does-your-company-have-coverage-pci-fines-penalties-its-cyber-policy

Payment Card Industry fines and penalties are fines charged by payment card
brands like Mastercard and Visa to merchants’ acquiring banks for violation
of their industry rules and regulations, which often occurs when there is a
data breach. PF Chang thought it had coverage for PCI Fines & Penalties,
that it was ultimately responsible for paying, in its cyber policy. The
District Court of Arizona recently ruled that it did not. P.F. Chang’s
China Bistro, Inc. v. Federal Insurance Company, 2016 U.S. Dist. LEXIS
70749 (D. Ariz. May 31, 2016). PF Chang suffered a data breach in 2014
after a hacker obtained and posted 60,000 of its customers’ credit card
numbers on the internet. Its cyber insurer, Federal Insurance Company,
initially paid out more than $1.7 million toward the covered cost of
forensic investigation and costs to defend underlying litigation filed
against PF Chang by its impacted customers and a bank that issued credit
card information.

PF Chang then sought additional coverage of $1.9 million for reimbursement
of PCI Fines & Penalties that it was obligated to reimburse its merchant
acquiring bank Bank of America Merchant Services (BAMS) pursuant to a
Master Services Agreement (MSA) entered into between BAMS and PF Chang.
Federal denied coverage for this additional $1.9 million PCI Fines and
Penalties.

The District Court agreed with Federal’s position, finding that there was
only explicit coverage in the policy for less than 10% of the $1.9 million
of Fines & Penalties under the first party privacy notification expense
coverage (for the $163,000 ADC Operational Reimbursement portion of the
total PCI Fines & Penalties being sought), given that PF Chang was
ultimately liable for this cost pursuant to the MSA.

However, the court went on to analyze whether any exclusions applied that
would preclude coverage for this covered amount. It concluded that no
coverage exists for PCI Fines & Penalties here due to the liability assumed
by contract exclusions (as well as the definition of “Loss”) because PF
Chang explicitly assumed the liability in the MSA to pay any PCI Fines &
Penalties assessed against BAMS.

The takeaways from this case: (1) If your company’s cyber policy does not
already explicitly cover PCI Fines & Penalties in its coverage grants,
particularly in the first party privacy notification or event management
coverages and any extra expense coverage, you should negotiate this
coverage in to the coverage grants explicitly right away. (2) In addition,
you must also make sure your coverage carves back the exclusions relating
to liability assumed under contract and any fines and penalties exclusions
(both in the exclusions and in the definition of “loss”), such that PCI
Fines & Penalties are explicitly excepted from these exclusions. (3) Last,
you need to make sure you have adequate explicit limits for PCI Fines &
Penalties. Many carriers only offer minimal sublimits of coverage for this
issue. However, be aware that additional limits may be available, perhaps
at an additional premium if you ask and negotiate for them. As you can see
from PF Chang’s lawsuit, the PCI Fines & Penalties ($1.9 million) can be
more than the rest of the loss related to the claim ($1.7 million). Make
sure that your company has explicit coverage and carvebacks to standard
exclusions as well as sufficient limits under your company’s cyber policy.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160624/d68ead98/attachment.html>