Whether it is Russian election hacking or the major data breaches that have made headlines recently, it is difficult to think of a day in recent memory in which we haven’t heard about hacking or data breaches. In light of this climate, it is no surprise that the market of insurance against cyber risks and data breaches is growing rapidly. Because of the novelty of cybersecurity insurance policies, there appears to be very little judicial guidance as to what types of losses are covered and what losses may be properly excluded from coverage. However, the case of P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co. may provide insight into how courts may address coverage of losses common to data breaches as similar cases are litigated in the future.
In 2014, Federal Insurance Company (“Federal”) sold a “CyberSecurity Policy” (“the Policy”) to P.F. Chang’s, parent company, which it marketed as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world.” The majority of P.F. Chang’s customer transactions were made with credit cards and it contracted with Bank of America Merchant Services (“BAMS”) to service all of its credit card transactions. Under that agreement, P.F. Chang’s agreed to compensate BAMS for all “fees, fines, penalties, or assessments” imposed on BAMS by credit card associations.
On June 10, 2014, P.F. Chang’s learned that hackers had breached their systems and stolen approximately 60,000 customer credit card numbers, and it notified Federal the same day. Federal paid more than $1,700,000 to P.F. Chang’s for covered losses incurred as a result of the data breach. However, on March 2, 2015, BAMS requested that P.F. Chang’s pay, pursuant to their agreement, an assessment of $1,716,908.85, which the credit card companies claimed was the total cost that they incurred as a result of the data breach for issuing new cards, changing account numbers, paying fraud protection, etc. P.F. Chang’s submitted the assessment to Federal for payment under the Policy. Federal denied the claim and P.F. Chang’s filed suit for breach of contract.
On Federal’s Motion for Summary Judgment, it argued that the loss was not covered by the applicable insuring agreements, and was otherwise excluded by the Policy. Federal argued that the primary insuring agreement did not cover the loss because it only applied to “Privacy Injury”, which was defined as “injury sustained or allegedly sustained by a person because of actual or potential unauthorized access to such person’s record.” Federal argued that the BAMS assessment was not a “Privacy Injury” because none of BAMS’s or the credit card companies’ records were breached. The Court agreed.
However, the Court did find that the Policy covered the BAMS assessment under two other provisions. First, the “Privacy Notification Expenses” clause provided that Federal would pay all costs incurred by P.F. Chang’s to notify “those persons who may be directly affected by the potential or actual [data breach] and changing such person’s account numbers, other identification numbers and security codes.” Federal argued that because the costs were “incurred” by the credit card companies and BAMS, rather than P.F. Chang’s directly, the Policy did not cover them. The Court disagreed finding that the term “incur” included P.F. Chang’s contractual obligations to pay such costs. Second, Federal argued that the loss was not covered under the catch-all “Extra Expenses” provision, because the loss was paid after the “Period of Recovery Services.” The Court flatly rejected that argument because P.F. Chang’s contended that it’s recovery from the breach was ongoing.
Nonetheless, the Court granted summary judgment in favor of Federal because two exclusions and the definition of “Loss” in the Policy did not allow P.F. Chang’s to recover for contractual losses. The Policy defined loss broadly but specifically did not include “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any insured.” Similarly, one provision excluded coverage for “any loss on account of any claim, or for any expense based upon, arising from or in consequence of any…liability assumed by any insured under any contract or agreement.” Another provision excluded coverage for “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any insured.” P.F. Chang’s argued that the loss was common to data breaches and that it could be liable for the costs of the assessment under a number of theories.
In making its decision, the Court acknowledged that “because cybersecurity insurance policies are relatively new to the market,” it looked to cases analyzing commercial general liability policies in order to interpret the Policy. Ultimately, the Court ruled that the only conclusion a jury could reach was that the assessment was contractual and that it was excluded under the Policy.
While we have yet to see much litigation of these coverage issues, this case may provide meaningful insight for the future. The important takeaways here are that the Court interpreted coverage broadly, but upheld the contractual damages exclusions by relying on existing cases interpreting commercial general liability policies. It seems likely that Courts will continue to rely on interpretations of existing policy types when analyzing the relatively new category of cybersecurity policies.
 P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., 2016 U.S. Dist. LEXIS 70749, 2016 WL 3055111 (May 31, 2016, D. Ariz.)