On May 31, 2016 the US District Court for the District of Arizona held that a cyber insurance policy issued by Chubb does not cover liabilities to credit card issuers arising from a 2014 data breach at P.F. Chang’s China Bistro. The decision is important because it highlights an ongoing challenge companies face in getting such losses covered under cyber policies.
The Data Breach
P.F. Chang’s discovered the data breach in June 2014. The breach involved 33 restaurants and compromised the credit card data of roughly 60,000 customers. On learning of the breach, P.F. Chang’s reported it immediately to Federal Insurance Company (Chubb).
The Covered Losses
As is typical in a breach like this, P.F. Chang’s engaged third parties to investigate the event, to provide legal and other advice, and to help it carry out its breach notification obligations. Unfortunately P.F. Chang’s also had to defend class action litigation from customers affected by the breach. All of these costs (roughly $1.7 million) were covered and paid under the Chubb policy.
The Losses Not Covered
To understand P.F. Chang’s losses that aren’t covered under the Chubb cyber policy, it is important to understand how those losses arise.
When a credit card data breach takes place, stolen card data is used in fraudulent transactions. Payment cardholders are largely shielded from having to pay the fraudulent charges. The banks that issue the credit cards involved (known as issuing banks) are responsible for them instead. Not only are they stuck with the fraudulent charges (known as incremental counterfeit fraud loss), they also incur costs to reissue new cards (known as operational reimbursement).
The banks are not without recourse though. Through a web of contracts between issuing banks, the payment card brands, the banks that merchants use to handle credit card transactions (known as acquiring or merchant banks), and merchants like P.F. Chang’s, the issuing banks can recover some of their losses indirectly from the merchant that had the breach. This is accomplished through an assessment (commonly called a PCI DSS assessment) from the payment card brand.
In 2015 MasterCard issued a roughly $1.9 million PCI DSS assessment to Bank of America Merchant Services (BAMS), P.F. Chang’s credit card processor and acquiring bank. In addition to incremental counterfeit fraud loss and operational reimbursement, the assessment included a $50,000 “case management fee,” essentially a fine for P.F. Chang’s noncompliance with payment card industry data security standards. P.F. Chang’s contract with BAMS made P.F. Chang’s liable for the assessment.
P.F. Chang’s forwarded BAMS’ letter demanding reimbursement for the MasterCard assessment to Chubb. Chubb refused to pay the assessment amount, and P.F. Chang’s then filed suit against Chubb.
In the lawsuit P.F. Chang’s argued that the policy’s Cyber Liability insuring clause covered the assessment’s incremental counterfeit fraud loss component. Chubb took the position that the coverage did not apply because (a) the insuring clause requires the claimant’s data to have been compromised, and (b) BAMS’s data was not compromised. The court agreed.
P.F. Chang’s asserted that the operational reimbursement part of the assessment was covered under the Chubb policy’s Privacy Notification Expenses insuring clause. The company argued that MasterCard’s Security Rules made it clear that the operational reimbursement “fee” is used to notify affected individuals and to reissue credit cards. Although it isn’t clear from the decision, I suspect P.F. Chang’s may have argued that the act of sending a new card operated to notify individuals of a data breach. Somewhat surprisingly, the court agreed. The court also rejected an argument by Chubb that BAMS, and not P.F. Chang’s, incurred the expense. The judge found that P.F. Chang’s incurred the expense because it was liable to BAMS for the operational reimbursement amount.
With respect to the $50,000 case management fee, P.F. Chang’s argued that it was covered as “Extra Expenses” under the policy’s E-Business Interruption and Extra Expenses insuring clause. That clause covers “Extra Expenses” and other loss incurred during a defined period of time specified in the policy during which P.F. Chang’s business activities are impaired as a result of fraudulent access to its computer system. The policy defines “Extra Expenses” to include reasonable expenses above normal operating costs that are incurred to continue business activities. P.F. Chang’s maintained that its business operations would be substantially impaired if it did not pay the MasterCard case management fee and therefore could not accept its customers’ credit cards. The court agreed. (The court also declined to make a definitive ruling on an argument by Chubb that P.F. Chang’s did not pay the case management fee during the time period specified in the policy.)
It was all downhill for P.F. Chang’s after that.
Although P.F. Chang’s persuaded the court that two out of three components of the assessment were potentially covered, Chubb argued that various policy terms, particularly the policy’s exclusion for claims based on liability under any contract or agreement, precluded all coverage for the claim. Chubb pointed to the fact that P.F. Chang’s liability for the assessments arises from its contract with BAMS. Although P.F. Chang’s made some creative arguments to establish that it would have liability for the assessment in the absence of the contract with BAMS (which would trigger an exception to the contractual liability exclusion), the court found that the exclusion applied to the entire assessment.
Game over for P.F. Chang’s.
How could this have happened? Isn’t a loss like this the reason why companies buy cyber policies? P.F. Chang’s certainly thought so. They argued in vain to the court that the company reasonably expected that assessments would be covered under its cyber policy.
While there are legal reasons why the court didn’t accept it, I have a lot of sympathy for P.F. Chang’s argument. Assessments are often the largest losses companies incur as a result of a payment card data breach. It is reasonable to suppose that an insurer selling a cyber policy to a company like P.F. Chang’s would understand that assessments are what the company is most concerned about covering, and that the insurer would not exclude coverage for assessments without making it exceedingly clear that they were doing so.
P.F. Chang’s obviously didn’t get the cyber policy it needed. There are a few possible reasons for that.
Because the court decision is silent on the placement of the Chubb policy, I can’t dismiss the possibility that Chubb made its intentions clear before binding the policy. That seems unlikely though, as Chubb certainly would have raised that fact in the litigation with P.F. Chang’s. Similarly, Chubb may have offered PCI DSS assessment coverage by optional endorsement, and P.F. Chang’s decided not to buy it. That also seems doubtful given the prevalence of payment card transactions in the company’s restaurants.
I think what may have happened is that no one at P.F. Chang’s, at its insurance broker, or perhaps even at Chubb, understood the PCI DSS assessment process well enough to ensure that the policy clearly covered, or clearly didn’t cover, assessments. I know from my own experience that many underwriters and others only gained a full working knowledge of PCI DSS assessments as a result of the many breaches faced by retailers in 2013 and 2014. It may be that no one fully appreciated how the policy would perform when a breach like this took place.
What lessons should we draw from P.F. Chang’s experience?
- Companies must understand the scope of their cyber coverage; and
- Companies that accept payment cards must ensure that their cyber policies cover PCI DSS assessments.
Those probably seem sensible to you, but actually doing them may not be as simple as it sounds.
As I mentioned in my last post, cyber policies are not standardized, and the risks they cover may not be well understood by companies. Companies could read a policy like the one Chubb sold to P.F. Chang’s and mistakenly conclude that the policy covers all important risks. To avoid that mistake companies need to work with brokers, lawyers, or others that are very familiar with cyber policy terms to ensure that the coverage is as broad as necessary.
Obtaining coverage for PCI DSS assessments can be difficult. Insurers historically have been hesitant to cover them because they are not the result of a transparent and contested proceeding such as a lawsuit. While insurers are more willing today to offer coverage, it can still be difficult to get. Off-the-shelf policies may not cover assessments at all, or may not cover them well. It is essential to get the policy wording right. Getting it wrong could be a multimillion-dollar blunder.