On May 31, 2016, the U.S. District Court for the District of Arizona held that P.F. Chang’s obligation to pay its credit card processor nearly $2M following a 2014 data breach was contractual, and therefore not covered under its cyberinsurance policy. Ouch. Let’s back up.
In 2014, hackers posted the credit card numbers of 60,000 P.F. Chang’s customers on the internet. P.F. Chang’s had a Chubb cyberinsurance policy in place, for which it paid a $134,052.00 annual premium. Chubb paid P.F. Chang’s $1.7M in policy benefits to cover forensic investigation, litigation defense and other costs, but that was less than half of the cost of this breach.
Really? Yes, really.
Like most businesses, P.F. Chang’s contracts with a third-party credit card processor, Bank of America Merchant Services (“BAMS“) to process credit card payments. BAMS, in turn, contracts with credit card associations – here, MasterCard – to be able to process those transactions. MasterCard’s contract with BAMS makes BAMS liable for fees and penalties following a data breach. BAMS, in turn, has contractual indemnification for those costs from P.F. Chang’s. It’s the circle of credit card processing life. Follow?
After the breach, MasterCard fined BAMS nearly $2M for the costs associated with addressing fraudulent charges and notifying affected individuals. BAMS turned to P.F. Chang’s for indemnification, and P.F. Chang’s turned to Chubb for coverage. No dice.
The Chubb policy, like many cyberinsurance policies, excludes coverage for contractually assumed liability. This is standard in Commercial General Liability (“CGL“) policies, and since those forms are being used as the starting point for many cyber policies, that concept has bled into cyberinsurance policies. P.F. Chang’s argued that the exclusion didn’t apply because it would have been responsible for BAMS’ claims even absent a contract, but the Court disagreed. In rejecting P.F. Chang’s position, the Court “turned to cases analyzing commercial general liability policies for guidance, because cybersecurity insurance policies are relatively new to the market but the fundamental principles are the same.”
CGL and cyberinsurance policy principles are not the same. The liabilities covered under a CGL policy (e.g., slip-and-fall, property damage) are generally not the types of liabilities that would ever be contractual. Therefore, if a CGL insured assumed an unusual liability by contract, it would make sense to exclude that liability from coverage because the carrier would not have contemplated that exposure when underwriting the policy. Data breaches are a different animal. ‘Fundamentally.’ While the data breach liability landscape is in constant flux, contractual liability is a major source of data breach related liability. This is particularly true as companies increasingly attempt to shift this risk to co-contracting parties.
Like several other standard CGL provisions (e.g., the acts of war/terror exclusion), contractual liability exclusions may eliminate coverage that most insureds would otherwise expect from a cyberinsurance policy. Negotiate for the removal or revision of this kind of language. Most carriers are willing to revise policy terms, and language varies greatly from carrier to carrier. Don’t just compare premiums. Keep an eye out for CGL spill-over that doesn’t belong, and use language variation as a major factor when policy shopping.
And order the Mongolian beef. It is delicious.