Following a significant victory for policyholders earlier this year for cyber security losses under CGL (Commercial General Liability) policies, in PF Chang’s China Bistro, Inc. v. Federal Ins. Co. a federal judge in Arizona recently found no coverage for PF Chang’s credit card fraud assessments under a specialty cyber insurance policy. After a 2014 breach, hackers posted PF Chang’s customers’ credit card numbers online. PF Chang’s then incurred almost $1.7 million in claims from its customers and associated mitigation and other expenses. Federal Insurance Company reimbursed PF Chang’s for those expenses. But what it failed to do—and which was the subject of coverage litigation—was pay for the additional $1.9 million in fraud recovery charges from various credit card companies.
PF Chang’s argued that those costs were recoverable under the “Privacy Injury” coverage part of the specialty cyber insurance policy it purchased, which provides coverage for certain costs resulting from unauthorized access to protected information. Initially, the court held that these fees fell within the scope of coverage under the cyber insurance policy. But then, in an unusual application, it held that the “contractual liability” exclusion barred coverage. These exclusions are typical in most CGL policies and are found in some specialty cyber insurance products, and they generally exclude liability assumed under a contract. PF Chang’s has a master service agreement with its processor (in this case, MasterCard) in which it promises to pay fines levied by credit card associations. The court, relying only on caselaw interpreting “contractual liability” exclusions in CGL policies, held that because PF Chang’s had agreed that its credit card processor could charge back to PF Chang’s the fines and assessments from the credit card associations, the “contractual liability” exclusion precluded any recovery of these charges.
If this case holds up on appeal, it could result in a massive gap in insurance coverage for policyholders. In many credit card breaches, merchants have entered into similar master service agreements with their processor. As a result, policyholders without specific coverage for these losses may be without coverage for a significant portion of the breach. We recommend that any company handling a significant volume of credit card transactions carefully procure a cyber-insurance product that protects it from customer claims, data-breach response expenses, and any of the fines and expenses under a master service agreement with the processor.