Arizona District Court Rules That Cyber Policy Does Not Cover Assessments Imposed in Connection with Data Breach
06.23.16
This is only gets display when printing
(Article from Insurance Law Alert, June 2016)
For more information, please visit the Insurance Law Alert Resource Center. An Arizona federal district court granted an insurer’s summary judgment motion, ruling that a cyber policy did not provide coverage for assessments imposed by a credit card association in connection with a data breach. P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co., 2016 WL 3055111 (D. Ariz. May 31, 2016).
Federal Insurance Company issued a cyber-security policy to P.F. Chang’s parent company. When computer hackers obtained credit card numbers belonging to P.F. Chang’s customers, the restaurant notified Federal. Federal reimbursed P.F. Chang’s more than $1.7 million pursuant to the policy but P.F. Chang’s also sought coverage for nearly $2 million in assessments that it paid to Bank of America Merchant Services (“BAMS”) pursuant to an indemnification agreement. The agreement, known as a Master Service Agreement (“MSA”), allowed BAMS to processes P.F. Chang’s credit card transactions and provided that P.F. Chang’s would pay for any fines, penalties or fees imposed on BAMS by credit card associations. Federal denied coverage for the assessments, arguing that the policy did not cover such expenses, and, alternatively, that exclusions barred coverage for such payments. The court agreed.
The court held that a policy provision covering loss arising out claims made against P.F. Chang’s for “Privacy Injury” did not cover the assessment charges. The court reasoned that BAMS, as a third-party credit card processing vendor, did not have a valid claim for Privacy Injury against P.F. Chang’s because its own records were not breached. Rather, the records of the banks that issued the credit cards were breached. The court reached a different conclusion with respect to a policy provision covering Privacy Notification Expenses and Extra Expenses, finding that those clauses provided coverage for certain assessments. However, the court held that policy exclusions relating to liability assumed by contract or agreement barred coverage because P.F. Chang’s liability for the assessments arose directly out of the MSA with BAMS. In so ruling, the court rejected P.F. Chang’s argument that the contractual liability exclusion did not apply because it would have been liable under negligence or equitable doctrines for the assessments imposed against BAMS even without the MSA. Finally, the court rejected P.F. Chang’s reasonable expectations argument, finding that it failed to establish that its expectation of coverage for the assessments was “objectively reasonable.”