In one of the first cases directly addressing the scope of coverage under a cyber insurance policy, an Arizona federal district court has dismissed an insured’s complaint seeking coverage for amounts paid to its credit card processor for assessments resulting from a data breach. P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No. 2:15-CV-01322-SMM (D. Ariz. May 31, 2016).
The insured, a large restaurant chain, learned that computer hackers had obtained and posted on the internet approximately 60,000 credit card numbers belonging to its customers. Nine months later, MasterCard issued a report and imposed three assessments on the insured’s credit card processor: (1) a “Fraud Recovery Assessment” of $1.7 million; (2) an “Operational Reimbursement Assessment” of $163,123; and (3) a “Case Management Fee” of $50,000. The insured’s credit card processor subsequently sent a letter demanding the insured reimburse the assessments pursuant to the indemnity provisions in the parties’ agreement. The insured paid the assessments in order to continue operations and not lose its ability to process credit card transactions, and it sought coverage under its cyber policy for those payments. The insurer refused, and the insured brought suit. The court ultimately ruled in favor of the insurer and dismissed all claims asserted by the insured.
The court first evaluated an insuring clause providing coverage for “Loss on behalf of an Insured on account of any Claim first made against such Insured . . . for Injury.” “Injury” was defined to include “Privacy Injury,” which in turn was defined to mean “injury sustained or allegedly sustained by a Person because of actual or potential unauthorized access to such Person’s Record.” The term “Person” was defined as a natural person or an organization, and the term “Record” included “any information concerning a natural person . . . pursuant to any federal, state . . . statute or regulation, . . . where such information is held by an Insured Organization or on the Insured Organization’s behalf by a Third Party Service Provider” or “an organization’s non-public information that is . . . in an Insured’s or Third Party Service Provider’s care, custody, or control.”
The court agreed with the insurer that this insuring clause was not triggered because the credit card processor did not itself sustain a “Privacy Injury” as its own “Records” were not compromised. The court noted that the definition of “Privacy Injury” required an “actual or potential unauthorized access to such Person’s Record,” which did not occur.
The court rejected the insurer’s argument, however, that a second insuring clause was not triggered. That insuring clause afforded coverage for “Privacy Notification Expenses incurred by an Insured resulting from [Privacy] Injury.” In turn, “Privacy Notification Expenses” was defined to mean “the reasonable and necessary cost[s] of notifying those Persons who may be directly affected by the potential or actual unauthorized access of a Record, and changing such Person’s account numbers, other identification numbers and security codes.” Under the facts presented, the court ruled that the Operational Reimbursement Assessment set forth in the credit card processor’s demand letter—which reflected the costs to notify cardholders affected by the incident and to reissue and deliver payment cards, new account numbers, and security cards to those cardholders—fell within the definition of “Privacy Notification Expenses.” The court therefore ruled that that portion of the assessment was potentially covered under the policy.
The court also found that a third insuring clause might be triggered. That insuring clause afforded coverage for “Extra Expenses . . . an Insured incurs during the Period of Recovery of Services due to the actual or potential impairment or denial of Operations resulting directly from Fraudulent Access or Transmission.” The court found that the insured experienced Fraudulent Access during the data breach. In addition, the court ruled that the insured’s ability to perform its regular business activities would be potentially impaired if it did not pay the “Case Management Fee” assessment because the credit card processor would be entitled to terminate its agreement with the insured, which in effect would eliminate the insured’s ability to process credit card transactions. The court found an issue of fact, however, as to when the insured’s services were restored, thus precluding summary judgment on whether the Case Management Fee would be recoverable given the temporal limitations in this insuring clause.
While the court did find coverage triggered as a matter of law under one insuring clause, and coverage potentially triggered under a second, the court nonetheless ruled in favor of the insurer on the basis of two exclusions and on the policy’s definition of “Loss.” One of the exclusions barred coverage for “Loss on account of any Claim, or for any Expense . . . based upon, arising from or in consequence of any . . . liability assumed by any Insured under any contract or agreement.” Similarly, in connection with the two insuring clauses the court ruled were in play, the policy excluded “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.” Finally, the policy’s “Loss” definition under one insuring clause did not include “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.” The court opined that these provisions were “[f]unctionally . . . the same in that they bar coverage for contractual obligations an insured assumes with a third-party outside of the Policy.” Here, in connection with the demand letter from the credit card processor, the court ruled that these provisions barred coverage in its entirety because the demand letter was made pursuant to the insured’s agreement to indemnify and hold harmless the credit card processor. As a result, the court ruled that there was no coverage for any of the amounts sought.