P.F. Chang’s Denied Coverage Under Cyber Insurance Policy for Penalties and Assessments Imposed Following Data Breach

A recent decision from the U.S. District Court for the District of Arizona – P.F. Chang’s China Bistro, Inc. v. Federal Insurance Company – concluded that nearly $2 million in fees and assessments incurred by P.F. Chang’s China Bistro, Inc. (“PF Chang’s”) following a data breach were not covered by the restaurant chain’s cyber insurance policy. PF Chang’s recently appealed the decision to the U.S. Court of Appeals for the Ninth Circuit.

The fees and assessments at issue were imposed by Bank of America Merchant Services (“BAMS”), a third-party servicer that processed PF Chang’s customers’ credit card payments, pursuant to a Master Services Agreement (“MSA”).  Under the MSA, PF Chang’s agreed to reimburse BAMS for any fees, fines, penalties, or assessments imposed on BAMS by credit card associations such as MasterCard or Visa.  The district court found that the subject policy – a CyberSecurity by Chubb Policy – did not provide coverage for the fees and assessments imposed against PF Chang’s because each of the penalties – a case management fee and assessments for operational reimbursement and fraud recovery – fell within an exclusion barring coverage for contractual obligations assumed by the insured outside of the policy.

Although the P.F. Chang’s decision is one of the first to address insurance coverage under a cyber insurance policy, its analysis of the policy’s contractual liability exclusion is not ground-breaking.  Many commercial insurance policies, including commercial general liability (“CGL”) policies, routinely contain exclusions for contractual obligations assumed by the insured.  The two primary exceptions to this exclusion are (1) liability that would be imposed on the insured with or without the agreement; and (2) liability assumed under an “insured contract” – typically defined in the policy as a specific type of contract common to many businesses.

Thus, cyber insurance policyholders should take away an important lesson from the P.F. Chang’s decision: pay attention to the cyber policy’s exclusions before purchasing or renewing the policy.  Businesses seeking to protect against cyber liability arising out of the compromise of customer credit card payment information should carefully review a cyber policy and, when possible, demand an exception to any contractual liability exclusion to account for the types of penalties and assessments that were imposed but not covered in the P.F. Chang’s case.
