Cyber-insurance: Do you get what you expect and pay for?
Posted on 07/18/2016 at 09:07 AM by John Lande
A recent decision from a federal district court raises questions about the scope of cyber-insurance coverage.
The restaurant chain P.F. Chang’s China Bistro (“Chang’s”) purchased a cyber-insurance policy from Federal Insurance Company (“Federal”). In 2014 Chang’s learned that it had been the target of a cyber-attack that compromised over 60,000 customer credit and debit cards. Chang’s notified Federal of the breach the same day that Chang’s learned of it. Federal covered $1.7 million of costs associated with lawsuits filed by customers and a bank, and a forensic investigation, among other costs.
However, Chang’s had another $1.9 million of losses that Federal refused to cover. The additional losses were a consequence of the way Chang’s processed credit and debit card transactions. In order to process card transactions restaurants like Chang’s have to enter into contracts with third party banks. Chang’s had entered into a contract with Bank of America Merchant Services (“BAMS”) to process Chang’s card transactions. BAMS, in turn, had contracts with credit card associations—MasterCard and Visa, for example.
In the wake Chang’s data breach MasterCard imposed three different assessments on BAMS: (1) approximately $1.7 million for fraud recovery; (2) approximately $160,000 for operational reimbursements; and (3) a flat $50,000 case management fee. BAMS’s agreement with Chang’s required Chang’s to reimburse BAMS for the MasterCard assessments. Chang’s turned the claim into Federal for payment under the cyber-insurance policy.
Chang’s argued the Federal policy did provide coverage for the MasterCard assessment. However, the court ruled in favor of Federal for two primary reasons.
First, Chang’s argued the MasterCard assessment was covered as a “privacy injury” which provided coverage for loss of private, personally identifiable information. Federal argued that the insurance provision was intended to protect Chang’s sensitive information, not Chang’s customers’ information. The district court agreed with Federal, and denied Chang’s claim under the “privacy injury” provision.
Second, the court applied two exclusions under the policy that denied coverage for losses arising from any of Chang’s contractual obligations. Chang’s argued that even though BAMS was passing along costs imposed by MasterCard, it was Chang’s that ultimately suffered the loss from the MasterCard assessment. The court was not persuaded, and instead relied on Chang’s contract with BAMS which required Chang’s to reimburse BAMS for costs imposed by MasterCard.
The decision in Chang’s case is in contrast with a recent decision by the Eighth Circuit, covered by the blog, that required a bond carrier to cover a cyber-loss under a bank’s general financial institution bond. These two cases show that just because an insurance policy has “cyber” in the name doesn’t necessarily mean that all cyber-losses will be covered. Organizations should pay close attention to cyber-insurance policy terms, coverage, exclusions, and any riders to make sure that the policy will cover all aspects of the organization’s operations.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
Categories: Cybersecurity Law, John Lande, Banking Law
Questions, Contact us today.
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Law is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Law blog postings does NOT create an attorney-client relationship between you and Dickinson, Mackaman, Tyler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.