Cyber-insurance: Do you get what you expect and pay for?

A recent decision from a federal district court raises questions about the scope of cyber-insurance coverage.

The restaurant chain P.F. Chang’s China Bistro (“Chang’s”) purchased a cyber-insurance policy from Federal Insurance Company (“Federal”). In 2014 Chang’s learned that it had been the target of a cyber-attack that compromised over 60,000 customer credit and debit cards. Chang’s notified Federal of the breach the same day that Chang’s learned of it. Federal covered $1.7 million of costs associated with lawsuits filed by customers and a bank, and a forensic investigation, among other costs.

However, Chang’s had another $1.9 million of losses that Federal refused to cover. The additional losses were a consequence of the way Chang’s processed credit and debit card transactions. In order to process card transactions restaurants like Chang’s have to enter into contracts with third party banks. Chang’s had entered into a contract with Bank of America Merchant Services (“BAMS”) to process Chang’s card transactions. BAMS, in turn, had contracts with credit card associations—MasterCard and Visa, for example.

In the wake Chang’s data breach MasterCard imposed three different assessments on BAMS: (1) approximately $1.7 million for fraud recovery; (2) approximately $160,000 for operational reimbursements; and (3) a flat $50,000 case management fee. BAMS’s agreement with Chang’s required Chang’s to reimburse BAMS for the MasterCard assessments. Chang’s turned the claim into Federal for payment under the cyber-insurance policy.

Chang’s argued the Federal policy did provide coverage for the MasterCard assessment. However, the court ruled in favor of Federal for two primary reasons.

First, Chang’s argued the MasterCard assessment was covered as a “privacy injury” which provided coverage for loss of private, personally identifiable information. Federal argued that the insurance provision was intended to protect Chang’s sensitive information, not Chang’s customers’ information. The district court agreed with Federal, and denied Chang’s claim under the “privacy injury” provision.

Second, the court applied two exclusions under the policy that denied coverage for losses arising from any of Chang’s contractual obligations. Chang’s argued that even though BAMS was passing along costs imposed by MasterCard, it was Chang’s that ultimately suffered the loss from the MasterCard assessment. The court was not persuaded, and instead relied on Chang’s contract with BAMS which required Chang’s to reimburse BAMS for costs imposed by MasterCard.

The decision in Chang’s case is in contrast with a recent decision by the Eighth Circuit, covered by the blog, that required a bond carrier to cover a cyber-loss under a bank’s general financial institution bond. These two cases show that just because an insurance policy has “cyber” in the name doesn’t necessarily mean that all cyber-losses will be covered. Organizations should pay close attention to cyber-insurance policy terms, coverage, exclusions, and any riders to make sure that the policy will cover all aspects of the organization’s operations. 

The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.