July 20, 2019

July 19, 2019

Subscribe to Latest Legal News and Analysis

July 18, 2019

Subscribe to Latest Legal News and Analysis

July 17, 2019

Subscribe to Latest Legal News and Analysis

P.F. Chang’s Arizona District Ruling Highlights Potential Pitfalls of Cyber Insurance

Data breaches suffered by retailers and other businesses that handle payment cards can result in substantial assessments by card brands such as MasterCard and Visa. Retailers typically do not process payment card transactions directly with the banks that issue their customers’ cards. Instead, they contract with an intermediary—called an acquiring or servicing bank—to process their customers’ card transactions with the card-issuing banks. In the event of a payment card data breach, the card brands typically impose assessments on the retailer’s acquiring bank, which in turn pursues indemnification under its service contract with the retailer.

That was the situation in P.F. Chang’s v. Federal Insurance Co., in which a federal district court in Arizona recently held that Chang’s had no cyber coverage for over $1.9 million in credit card assessments that it had to pay as a result of a data breach. The Chang’s court found that the Federal cyber policy’s “Privacy Injury” coverage did not respond to an acquiring bank’s claim against Chang’s for reimbursement of card brand assessments, because the Federal policy’s definition of “Privacy Injury” required that the compromised confidential records at issue be the claimant’s. As is typical, the payment card information stolen by the hackers belonged to Chang’s customers and the card-issuing banks, not the acquiring bank that made the actual claim for reimbursement by Chang’s.

To make matters worse for Chang’s, the court found that Federal’s contractual liability exclusion applied to otherwise covered aspects of the acquiring bank’s underlying claim. The exclusion lacked customary carve-outs, and the court hewed strictly to the policy language excluding liability that the insured “assumed . . . under any contract or agreement.” The court ruled that this language barred coverage because Chang’s liability arose from an indemnification agreement with its acquiring bank.

Notably, Chang’s policy did not include Payment Card Industry (“PCI”) coverage, a common coverage option found in cyber policies for retailers and other entities that handle payment card data. PCI coverage expressly insures amounts assessed by the card brands in the event of a data breach.

Although Federal had marketed its cyber policy as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” that “[c]overs direct loss, legal liability, and consequential loss resulting from cyber security breaches,” the Chang’s court was unmoved by arguments based upon the insured’s reasonable expectations of coverage. Because Chang’s and Federal were deemed to be “sophisticated parties well versed in negotiating contractual claims,” the court held that Chang’s reasonable expectations were confined to what was spelled out in the actual policy.

Cyber insurance has become an essential line of coverage for many businesses, particularly those that handle payment card transactions. But the Chang’s case is a cautionary tale: a cyber insurance purchase requires both expertise and care. Cyber policy language is not standardized and requires expert scrutiny for hidden booby traps or coverage gaps. Indeed, the adverse decision in Chang’s might have been avoided if the insured had purchased PCI coverage and negotiated appropriate carve-outs to an unusually broad contractual liability exclusion.

© 2019 Covington & Burling LLP


About this Author

John G. Buchanan III, Covington, Insurance litigation attorney
Senior Counsel

John Buchanan, senior counsel in Covington's Washington office and the firm's first Insurance Practice Group Coordinator, has represented policyholders in insurance coverage advocacy, dispute resolution and counseling for over three decades. His career has ranged from the early DES and asbestos coverage litigation to claims for some of the largest cyber losses in history. Mr. Buchanan has litigated, arbitrated or negotiated a wide variety of complex property and casualty insurance claims, from railroad derailment claims to satellite-in-orbit claims, and from silver-theft...

202 662 5366
P. Benjamin Duke, Covington, Litigation attorney

Ben Duke advises and advocates for insurance policyholders in a broad range of complex litigation, arbitration and other matters involving all types of insurance, from general liability to D&O, professional liability, fidelity bond, and other specialized coverages.

Mr. Duke has helped obtain significant insurance recoveries on behalf of clients in many industries, including the financial services, technology, energy, and pharmaceutical industries. He is currently handling major coverage litigation in New York courts and has nationwide experience litigating in state and federal courts and in numerous arbitration forums. As co-lead trial and appellate litigation counsel, Mr. Duke recently helped a major technology company recover over $150 million in coverage for a massive government-mandated environmental remediation in Wisconsin’s Fox River.

212 841 1072
Scott Levitt, litigation attorney, Covington
Special Counsel

Scott Levitt has twenty years of experience representing policyholders in numerous types of insurance coverage claims. These matters include cyber-risk, mass tort, asbestos, silica, mixed dust, environmental, product liability, employment discrimination, errors and omissions, first-party losses, crime and employee dishonesty. Mr. Levitt has successfully represented policyholders in insurance recovery proceedings in federal and state trial and appellate courts around the U.S., as well as in mediation and international and domestic arbitrations. Mr. Levitt's practice often...

202 662 5661
Albert (Bert) Wells, Covington, Insurance Litigation Attorney

Bert Wells is a partner in the insurance coverage and litigation practices of Covington & Burling LLP. He began representing commercial policyholders in connection with complex insurance recovery matters in 1995, and regularly represents policyholders, including Fortune 100 and 500 companies, in a wide range of insurance coverage matters. He advises policyholders on assessing and maximizing the value of claims, developing and executing insurance recovery strategies, negotiating settlements, and resolving large claims through litigation, arbitration and mediation. He...

212 841 1074