Monthly Archives: June 2016

No Coverage for PCI Assessment Liability Under Cybersecurity Policy



In P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co., 2016 WL 3055111 (D. Ariz. May 31, 2016), the United States District Court for the District of Arizona held that liability for PCI assessments following a data breach of 60,000 credit card numbers was excluded under a cybersecurity policy. This case demonstrates the importance of carriers' ability to define the risk insured under a policy, including a cybersecurity insurance policy.

In P.F. Chang’s, the insured purchased a cybersecurity insurance policy. The insurer’s underwriters classified the insured as a high risk, “PCI Level 1”, because the insured conducted more than 6 million transactions per year, a large number of which were with credit cards, thus creating a high exposure to potential customer identity theft. Id. at *1. The insured, like many merchants, was unable to process credit card transactions itself, and therefore entered into an agreement with a credit card processor to process credit card transactions with the banks that issue the credit cards (“Issuers”), such as Chase or Wells Fargo. Here, Chang’s entered into a Master Service Agreement (“MSA”) with the credit card processor Bank of America Merchant Services (“BAMS”) to process credit card payments made by customers of Chang’s. Id. Under the MSA, Chang’s delivered customer credit card payment information to BAMS, which then settled the transaction through an automated clearinghouse. BAMS thereafter credited Chang’s account for the amount of the payments. Id.

This entry was posted in Data Breach Insurance Coverage.