In P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co., 2016 WL 3055111 (D. Ariz. May 31, 2016), the United States District Court of District of Arizona held that liability for PCI assessments following a data breach of 60,000 credit card numbers was excluded under a cybersecurity policy. This case demonstrates the importance and ability of carriers to define the risk insured under a policy, including cybersecurity insurance.
In PF Chang’s, the insured purchased a cybersecurity insurance policy. The insurer’s underwriters classified the insured as a high risk, “PCI Level 1”, because the insured conducted more than 6 million transactions per year, a large number of which were with credit cards, thus creating a high exposure to potential customer identity theft. Id. at *1. The insured, like many merchants, was unable to process credit card transactions themselves, and therefore entered into an agreement with the credit card processor to process credit card transactions with the banks who issue the credit cards (“Issuers”), such as Chase or Wells Fargo. Here, Chang’s entered into a Masters Service Agreement (“MSA”) with the credit card processer Bank of America Merchant Services (“BAMS”) to process credit card payments made by customers of Chang’s. Id. Under the MSA, Chang’s delivered customer credit card payment information to BAMS who then settled the transaction through an automated clearinghouse. BAMS thereafter credited the Chang’s account for the amount of the payments. Id.
Importantly, credit card processors like BAMS perform their services under agreements entered into with the credit card associations like MasterCard and Visa. Id. Here, BAMS’s agreement with MasterCard, which was governed by the MasterCard Rules and incorporated into the MSA with Chang’s, obligated BAMS to pay certain fees/fines and assessments to MasterCard in the event of a data breach involving credit card information. The assessments included “Operational Reimbursement” fees and “Fraud Recovery” fees. Id. Under the Chang’s MSA, Chang’s agreed to compensate or reimburse BAMS for “fees,” “fines,” “penalties,” or “assessments” imposed on BAMS by credit card associations like MasterCard. Id. at *2. The MSA read in part:
[Chang’s] agrees to pay [BAMS] any fines, fees, or penalties imposed on [BAMS] by any Associations, resulting from Chargebacks and any other fines, fees or penalties imposed by an Association with respect to acts or omissions of [Chang’s] . . . . In addition to the interchange rates, [BAMS] may pass through to [Chang’s] any fees assessed to [BAMS] by the [Associations], including but not limited to, new fees, fines, penalties and assessments imposed by the [Associations].
Id. at *2. Assessments levied by MasterCard against BAMS, for which Chang’s was responsible under the Chang’s MSA, became the focus of a coverage dispute.
On June 10, 2014, Chang’s learned that computer hackers had obtained and posted on the Internet approximately 60,000 credit card numbers belonging to its customers. Chang’s notified its insurer of the data breach that very same day. Id. Almost one year later, on March 2, 2015, MasterCard issued an “ADC Operational Reimbursement/Fraud Recovery Final Acquirer Financial Responsibility Report” to BAMS, assessing over $1.9 million in fines and assessments against BAMS for the data breach. The fines were “a Fraud Recovery Assessment of $1,716,798.85, an Operational Reimbursement Assessment of $163,122.72 for Chang’s data breach, and a Case Management Fee of $50,000.” Id. “The Fraud Recovery Assessment reflects costs, as calculated by MasterCard, associated with fraudulent charges that may have arisen from, or may be related to, the security compromise. The Operational Reimbursement Assessment reflects costs to notify cardholders affected by the security compromise and to reissue and deliver payment cards, new account numbers, and security codes to those cardholders. The Case Management Fee is a flat fee and relates to considerations regarding Chang’s compliance with Payment Card Industry Data Security Standards.” Id.
BAMS sought indemnity from Chang’s. Pursuant to the Chang’s MSA, and in order to continue operations and not lose its ability to process credit card transactions, Chang’s reimbursed BAMS on April 15, 2015. Chang’s sought coverage for the $1.9 million payment under three insuring agreements under the cybersecurity policy: Insuring Agreement A, Insuring Agreement B, and Insuring Agreement D.2. The insurer denied coverage and litigation ensued. Id.
No Privacy Injury Under Insuring Agreement A
Insuring Agreement A paid for “‘Loss’ on behalf of an ‘Insured’ on account of any ‘Claim’ first made against such ‘Insured’ . . . for ‘Injury’,” which included a “Privacy Injury.” Id. at *4. “Privacy Injury” was defined as “injury sustained or allegedly sustained by a Person because of actual or potential unauthorized access to such Person’s Record, or exceeding access to such Person’s Record.” Id. The insurer argued that Chang’s did not sustain a Privacy Injury because its own Records were not compromised during the data breach. Id. at *5. Chang’s acknowledged that it was the credit card issuers who suffered a Privacy Injury because it was their Records which were compromised in the data breach. However, Chang’s argued that the owner of the “Records” was immaterial to the issue of coverage because the injury “first passed through BAMS before BAMS in turn charged Chang’s” pursuant to industry standards. Id. As the Court generalized, “[b]asically, Chang’s argues that because a Privacy Injury exists and was levied against it, regardless of who suffered it, the Injury is covered under the Policy.” Id.
The Court disagreed with Chang’s and held that there was no Privacy Injury to implicate coverage under Insuring Agreement A because BAMS own Records had not been compromised. Thus, there was no coverage for BAMS’s liability under the MasterCard ADC Fraud Recovery Assessment:
The Court agrees with [the insurer]l; BAMS did not sustain a Privacy Injury itself, and therefore cannot maintain a valid Claim for Injury against Chang’s. The definition of Privacy Injury requires an “actual or potential unauthorized access to such Person’s Record, or exceeding access to such Person’s Record.” (Doc. 8-1) (emphasis added). The usage of the word “such” means that only the Person whose Record is actually or potentially accessed without authorization suffers a Privacy Injury. Here, because the customers’ information that was the subject of the data breach was not part of BAMS’ Record, but rather the Record of the issuing banks, BAMS did not sustain a Privacy Injury. Thus, BAMS did not make a valid Claim of the type covered under Insuring Clause A against Chang’s.
Id. at *5.
Coverage Under Insuring Agreement B Initially Implicated
Insuring Agreement B of the policy stated that the insurer would “pay ‘Privacy Notification Expenses’ incurred by an ‘Insured’ resulting from [Privacy] Injury.” Id. at *5. The policy defined “Privacy Notification Expenses” as “the reasonable and necessary cost[s] of notifying those Persons who may be directly affected by the potential or actual unauthorized access of a Record, and changing such Person’s account numbers, other identification numbers and security codes….” Id.
Chang’s contended that the ADC Operational Reimbursement fee was a “Privacy Notification Expense” because it compensated credit card issuers for the cost of reissuing bankcards and new account numbers and security codes to Chang’s customers. The insurer argued that coverage did not exist because the ADC Operational Recovery fee was not personally incurred by Chang’s, but rather was incurred by BAMS. It also argued that the fee did not qualify as “Privacy Notification Expenses” because there is no evidence that the fee was used to “notify[ ] those Persons who may be directly affected by the potential or actual unauthorized access of a Record, and changing such Person’s account numbers, other identification numbers and security codes.” Id. at *6.
The Court agreed with Chang’s. Relying on Arizona courts’ broad interpretation of the term “incurred,” which merely required that an insured become liable for the expense, even if the expense originally was paid by others, the Court held that the ADC Operational Recovery fee was “incurred by” Chang’s “resulting from [Privacy] Injury.” Id. The Court explained:
Although the ADC Operational Reimbursement fee was originally incurred by BAMS, Chang’s is liable for it pursuant to its MSA with BAMS.
Id. at *6.
The Court also held that sufficient evidence existed – and the insurer did not identify any contrary evidence – that the assessment was to be used to compensate credit card issuers for the costs of notifying about the security compromise and reissuing credit cards to Chang’s customers to have the damages fall within the meaning of a “Privacy Notification Expense.” Id. As discussed further below, ultimately the Court held that two exclusions applied to bar coverage.
Coverage Under Insuring Agreement D.2 Potentially Implicated
The Court also held that it could not summarily hold, as a matter of law, that the requirements of Insuring Agreement D.2 were unsatisfied ti implicate coverage. The Insuring Agreement covered “’Extra Expenses’ an ‘Insured’ incurs during the ‘Period of Recovery of Services’ due to the actual or potential impairment or denial of ‘Operations’ resulting directly from ‘Fraudulent Access or Transmission’.” Id. at *6. The policy defined “Extra Expenses” to include “reasonable expenses an Insured incurs in an attempt to continue Operations that are over and above the expenses such Insured would have normally incurred. Extra Expenses do not include any costs of updating, upgrading or remediation of an Insured’s System that are not otherwise covered under [the] Policy.” Id. Critically, the policy defined “Period of Recovery of Services” as beginning:
. . . immediately after the actual or potential impairment or denial of Operations occurs; and will continue until the earlier of…the date Operations are restored,…to the condition that would have existed had there been no impairment or denial; or sixty (60) days after the date an Insured’s Services are fully restored…to the level that would have existed had there been no impairment or denial.
Id. at *6.
The insurer argued that Insuring Clause D.2. did not apply because Chang’s had not submitted evidence demonstrating that the data breach caused “actual or potential impairment or denial” of business activities. Id. at *7. The insurer also argued that Chang’s did not incur Loss during the “Period of Recovery of Services” because it did not pay the Case Management Fee until April 15, 2015, nearly one year after it discovered the data breach. Id. Chang’s contended that its ability to operate was impaired because BAMS would have terminated the MSA and eliminated Chang’s ability to process credit card transactions if it did not pay BAMS. Further, the Chang’s MSA prohibited Chang’s to use another servicer while contracting with BAMS for its services. Id. Chang’s also contended that its business activities were still not fully restored; therefore, the “Period of Recovery of Services” remained ongoing. Id.
The Court agreed with Chang’s in part, concluding evidence showed that “Chang’s experienced a Fraudulent Access during the data breach and that its ability to perform its regular business activities would be potentially impaired if it did not immediately pay the Case Management Fee imposed by BAMS.” Id. However, whether Chang’s operations were not yet fully restored, thereby extending the “Period of Recovery of Services,” was an issue of fact the Court could not resolve on Summary Judgment and was best suited for trial. Id. at *7. However, as discussed below, ultimately the Court held that two exclusions applied to bar coverage.
Two Contractual Liability Exclusions Prohibit Coverage
Although the Court held that the requirements of Insuring Agreement B were met, and refrained from ruling on the requirements of Insuring Agreement D.2., the court held that coverage under the Insuring Agreements was prohibited by two policy exclusions. The two exclusions prohibited coverage as follows:
With respect to all Insuring Clauses, [the insurer] shall not be liable for any Loss on account of any Claim, or for any Expense . . . based upon, arising from or in consequence of any . . . liability assumed by any Insured under any contract or agreement.
* * *
With respect to Insuring Clauses B through H, [the insurer] shall not be liable for…any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.
Id. at *7. The Court characterized these two exclusions as “the same in that they bar coverage for contractual obligations an insured assumes with a third-party outside of the Policy.” Id. In addition, “Loss” was defined to exclude “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.” Id.
Notably, the Court “turned to cases analyzing commercial general liability insurance policies for guidance, because cybersecurity insurance policies are relatively new to the market but the fundamental principles are the same.” Id. at *8. Observing that “Arizona courts, as well as those across the nation, hold that such contractual liability exclusions apply to ‘the assumption of another’s liability, such as an agreement to indemnify or hold another harmless’,” the Court held that both exclusions, as well as the definition of “Loss,” applied to prohibit coverage under Insuring Agreement B. The Court explained:
In no less than three places in the MSA does Chang’s agree to reimburse or compensate BAMS for any “fees,” “fines,” “penalties,” or “assessments” imposed on BAMS by the Associations, or, in other words, indemnify BAMS. . . . Furthermore, the Court is unable to find and Chang’s does not direct the Court’s attention to any evidence in the record indicating that Chang’s would have been liable for these Assessments absent its agreement with BAMS. While such an exception to an exclusion of this nature may exist in the law, it is not applicable here.
Id. at *8.
What This Case Means: This case has a number of takeaways. Briefly, and perhaps most important, this case illustrates that although cybersecurity insurance can provide significant amounts of coverage – here, the Court noted that the insurer already had provided $1.7 million in coverage under the policy to Chang’s – coverage is not limitless. Some may say that a policyholder should “read the fine print,” but I say that the policyholder should understand its risk and ensure it purchases the insurance it needs. A carrier has an unfettered right to limit the scope of the cyber risk it is willing to insure. This case also raises the issue of coverage for third-party contracts, which can be a significant source of liability in a data breach. This case also illustrates how sometimes the timing of liability and payments can affect coverage. “Extra Expenses” coverage, sometimes overlooked, also can play a significant role in a data breach. Questions are welcome.