We are starting to see insurance coverage litigation related to the data breach this summer at P.F. Chang’s restaurants. [1]
On October 2, 2014, Travelers filed a lawsuit [2] in the District Court of Connecticut seeking a declaration that it has no duty to defend or indemnify its insured, P.F. Chang’s. Travelers’ lawsuit seeks the court’s determination related to multiple lawsuits claiming P.F. Chang’s failed to safeguard its customers’ credit and debit card information. The underlying complaints assert P.F. Chang’s security failures allowed hackers to steal customer’s private information. In its Complaint [3], Travelers argues the allegations in the underlying lawsuits do not constitute “bodily injury” or “property damage” caused by an “occurrence” under Coverage A of its policies or “advertising injury” or “personal injury” under Coverage B of its policies.
Further, the underlying complaints provide insight into the claims and causes of action plaintiffs are asserting related to data breaches. For example, the underlying plaintiffs alleged they would not have entrusted their private information to P.F. Chang’s if they were made aware of the lack of security measures. The underlying plaintiffs also claim they “would have paid less for their meals or not purchased them at all had P.F. Chang’s disclosed the alleged security risks.” These allegations result in causes of action for breach of implied contract and violations of consumer fraud statutes from around the country.
We expect to see the insurance coverage litigation related to data breach cases continue to challenge courts as they determine whether data breach cases trigger coverage under traditional insurance policies. It is not a surprise to see courts struggle with the insurance coverage issues related to data breaches when courts are struggling with the same concepts in the underlying litigation outside the context of insurance coverage.