- Privacy Risk Report - https://privacyriskreport.com -

The Future Is Now: Court Finds No Coverage Under Cyber Policy for P.F. Chang’s Data Breach

In 2014, P.F. Chang’s experienced a credit card breach involving a number of its restaurants that culminated in numerous lawsuits nationwide. The ensuing litigation related to this data breach provided significant insight into what would become the important issues in data breach litigation moving forward. For example, the 7th Circuit U.S. Court of Appeals held the class representatives’ allegations [1] of fraudulent credit card charges, credit monitoring costs and potential identity theft were sufficient to establish standing to bring suit against P.F. Chang’s for this data breach.

The impact of P.F. Chang’s data breach on insurance coverage law is becoming apparent two years after the breach and as class action plaintiffs are beginning to prosecute their cases. For instance, on May 31, 2016, in P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co. [2], a federal District Court in Arizona issued an order granting Federal Insurance Company’s motion for summary judgment, finding there was no coverage under a cyber policy for P.F. Chang’s breach. The P.F. Chang’s court stated the central issue in its coverage determination as:  “…whether coverage exists under the insurance policy between Chang’s and Federal for the credit card association assessments that arose from the data breach Chang’s suffered….”

Prior to its analysis of the coverage issues, the order granting summary judgment provides the following background related to P.F. Chang’s claim under the Federal Policy:

BoA also sought nearly $2 million in fees and assessments from P.F. Chang’s for amounts it incurred from its agreements with the credit card companies pursuant to P.F. Chang’s reimbursement agreement with BoA. P.F. Chang’s reimbursed BoA and then sought to recover this amount from Federal under its cyber policy. P.F. Chang’s initiated this litigation when Federal denied coverage for these amounts. P.F. Chang’s sought coverage under both Insuring Clause A and Insuring Clause B of the cyber policy. The court granted Federal’s motion for summary judgment finding no coverage under either Insuring Clause based on the following reasoning:

As seen on prior occasions, the court’s coverage determination went back to basic coverage law [3]. In the P.F. Chang’s decision, the court discusses its reliance on existing coverage law: “In reaching this decision, the court turned to cases analyzing commercial general liability insurance policies for guidance, because cybersecurity insurance policies are relatively new to the market but the fundamental principles are the same.”

It is important to note that Federal paid approximately $1.7 million for P.F. Chang’s damages related to forensic investigations and defense costs. These damages were not at issue under the cyber insurance policy. In short, the cyber policy worked exactly as it was intended to work when there was a data breach. While struggling with the more difficult question (whether the costs P.F. Chang’s became responsible for in its contract with BoA), the court went back to fundamental insurance concepts to find cyber coverage was barred by exclusions for liability assumed from a third party. Therefore, while this decision provides guidance on how courts may be expected to interpret the specific language of a cyber policy, it also demonstrates the importance of the existing body of law related to CGL coverage.