In 2014, P.F. Chang’s experienced a credit card breach involving a number of its restaurants that culminated in numerous lawsuits nationwide. The ensuing litigation related to this data breach provided significant insight into what would become the important issues in data breach litigation moving forward. For example, the 7th Circuit U.S. Court of Appeals held the class representatives’ allegations of fraudulent credit card charges, credit monitoring costs and potential identity theft were sufficient to establish standing to bring suit against P.F. Chang’s for this data breach.
The impact of P.F. Chang’s data breach on insurance coverage law is becoming apparent two years after the breach and as class action plaintiffs are beginning to prosecute their cases. For instance, on May 31, 2016, in P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co., a federal District Court in Arizona issued an order granting Federal Insurance Company’s motion for summary judgment, finding there was no coverage under a cyber policy for P.F. Chang’s breach. The P.F. Chang’s court stated the central issue in its coverage determination as: “…whether coverage exists under the insurance policy between Chang’s and Federal for the credit card association assessments that arose from the data breach Chang’s suffered….”
Prior to its analysis of the coverage issues, the order granting summary judgment provides the following background related to P.F. Chang’s claim under the Federal Policy:
- Federal issued a cyber policy to P.F. Chang’s, effective January 1, 2014, to January 1, 2015.
- P.F. Chang’s, as with many merchants, cannot process credit card transactions itself and, therefore, used “Servicers” who process the transactions with banks that issue the credit cards (Issuers). P.F. Chang’s entered into an agreement with Bank of America (BoA) to process these transactions.
- Servicers such as BoA process these transactions and, in turn, must enter into agreements with credit card companies that obligate BoA and banks acting as Issuers to pay fees and assessments to credit card companies if there is a breach.
- Under P.F. Chang’s agreement with BoA, P.F. Chang’s agreed to reimburse BoA for any fees and assessments it was required to pay credit card companies for P.F. Chang’s breach.
- After the breach, Federal reimbursed P.F. Chang’s approximately $1.7 million for costs related to forensic investigations and defense of claims arising out of the breach.
BoA also sought nearly $2 million in fees and assessments from P.F. Chang’s for amounts it incurred from its agreements with the credit card companies pursuant to P.F. Chang’s reimbursement agreement with BoA. P.F. Chang’s reimbursed BoA and then sought to recover this amount from Federal under its cyber policy. P.F. Chang’s initiated this litigation when Federal denied coverage for these amounts. P.F. Chang’s sought coverage under both Insuring Clause A and Insuring Clause B of the cyber policy. The court granted Federal’s motion for summary judgment finding no coverage under either Insuring Clause based on the following reasoning:
- No Coverage Under Insuring Clause A: Under the Federal Policy, Insuring Clause A provided that, “[Federal] shall pay for Loss on behalf of an Insured on account of any Claim first made against such Insured . . . for Injury.” Injury is further defined under the cyber policy to include “Privacy Injury” which “means injury sustained or allegedly sustained by a Person because of actual or potential unauthorized access to such Person’s Record, or exceeding access to such Person’s Record.” The Federal Policy also defines “Record” as “any information concerning a natural person that is defined as: (i) private personal information; (ii) personally identifiable information…pursuant to any federal, state…statute or regulation,…where such information is held by an Insured Organization or on the Insured Organization’s behalf by a Third Party Service Provider” or “an organization’s non-public information that is…in an Insured’s or Third Party Service Provider’s care, custody, or control.” On this point, the court agreed with Federal’s argument that P.F. Chang’s was not entitled to coverage under Insuring Clause A: BoA itself did not sustain a privacy injury, because its records were not compromised during the data breach.
- There May Be Coverage Under Insuring Clause B: Under the Federal Policy, Insuring Clause B provides that “[Federal] shall pay Privacy Notification Expenses incurred by an Insured resulting from [Privacy] Injury.” The court agreed with P.F. Chang’s argument that it was entitled to coverage under this provision because of the amounts P.F. Chang’s paid Issuers to reissue bankcards and new account numbers. Even though these fees and assessments may have been incurred by BoA, the court found it persuasive that P.F. Chang’s was ultimately responsible to pay these amounts under its contracts with BoA.
- Policy Exclusions Bar Coverage: Even if there was coverage under Insuring Clause B, the court held two exclusions in the Federal Policy would bar coverage for any contractual obligations P.F. Chang’s assumed from a third party. Specifically, the court agreed with Federal’s argument that the fees and assessments P.F. Chang’s assumed in its contract with BoA were excluded from coverage.
As seen on prior occasions, the court’s coverage determination went back to basic coverage law. In the P.F. Chang’s decision, the court discusses its reliance on existing coverage law: “In reaching this decision, the court turned to cases analyzing commercial general liability insurance policies for guidance, because cybersecurity insurance policies are relatively new to the market but the fundamental principles are the same.”
It is important to note that Federal paid approximately $1.7 million for P.F. Chang’s damages related to forensic investigations and defense costs. These damages were not at issue under the cyber insurance policy. In short, the cyber policy worked exactly as it was intended to work when there was a data breach. While struggling with the more difficult question (whether the costs P.F. Chang’s became responsible for in its contract with BoA were covered), the court went back to fundamental insurance concepts to find cyber coverage was barred by exclusions for liability assumed from a third party. Therefore, while this decision provides guidance on how courts may be expected to interpret the specific language of a cyber policy, it also demonstrates the importance of the existing body of law related to CGL coverage.