In May 2016 a US District Court ruled a cyber insurance policy did not cover liabilities arising out of a data breach at P.F. Chang’s. The breach involved 33 P.F. Chang’s restaurant locations and compromised the data of about 60,000 customers.
P.F. Chang’s reported the breach to Federal Insurance Company—a unit of Chubb—which covered $1.7 million in costs related to investigating the data breach and in defense against class action litigation from affected customers.
The court ruled, however, that Chubb was not responsible for the fraudulent charges incurred by cardholders whose data was stolen. The banks that issue the cards are responsible for these costs. The banks, though, do have some recourse against the vendor whose data was compromised, in this case P.F. Chang’s.
MasterCard filed suit against P.F. Chang’s credit card processor, Bank of America Merchant Services (BAMS), to the tune of $1.9 million, and BAMS demanded reimbursement from the restaurant chain. P.F. Chang’s next move was to seek reimbursement from Chubb via their cyber policy, but Chubb refused payment, resulting in a lawsuit from Chang’s.
P.F. Chang’s loss stemmed from the involvement of the third-party credit card processor. Chubb argued in court that the claimant’s data had to have been compromised, and the claimant in this case was BAMS, not P.F. Chang’s. BAMS data was not compromised, argued Chubb, and the court agreed. The court ruled that P.F. Chang’s—not Chubb—was liable for reimbursement payments to BAMS.
According to Lockton’s Cyber Risk Update Blog, there are two lessons to be learned from this suit.
- Companies need to understand the scope of their cyber policy.
- Companies that accept credit cards must be sure their policies cover PCI DSS (Payment Card Industry Data Security Standard) assessments.
PCI DSS coverage is not easy to obtain. According to the Lockton blog, it is essential to get the policy wording correct. Not getting the details right, in this case, got the carrier off the hook for reimbursing the client, leaving the restaurant on the hook for the $1.9 million owed to BAMS.
Visit Lockton’s cyber risk blog for more information on this landmark case, believed to be the first ruling on a cyber insurance policy—important because it could start a wave of litigation between insurers and policyholders.