Cyber Insurance: The devil is in the details
In P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., (U.S. Dist. Ct. LEXIS 70749, 2016) the U.S. District Court for the District of Arizona ruled in favor of the Federal Insurance Company in holding that the cyber insurance policy did not cover fees or penalties levied by the credit card processor (Bank of America).
An article in Business Insurance indicates the 2016 P.F. Chang case was one of the first rulings focused on cyber insurance and has some important implications. The article indicates that the assessments imposed by MasterCard on Chang’s credit card processor, Bank of America, were not covered under Chang’s cyber insurance policy. Thus, Chang’s was solely responsible for the $1.9M assessed by Bank of America against Chang’s. While, Federal Insurance Company did reimburse Chang’s for $1.7M related to the breach, litigation associated with the breach, and a forensic investigation, the $1.9M in fees from Bank of America were above and beyond that amount.
The court in Chang’s held that Bank of America Merchant Services (BAMS) had a separate agreement with Chang’s and that there was no evidence that Chang’s, ever attempted to include potential BAMS fees in the cyber insurance policy or that Chang’s even raised this as a concern during negotiations.
While Chang’s does attempt to use the reasonable expectation doctrine, the Court found that this doctrine relies on two predicate conditions: (1) the insured’s expectation of coverage must be objectively reasonable; and (2) the insurer must have reason to infer that the insured would not have purchased the policy if it included the now offensive provision. The Court found that there was nothing to support Chang’s contention that they believed that assessment fees would be covered by the insurance policy, they provided no proof to suggest that this had been an element of the negotiations or that this was ever discussed during the underwriting process. Consequently, the court found that a failure to discuss coverage in the context of credit card assessments fails to meet the first condition of the doctrine and thus the doctrine is inapplicable.
While cyber insurance policies are relatively new they are likely to be governed by existing interpretations of traditional insurance policies. Consequently, it is important that the policies are carefully reviewed and that in the case of data breaches that the insured carefully evaluates the policy and understands any potential pecuniary losses that could be incurred either directly or indirectly from a data breach. As P.F. Chang’s found out, had they negotiated the ancillary fees from BAMS they could have saved millions. Furthermore, while neither this case nor the article addressed this, entities need to understand any exclusions related to pre-existing conditions. Thus, a complete and thorough cybersecurity assessment and audit should be undertaken to ensure that an insurer will not be able to deny coverage based on a previous breach (which should be uncovered during an assessment and audit review process).