Ellen MacDonald Farrell

On May 26, 2016, in the case of P.F. Chang’s v. Federal Insurance Co., the U.S. District Court for the District of Arizona held that a stand-alone cyber insurance policy did not cover fees assessed by a third-party credit card processing company against P.F. Chang’s following a June 2014 data breach.  This decision is notable because it is one of the first involving the scope of coverage under a stand-alone cyber insurance policy.  Furthermore, since hiring a credit card processing company is a common practice among restaurants and retailers, if and when a data breach occurs, policyholders that use these third-party companies may encounter similar fees.

At the core of this dispute was P.F. Chang’s decision to hire a third-party company to process credit card payments instead of dealing directly with credit card associations.  After the 2014 data breach, in which computer hackers obtained and posted to the Internet about 60,000 credit card numbers belonging to P.F. Chang’s customers, the credit card associations imposed fees on the third-party processing company, Bank of America Merchant Services (“BAMS”).  BAMS then passed these fees on to P.F. Chang’s pursuant to the service contract.

Federal Insurance Company (“Federal Insurance”) had sold a CyberSecurity by Chubb Policy (the “Cyber Policy”) to P.F. Chang’s corporate parent, Wok Holdco LLC, which was in effect from January 1, 2014 to January 1, 2015.  After learning of the data breach, P.F. Chang’s tendered its claim to Federal Insurance.  Federal Insurance reimbursed P.F. Chang’s for over $1.7 million in costs incurred as a result of the data breach, including a forensic investigation and a third-party lawsuit.  However, Federal Insurance refused to reimburse P.F. Chang’s for fees assessed by BAMS in connection with the data breach, and P.F. Chang’s filed suit.

P.F. Chang’s maintained that the BAMS fees were covered by three different insuring clauses in the Cyber Policy: (1) Claims for Privacy Injuries, (2) Privacy Notification Expenses, and (3) Extra Expenses.  In response, Federal Insurance argued that none of the insuring clauses applied; that the fees were not a “Loss”; and that coverage was eliminated by two exclusions found in the Cyber Policy which precluded liabilities assumed by P.F. Chang’s without the consent of Federal Insurance.

The district court held that the Cyber Policy did not cover the BAMS fees.  First, the court concluded that the “Claims for Privacy Injuries” insuring clause did not apply because only the person whose “Record” is accessed suffers a “Privacy Injury.”  The court explained that the Records accessed by the hackers were neither BAMS’ nor in the care, custody or control of BAMS.  Thus, the data breach did not cause a “Privacy Injury” to BAMS.  And although the court found that the remaining two insuring clauses did apply, because neither clause required that the BAMS fees be incurred by the same person whose “Record” was accessed, the court held that the BAMS fees (1) fell within two Cyber Policy exclusions concerning assumed liabilities, and (2) were not included in the policy’s definition of “Loss,” in any event.

On June 27, P.F. Chang’s stated that it intends to appeal this order to the 9th Circuit Court of Appeals.