On May 26, 2016, in the case of P.F. Chang’s v. Federal Insurance Co., the U.S. District Court for the District of Arizona held that a stand-alone cyber insurance policy did not cover fees assessed by a third party credit card processing company against P.F. Chang’s following a June 2014 data breach.  This decision is notable because it is one of the first involving the scope of coverage under a stand-alone cyber insurance policy.  Furthermore, since hiring a credit card processing company is a common practice among restaurants and retailers, if and when a data breach occurs, policyholders that use these third party companies may encounter similar fees.

At the core of this dispute was P.F. Chang’s decision to hire a third-party company to process credit card payments instead of dealing directly with credit card associations.  After the 2014 data breach, in which computer hackers obtained and posed to the Internet about 60,000 credit card numbers belonging to P.F. Chang’s customers, the credit card associations imposed fees on the third-party processing company, Bank of America Merchant Services (“BAMS”).  BAMS then passed these fees on to P.F. Chang’s pursuant to the service contract.

Federal Insurance Company (“Federal Insurance”) had sold a CyberSecurity by Chubb Policy (the “Cyber Policy”) to P.F. Chang’s corporate parent, Wok Holdco LLC, which was in effect from January 1, 2014 to January 1, 2015.  After learning of the data breach, P.F. Chang’s tendered its claim to Federal Insurance.  Federal Insurance reimbursed P.F. Chang’s for over $1.7 million in costs incurred as a result of the data breach, including a forensic investigation and a third-party lawsuit.  However, Federal Insurance refused to reimburse P.F. Chang’s for fees assessed by BAMS in connection with the data breach, and P.F. Chang’s filed suit.Continue Reading Arizona District Court Determines Scope of Coverage Provided by Cyberinsurance Policy