Even though cyber breaches—hacks, ransomware attacks, denial or delay of service attacks, malware, phishing and the like— have existed for years, coverage under actual cyber policies (as opposed to CGL, D&O, or crime policies) is now starting to be litigated. One of the early issues that has been addressed under a cyber policy is if cyber policies provide coverage for Payment Card Industry (PCI) fees assessed by credit card companies in case of a data breach for which the insured is ultimately liable. In P.F. Chang’s China Bistro, Inc. v. Federal Insurance Co., No. CV-15-01322-PHX-SMM,  2016 WL 3055111 (D. Ariz. May 26, 2016), the court answered that question in the negative under the cyber policy at issue there.

The relevant facts will sound familiar to any retailer or restaurateur who has experienced a data breach. As P.F. Chang’s (Chang’s) allowed its customers to pay for their meals with credit cards, it had, as is standard practice under the circumstances, entered into a Master Service Agreement (the Agreement) with Bank of America Merchant Services (BAMS) under which BAMS processed credit card transactions for Chang’s (essentially, BAMS functioned as an intermediary between Chang’s and, as relevant here, MasterCard).

The Agreement incorporated MasterCard’s PCI rules, which provided, among other things, that MasterCard could assess fees against BAMS if MasterCard experienced losses resulting from a data breach at a client of BAMS, such as Chang’s. The Agreement also contained an indemnification clause under which Chang’s agreed to indemnify BAMS for any such fees assessed against it because of a breach at Chang’s. All of that is standard and well known in the industry and to insurers working with retailers and restaurants.

Chang’s Hack and the Aftermath

Chang’s was subsequently hacked, and the hackers posted on the internet the credit card numbers belonging to over 60,000 of Chang’s customers. As a result, MasterCard incurred costs in fraudulent charges on its customers’ credit cards as well as for the processes of notifying its customers of the potential that their credit cards were compromised and of providing them with new credit cards and pins, and the like.

MasterCard consequently assessed about $1.72 million in fees against BAMS (the PCI Fees), of which $1.7 million was for fraudulent charges and about $200,000 for the issuance of new credit cards and associated operational costs. BAMS sought indemnification from Chang’s. Since BAMS would have stopped providing credit card processing services to Chang’s had Chang’s not paid, Chang’s indemnified BAMS. Chang’s then brought a claim against Federal Insurance Company (Federal) seeking reimbursement for the PCI Fees under Chang’s cyber coverage with Federal. Federal denied the claim, and litigation ensued.

The district court initially found that there was no coverage in any event for the $1.7 million in fees for fraudulent charges because the policy provided that coverage was available only if the person making the claim against the insured was the person whose confidential records had been disclosed (“injury sustained . . . by a Person because of . . . unauthorized access to such Person’s Record” (emphasis added)). Although BAMS had made the claim against Chang’s when it sought indemnification for the $1.7 million, the records that had been disclosed did not belong to BAMS, they belonged to MasterCard. As such, there was no covered claim for the fees related to fraudulent charges. And although the court found that there was at least potential coverage for the remaining approximately $200,000 in PCI Fees, it also found that those fees fell under a policy exclusion “for contractual obligations an insured assumes with a third-party outside of the Policy.” 

In reaching this conclusion, the court held that Chang’s had voluntarily entered into the Agreement with BAMS and had voluntarily agreed to indemnify BAMS. Moreover, there was no evidence that Chang’s would have had to indemnify BAMS even if Chang’s had not entered into the Agreement. Rather, to the contrary, Chang’s had the duty to indemnify only because of the Agreement. The court was not swayed by Chang’s argument that it had no choice but to enter into the Agreement if it wanted to allow its customers to pay by credit card. Similarly, the fact that Federal knew just as well as Chang’s did that the assessment of PCI Fees and indemnification of credit card processing services by businesses accepting credit cards was standard practice in the industry was of no relevance to the court. To the contrary, the court said that since both Federal and Chang’s were sophisticated parties, it assumed that they had contracted to have covered precisely what they wanted, which, under the facts and the plain language of the policy, clearly excluded the PCI Fees. Had Chang’s wanted to have such fees covered, it should have specifically asked for that—for example, through an exception to the contractually assumed-liability exclusion.

But there was no evidence that Chang’s had sought to negotiate for coverage of PCI Fees, or that it had, at any time during the underwriting process, assumed or expected that such fees would be covered. Consequently, Chang’s was simply out of luck.

Lessons Learned from Chang’s v. Federal

As one would expect, Chang’s appealed to the U.S. Court of Appeals for the Ninth Circuit, but the parties settled during the pendency of the appeal, and the appeal was dismissed. That means that the district court opinion discussed above is, at least for now, the last word of a court on the issues between Chang’s and Federal. What’s the significance? It means that, if you are a business that accepts credit cards as payment and contracts with a credit card processing service, you should:

1. confirm whether your credit card processing agreement contains a clause obliging you to indemnify the service provider for PCI fees (which it probably does);
2. review your cyber policy for a “contractually assumed liability” exclusion;
3. if there is such an exclusion, seek to negotiate an exception to it for PCI fees; and
4. beware of a definition of a “claim” as an injury sustained only by the person whose confidential records were harmed (i.e., beware of the “such person” language), and seek to have such language changed, or an endorsement added that specifically provides coverage for PCI fees, including fees for fraudulent credit card charges.