POSTED IN BREACH OF CONTRACT – COVERAGE FOR AMOUNTS DUE PURSUANT TO CONTRACT, EXCLUSIONS, CYBER POLICIES AND ISSUES
In one of the first cases
directly addressing the scope of coverage under a cyber insurance policy, an
Arizona federal district court has dismissed an insured’s complaint seeking
coverage for amounts paid to its credit card processor for assessments
resulting from a data breach. P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No. 2:15-CV-01322-SMM (D. Ariz. May 31, 2016).
The insured, a large
restaurant chain, learned that computer hackers had obtained and posted on the
internet approximately 60,000 credit card numbers belonging to its customers.
Nine months later, MasterCard issued a report and imposed three assessments on
the insured’s credit card processor: (1) a “Fraud Recovery Assessment” of $1.7
million; (2) an “Operational Reimbursement Assessment” of $163,123; and (3) a
“Case Management Fee” of $50,000. The insured’s credit card processor
subsequently sent a letter demanding the insured reimburse the assessments
pursuant to the indemnity provisions in the parties’ agreement. The insured
paid the assessments in order to continue operations and not lose its ability
to process credit card transactions, and it sought coverage under its cyber
policy for those payments. The insurer refused, and the insured brought suit.
The court ultimately ruled in
favor of the insurer and dismissed all claims asserted by the insured.
The court first evaluated an
insuring clause providing coverage for “Loss on behalf of an Insured on account
of any Claim first made against such Insured . . . for Injury.” “Injury” was
defined to include “Privacy Injury,” which in turn was defined to mean “injury
sustained or allegedly sustained by a Person because of actual or potential
unauthorized access to such Person’s Record.”
The term “Person” was defined as
a natural person or an organization, and the term “Record” included “any
information concerning a natural person . . . pursuant to any federal, state .
. . statute or regulation, . . . where such information is held by an Insured
Organization or on the Insured Organization’s behalf by a Third Party Service
Provider” or “an organization’s non-public information that is . . . in an
Insured’s or Third Party Service Provider’s care, custody, or control.”
The court agreed with the
insurer that this insuring clause was not triggered because the credit card
processor did not itself sustain a “Privacy Injury” as its own “Records” were
not compromised. The court noted that the definition of “Privacy Injury”
required an “actual or potential unauthorized access to such Person’s
Record,” which did not occur.
The court rejected the
insurer’s argument, however, that a second insuring clause was not triggered.
That insuring clause afforded coverage for “Privacy Notification Expenses
incurred by an Insured resulting from [Privacy] Injury.” In turn, “Privacy
Notification Expenses” was defined to mean “the reasonable and necessary
cost[s] of notifying those Persons who may be directly affected by the
potential or actual unauthorized access of a Record, and changing such Person’s
account numbers, other identification numbers and security codes.”
Under the
facts presented, the court ruled that the Operational Reimbursement Assessment
set forth in the credit card processor’s demand letter—which reflected the
costs to notify cardholders affected by the incident and to reissue and deliver
payment cards, new account numbers, and security cards to those
cardholders—fell within the definition of “Privacy Notification Expenses.” The
court therefore ruled that that portion of the assessment was potentially
covered under the policy.
The court also found that a
third insuring clause might be triggered. That insuring clause afforded coverage
for “Extra Expenses . . . an Insured incurs during the Period of Recovery of
Services due to the actual or potential impairment or denial of Operations
resulting directly from Fraudulent Access or Transmission.” The court found
that the insured experienced Fraudulent Access during the data breach. In
addition, the court ruled that the insured’s ability to perform its regular
business activities would be potentially impaired if it did not pay the “Case
Management Fee” assessment because the credit card processor would be entitled
to terminate its agreement with the insured, which in effect would eliminate
the insured’s ability to process credit card transactions. The court found an
issue of fact, however, as to when the insured’s services were restored, thus
precluding summary judgment on whether the Case Management Fee would be
recoverable given the temporal limitations in this insuring clause.
While the court did find
coverage triggered as a matter of law under one insuring clause, and coverage
potentially triggered under a second, the court nonetheless ruled in favor of
the insurer on the basis of two exclusions and on the policy’s definition of
“Loss.” One of the exclusions barred coverage for “Loss on account of any
Claim, or for any Expense . . . based upon, arising from or in consequence of
any . . . liability assumed by any Insured under any contract or agreement.”
Similarly, in connection with the two insuring clauses the court ruled were in
play, the policy excluded “any costs or expenses incurred to perform any
obligation assumed by, on behalf of, or with the consent of any Insured.”
Finally, the policy’s “Loss” definition under one insuring clause did not
include “any costs or expenses incurred to perform any obligation assumed by,
on behalf of, or with the consent of any Insured.”
The court opined that these
provisions were “[f]unctionally . . . the same in that they bar coverage for
contractual obligations an insured assumes with a third-party outside of the
Policy.” Here, in connection with the demand letter from the credit card
processor, the court ruled that these provisions barred coverage in its
entirety because the demand letter was made pursuant to the insured’s agreement
to indemnify and hold harmless the credit card processor. As a result, the
court ruled that there was no coverage for any of the amounts sought.