Anyone who has walked by a television or radio in the last few years has likely heard news reports of cyber breaches and hacking that have exposed personal information at many of the nation’s major retailers. These breaches are extremely expensive. A recent Forbes.com article projects the costs to exceed $2 trillion within three years. One of the more publicized breaches, the Target attack, reportedly cost that company $164 million; however, some reports suggest the actual cost could approach $1 billion when all of the attendant costs are calculated.

The question then becomes: who foots the bill for these attacks and, where there is insurance coverage, what is covered? A recent ruling in P.F. Chang’s China Bistro Inc. v. Federal Insurance Company,1 in the U.S. District Court of Arizona, addressed where coverage may cease. In P.F. Chang’s, some 60,000 credit card numbers were stolen. In response, Mastercard charged P.F. Chang’s payment processor, BAMS, to handle the costs of the exposure. Under the payment processing agreement, P.F. Chang’s was obligated to repay that amount to BAMS, and it thereafter sought coverage from Federal Insurance, from which it had purchased a $5 million cybersecurity policy. Federal denied coverage and P.F. Chang’s filed suit.

In ruling for the carrier, the court found that the policy specifically excluded any liability “assumed by any insured under any contract or agreement.” Thus, even though P.F. Chang’s purchased coverage for a cyber breach, not all of the natural losses occurring from a breach were covered. This case demonstrates the importance of analyzing the potential exposures one may suffer in the event of a loss. Had P.F. Chang’s reviewed its agreements with the payment processor, it likely would have sought additional coverage that may have covered this loss.


1 P.F. Chang’s China Bistro Inc. v. Federal Ins. Co., 2:15-cv-01322 (D. Ariz. May 26, 2016).