Cybersecurity Insurance: Credit Card Data Breaches Come with Extra Costs that May Not be Covered

Like many people, I cannot remember the last time I paid for a dinner out, bought a new pair of pants, or paid an electric bill with cash or a check. When I am not working on behalf of policy holders, I like to travel, so I pay for everything I can by credit card to earn travel miles. For a business owner to get paid from my credit card transaction, they must enter into agreements with a third-party servicer to facilitate the processing of credit card transactions. To complete these transactions, the third-party servicers also have separate agreements with credit card associations, like MasterCard and Visa. MasterCard or Visa have rules that may obligate the business owner to pay additional fees and assessments in the event of a data breach in order to keep accepting credit cards.

A few years ago, P.F. Chang’s was the victim of a data breach when computer hackers obtained and posted approximately 60,000 credit card numbers belonging to its customers on the internet (the “security compromise” or “data breach”).1 Subsequently, P.F. Chang’s made an insurance claim through its cyber security policy of insurance provided by Chubb Insurance Company.

Due to the data breach, MasterCard imposed three assessments on P.F. Chang’s third-party servicer who in turn imposed the assessments on P.F. Chang’s. The assessments were for a Fraud Recovery Assessment of $1,716,798.85, an Operational Reimbursement Assessment of $163,122.72 for the data breach, and a Case Management Fee of $50,000.² Pursuant to its agreement with its third-party servicer, in order to continue processing credit card transactions, P.F Chang’s had reimbursed its third-party servicer for these assessments. P.F. Chang’s made an insurance claim for the assessments. Chubb refused to pay the MasterCard assessments and P.F. Chang’s filed suit. Through summary judgment, the trial court found that based on the terms and exclusions of the policy, Chubb was not responsible to cover the assessments and dismissed P.F. Chang’s lawsuit with prejudice.

Chubb argued that P.F. Chang’s assumed liability for the assessments through its agreement with its third-party servicer and was therefore excluded liability coverage for it under the policy. Chubb supported its argument by citing to the third-party servicer agreement, wherein P.F. Chang’s agreed that the MasterCard assessments may be passed through. The court agreed with Chubb. The court reasoned that contractual liability exclusions apply to the assumption of another’s liability, such as an agreement to indemnify or hold another harmless and that P.F. Chang’s third-party servicer agreement met this criteria. The court supported its reasoning by pointing out that:

In no less than three places in the [third-party servicer agreement] does P.F. Chang’s agree to reimburse or compensate [the third-party servicer] for any ‘fees,’ ‘fines,’ ‘penalties,’ or ‘assessments’ imposed [] by [MasterCard], or, in other words, indemnify [the third-party servicer] … [f]urthermore, the Court is unable to find and Chang’s does not direct the Court’s attention to any evidence in the record indicating that Chang’s would have been liable for these [fees and assessments] absent its agreement []. While such an exception to an exclusion of this nature may exist in the law, it is not applicable here. Accordingly, the Court must find that the above referenced exclusions bar coverage for [the fees and] [a]ssessments claimed by Chang’s.

In order to accept credit cards, business owners effectively have to work with third-party servicers, which exposes them to additional fees and costs after a data breach. Whether the trial court got the decision wrong or right, business owners that are vulnerable to data breaches must be aware of these additional costs and avoid exclusionary language in insurance policies whenever possible.
_____________________________________________
¹ P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co., No. 15-cv-01322, 2016 WL 3055111 (D. Ariz. May 31, 2016).
² The Fraud Recovery Assessment reflects costs associated with fraudulent charges that may have arisen from, or may be related to, the security compromise. The Operational Reimbursement Assessment reflects costs for notifying cardholders affected by the security compromise and to reissue and deliver payment cards, new account numbers, and security codes to those cardholders. The Case Management Fee is a flat fee and relating to considerations regarding Chang’s compliance with Payment Card Industry Data Security Standards.