Login Register Subscribe
Current Issue

Chubb scores victory in key cyber ruling

Reprints

Chubb Ltd. does not have to reimburse P.F. Chang's for costs charged the restaurant chain by its credit card processor in connection with a 2014 data breach under its cyber policy, a federal court ruled.

Policyholder attorney Robert D. Chesler, a shareholder with Anderson Kill P.C. in Newark, New Jersey, said he believes this is the first ruling on a cyber insurance policy, and is important because it could signal a wave of litigation between cyber insurers and policyholders.

Chubb Ltd. unit Federal Insurance Co. sold a Cybersecurity by Chubb policy to Scottsdale, Arizona-based P.F. Chang's China Bistro Inc. corporate parent Wok Holdco L.L.C. with effective dates from Jan. 1, 2014, to Jan. 1, 2015, according to the Tuesday ruling by the U.S. District Court in Phoenix in P.F. Chang's China Bistro Inc. v. Federal Insurance Co.

Chubb marketed the policy as covering “direct loss, legal liability, and consequential loss resulting from cyber security breaches,” according to the ruling by Judge Stephen M. McNamee.

Chang's and other merchants are unable to process credit card transactions themselves and must enter into agreements with third parties, said the ruling.

In this case, Chang's entered into a master service agreement with Charlotte, North Carolina-based Bank of America Merchant Services L.L.C. to process credit card payments made by Chang's customers, according to the ruling.

On June 10, 2014, Chang's learned that computer hackers had obtained and posted on the internet about 60,000 credit card numbers belonging to its customers, and the company notified Federal Insurance of the breach that same day.

To date, Federal has reimbursed Chang's more than $1.7 million under the cyber policy for costs incurred as a result of the breach, the ruling said.

In March 2015, Bank of America sent Chang's a letter stating it was obligated to reimburse it a total of $1.9 million in connection with the breach. Chang's reimbursed Bank of America in April 2015. Federal denied coverage for this amount, which is separate from the $ 1.7 million it has already paid, and Chang's filed suit.

Judge McNamee's technical opinion closely analyzes the Chubb policy, and concludes on several counts that Federal is not obligated to reimburse the charges.

One of its clauses, for instance, says Chubb will pay for a claim which it defines as “a written request for monetary damages … against an insured for an injury.” Injury is a broad term that encompasses many types of injuries, including privacy injury, says the ruling.

Federal argued this clause is inapplicable because Bank of America itself did not sustain a privacy injury because its records were not compromised during the data breach, and Judge McNamee agreed.

“The court agrees with Federal; (Bank of America) did not sustain a privacy Injury itself, and therefore cannot maintain a valid claim for injury against Chang's,” said the ruling, in granting Chubb's motion for summary judgment.

In April, a federal appeals court reinstated a putative class action lawsuit filed by two customers of P.F. Chang's who said they were damaged by the data breach.