P.F. Chang case a cyber forerunnerReprints
In what may be the first court rulings focused on cyber insurance, the U.S. District Court in Phoenix held in P.F. Chang's China Bistro Inc. v. Federal Insurance Co. that the Chubb Ltd. unit did not have to reimburse the Scottsdale, Arizona-based company $1.9 million in costs for a 2014 data breach.
The restaurant chain had entered into a master service agreement with Charlotte, North Carolina-based Bank of America Merchant Services L.L.C. to process credit card payments made to by P.F. Chang's customers.
Following the breach, MasterCard imposed three assessments on the Bank of America unit totaling $1.9 million, which the restaurant chain reimbursed in April 2015. P.F. Chang's sued after Federal Insurance denied coverage for the assessments.
The cyber coverage included a clause that provided that Federal Insurance would pay for any claim first made against the insured for injury. Federal Insurance successfully argued the clause was not applicable to its policy because the payment processing unit itself had not sustained an injury.
The court also held Federal Insurance was not obligated to indemnify P.F. Chang's for the assessments because of policy exclusions “that bar coverage for contractual obligations an insured assumes with a third party outside of the policy.” The court held P.F. Chang's agreement with the processing unit met the criteria “and thus triggers the exclusions.”
Federal Insurance did reimburse the restaurant chain for more than $1.7 million for costs incurred from the security compromise, including forensic investigation and defense costs.