June
2016
Arizona Court Finds Cyber Insurance Policy Does Not Cover PCI Fees and Assessments
P.F. Chang’s China Bistro v. Federal Insurance Co., No. CV-15-01322-PHX-SMM (D. Ariz. May 26, 2016). A federal court in Arizona held that PCI fees and assessments were not insured under a CyberSecurity by Chubb Policy on the grounds that they fell within the exclusions for (1) liability assumed under any contract or agreement and (2) any obligation assumed with the consent of the Insured. The restaurant chain P.F. Chang’s suffered a breach which led to the online posting of approximately 60,000 credit card numbers belonging to its customers. Chubb reimbursed Chang’s for more than $1.7 million in breach related costs. Chang’s sought an additional recovery of more than $1.9 million, representing the costs of reimbursing Bank of America, the processing bank, under a Master Service Agreement. The court examined three separate items for which coverage was sought. First, it found that the Fraud Recovery Assessment did not fall within the insuring clause covering “Loss on behalf of an Insured on account of any claim first made against the Insured . . . for Injury. Injury was defined to include a Privacy Injury. It reasoned that Bank of America did not sustain a Privacy Injury itself, and therefore could not maintain a valid claim for Injury against Chang’s. Next, it found that the Operational Assessment Fee would have been covered as Privacy Notification Expenses, save for the exclusions. Third, it found that the Case Management Fee qualified as a covered Extra Expense, and thus might have been covered, although there was an issue of fact as to whether the Fee was paid within the Period of Recovery of Services. Despite the conclusions regarding the Operational Assessment Fee and the Case Management Fee, the court ruled that coverage for all three assessments was precluded by the exclusion for loss “based upon, arising from, or in consequence of any . . . liability assumed by any insured under any contract or agreement.” Further, coverage was also precluded by the exclusion for “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.” It also fell outside the definition of Loss, which did not include “any costs or expenses incurred to perform obligation assumed by, on behalf of, or with the consent of any Insured.” The court also examined and rejected Chang’s arguments that coverage existed pursuant to the reasonable expectations doctrine, dismissing the arguments as “merely attempts to cobble together such an expectation after the fact.”