Cyber insurance has a gap if it doesn't cover PCI breach fees
In the age of cyberattacks, businesses that accept credit cards must ask themselves whether their cyber insurance policies provide coverage for Payment Card Industry (“PCI”) fees assessed by credit card companies in case of a data breach for which the insured is ultimately liable.
The court answered that question in the negative under the policy at issue in the P.F. Chang’s China Bistro, Inc. v. Federal Insurance Co. case.
The relevant facts were as follows: As P.F. Chang’s (“Chang’s”) allowed its customers to pay with credit cards, it had, as is standard practice, entered into a Master Service Agreement (“Agreement”) for credit-card-transaction processing with Bank of America Merchant Services (“BAMS”).
The agreement incorporated Mastercard’s PCI rules providing for the assessment of fees against BAMS if Mastercard experienced losses from a data breach at a BAMS client (“PCI Fees”), and required Chang’s to indemnify BAMS for such fees.
A hack of Chang’s computer system resulted in the public dissemination of over 60,000 credit card numbers.
As a result, Mastercard incurred over $1.7 million in fraudulent charges and customer-notification and card-replacement costs. Mastercard assessed those costs against BAMS, which sought indemnification from Chang’s. To avoid losing its credit card processing ability, Chang’s indemnified BAMS and sought reimbursement from Federal Insurance Company (“Federal”) under Chang’s cyber policy. Federal denied coverage, and litigation ensued.
The court found that there was no coverage for the $1.7 million fee for fraudulent charges. Such coverage was available only if the disclosed records were those of the person making the claim against the insured. Here, BAMS had made the claim against Chang’s, but the disclosed records were Mastercard’s, so there was no coverage.
Next, the court found that the remaining about $200,000 in PCI fees fell under a policy exclusion “for contractual obligations an insured assumes with a third-party outside of the Policy.”
Chang’s had voluntarily agreed to indemnify BAMS, and there was no evidence that Chang’s would have had that to indemnify BAMS absent the Agreement. That Chang’s had no choice but to agree to indemnification if it wanted to be able to accept credit cards, and that Federal knew just as well as Chang’s that PCI-fee assessment and indemnification were standard practices in the industry, did not make a difference.
Rather, sophisticated parties like Federal and Chang’s typically contracted for precisely what they wanted, which clearly excluded the PCI fees. Chang’s could have asked for coverage for those fees, but had not, so it was simply out of luck.
So what should a business do? The best course of action would be to seek a policy, or an endorsement to your policy, that specifically includes coverage for all PCI fees.
If that is not available, seek an exception for your credit card processing agreement (or, more broadly, for any standard industry agreements) to any “contractually assumed liability” exclusion in your cyber policy.
And closely review the policy’s definition of “claim” for a requirement that the claim be brought by the person whose confidential information was disclosed.
If it does, seek to have the language changed to allow coverage for claims brought by entities responsible for the costs resulting from the disclosure of the information. And, in general, carefully review all terms of your cyber policy, or any other policy, before binding, if necessary with the assistance of coverage counsel.