Data breach lawsuit highlights the need for due diligence in buying cyber insurance
Well-known restaurant chain P. F. Chang’s China Bistro just sustained a significant hit to its cyber insurance coverage. The federal court’s opinion serves as a lesson to policyholders regarding cyber insurance in a rapidly evolving market. Due diligence is the name of the game when placing such insurance in order to understand the scope of coverage.
P. F. Chang’s was ahead of the curve when it purchased cyber insurance from Chubb. The restaurant recognized its data breach potential and acted to address it. It may be no surprise it went with Chubb, which marketed its cyber insurance as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” that “covers direct loss, legal liability, and consequential loss resulting from cyber breaches.”
Unfortunately for P. F. Chang’s, what Chubb’s marketing pitch and the insurance policy actually covers is only decided when there is a loss and the insurer is called upon to pay the claim. Policyholders pay a premium to buy coverage, but what the insurance covers is usually not known until the insurer takes a position on the scope of its insurance policy in light of a claim. Ultimately, the true arbiter of coverage is a judge overseeing a coverage lawsuit. That can be a hard lesson to learn for a policyholder like Chang’s, which paid a $134,052 premium for the cyber policy. If you do not want to end up in this position, then policyholders must be diligent from the beginning.
This particular dispute revolved around the processing of credit card transactions at Chang’s. The operator entered into a master service agreement (“MSA”) with Bank of America to process credit-card transactions. That is a standard arrangement, since most merchants cannot process the transactions themselves. MasterCard has its own agreements with the banks that allow assessments in the event of a data breach. In this instance, MasterCard assessed Bank of America approximately $1.7 million for costs arising from the Chang’s breach. Bank of America then pushed that assessment cost back onto Chang’s pursuant to the MSA. Naturally, the restaurant chain gave notice to Chubb for Bank of America’s $1.7 million claim, which the insurer denied.
In an insurance coverage lawsuit between Chang’s and Chubb, the federal court methodically analyzed the cyber insurance policy. The court concluded that coverage did not exist for Bank of America’s claim. Naturally, this came as a shock to P. F. Chang’s, since all involved knew the restaurant handled millions of credit card transactions per year and had standard agreements with its processor, Bank of America, which itself had standard agreements with credit card associations like MasterCard. The bottom line for the court was that P. F. Chang’s was a sophisticated party, and if it wanted cyber insurance for credit card assessments “it could have bargained for that coverage.”
Chang’s also argued that it had a reasonable expectation that credit card assessments would be covered if arising out of a data breach. However, the court determined that the record was void of any evidence that the policyholder expected such coverage. As the court noted, there was no evidence showing Chang’s insurance broker asked Chubb’s underwriter if such assessments would be covered. Furthermore, the application and underwriting files were devoid of any evidence as to Chang’s expectation of coverage for this type of claim.
This is an excellent, but unfortunate, example of why due diligence is critical when placing cyber insurance. Here is a short checklist that policyholders should consider when considering cyber insurance:
- Use a team approach: insured, broker, coverage counsel
- Understand your risk profile
- Review existing coverages to know what coverage is already available
- Put into place other coverage as needed
- Understand that data coverage is broader than just “cyber”
- Ensure there is coverage for using the “cloud”
- Negotiate for a retro date of at least one year
- Know what counsel and vendors will be supplied
- Carefully review the application and ask questions of the broker and underwriter
In this instance, Chang’s needed a better understanding of its complete risk profile for possible losses arising from a data breach. With such information it could have worked with coverage counsel to determine if the Chubb policy truly provided the “flexible insurance solution” it marketed. It is critical that policyholders take the time and effort when placing cyber insurance to avoid costly gaps in coverage. Cyber policies vary greatly among insurers with little uniformity. In-depth due diligence is the only way to avoid problems.
Finally, attention also is required as to the reputation of insurance companies. Policyholders must determine which insurers are true leaders in the cyber insurance market and who stand behind the coverage they sell. As more cyber coverage cases are filed, a clearer picture is developing as to those insurers earning a reputation for fighting data breach coverage and leaving their policyholders holding the bag.
Collin Hite leads the Insurance Recovery Group and the Data Privacy & Security practice of Hirschler Fleischer in Richmond. He may be reached at (804)771-9595 or [email protected]