P.F. Chang’s $1.9 Million Cyber Claim Denied
On June 10, 2014, P.F. Chang’s China Bistro Inc. learned that hackers stole about 60,000 customer credit card numbers. It notified its insurer, Federal Insurance Co., that same day. Chang’s had a CyberSecurity by Chubb policy with an annual premium of $134,052. The policy promised to cover “direct loss, legal liability, and consequential loss resulting from cyber security breaches.”
Federal reimbursed Chang’s more than $1.7 million for costs, including a forensic investigation and litigation. However, it denied a claim for $1.9 million that was assessed against Chang’s by Bank of America Merchant Services (BAMS), which processes credit card payments for the restaurant.
BAMS had billed Chang’s for fraud recovery, operational reimbursement and case management fees, including notifying cardholders affected by the data breach, reimbursing fraudulent charges and reissuing new credit cards.
Federal said the fees did not fall within the coverage and that certain exclusions barred coverage.
The U.S. District Court for the District of Arizona agreed with most of the insurer’s arguments. It ruled that Chang’s coverage did not include the fraud recovery fees because BAMS did not sustain a privacy injury itself.
While it agreed with the restaurant that the operational reimbursement and case management fees would be covered by the policy, the court ruled that those fees were excluded by another part of the policy because they “arise out of liability assumed by Chang’s to BAMS” in the merchant service agreement.
The court also ruled Chang’s had no “reasonable expectation” the policy would cover the fees, and noted that as a “sophisticated” purchaser of insurance, the restaurant could have negotiated such coverage if it was desired.
Scorecard: Federal Insurance Co. will not have to pay a $1.9 million claim related to data breach charges.
Takeaway: Insureds with cyber policies should determine whether liabilities assumed under contracts with third parties are covered.
Insurance Company Must Provide a Defense
In 2013, E. Mishan & Sons Inc. (Emson) was accused in two class-action lawsuits of “deceptively” trapping customers into recurring credit card charges by sharing private customer information with telemarketers.
The lawsuits were filed in the Circuit Court of Cook County, Ill., and the U.S. District Court for the Western District of Michigan.
Emson sought a defense from its commercial general liability insurers, National Fire Insurance Co. of Hartford, Valley Forge Insurance Co., and Transportation Insurance Co. under “personal and advertising injury” coverage.
The insurers denied the request, citing the exclusion for “knowing violations of another’s rights.” In a lawsuit filed in the U.S. District Court for the Southern District of New York, the insurers sought a judgment that they were not required to provide a defense to Emson in the underlying lawsuits.
The court concluded the allegations against Emson were excluded and ruled for the insurers.
The U.S. 2nd Circuit Court of Appeals reversed that decision on June 1, ruling that an insurer has a duty to defend “until it is determined with certainty that the policy does not provide coverage.”
The underlying lawsuits, it said, described conduct that could have been performed without intent to harm, and even if all claims but one were excluded, the insured is still due a defense.
Scorecard: The court granted Emson a defense by its insurance companies.
Takeaway: If any allegations are potentially covered, insurers have a duty to defend.
Employee Negligence Did Not Void Coverage
On Oct. 27, 2011, an employee of the State Bank of Bellingham in Minnesota left two tokens overnight in a computer that required both tokens to be inserted to make wire transfers. The next day, she discovered two unauthorized wire transfers to two different banks in Poland.
Although the Federal Reserve refused to reverse the wire transfers, it did inform the other institutions that the transfers were fraudulent. One of the transfers was reversed. The other, for $485,000, was not.
Bellingham notified BancInsure Inc. (now known as Red Rock Insurance Co.), which issued a financial institution bond to the bank in 2010. An investigation revealed that a “Zeus Trojan horse” virus infected the computer and permitted access for the fraudulent transfers.
BancInsure denied the claim, relying on exclusions for loss caused by an employee, for theft of confidential information, and for mechanical breakdown or deterioration of a computer.
A U.S. District Court issued a summary judgment in favor of Bellingham in September 2014, finding that the virus was the “efficient and proximate cause” of the loss, even if the employee’s actions and the failure to update antivirus software may have played an “essential role” in the loss.
“It was not … a ‘foreseeable and natural consequence’ that a hacker would make a fraudulent wire transfer,” the court ruled.
On May 20, the U.S. 8th Circuit Court of Appeals agreed. It ruled that an “insured is entitled to recover from an insurer when cause of the loss is not excluded under the policy, even though an excluded cause may also have contributed to the loss.”
Scorecard: The bank was awarded $620,187 for losses, including interest.
Takeaway: The “overriding cause” of the loss was the criminal activity, not the employee’s negligent actions.