If you store cardholder data, transaction information, or other personally identifiable information, you may want to revisit your cyber insurance policy to verify the extent of your coverage. A court recently found that the cyber insurance policy held by P.F. Chang’s did not cover many of the losses suffered in P.F. Chang’s data breach. Based on the court’s findings in this decision, and given the structure of the payments industry, many cyber insurance policies will not provide processors, ISOs, or payment facilitators with coverage against fees, fines, and assessments issued by the card brands.
On June 10, 2014, P.F. Chang’s learned that hackers had obtained approximately 60,000 credit card numbers belonging to its customers. P.F. Chang’s turned to its cyber insurance policy to cover the costs of the data breach. The policy had been advertised as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” that “[c]overs direct loss, legal liability, and consequential loss resulting from cyber security breaches.”
Under the cyber insurance policy, P.F. Chang’s was reimbursed approximately $1.7 million for the cost of an investigation and of defending litigation. However, the insurance company denied coverage of three assessments by MasterCard: a Fraud Recovery Assessment of $1,716,798.85; an Operational Reimbursement Assessment of $163,122.72; and a Case Management Fee of $50,000. These assessments were technically received by Bank of America, not by P.F. Chang’s. P.F. Chang’s used Bank of America Merchant Services (“BAMS”) for its payment processing services, and the assessments were contractually passed through to P.F. Chang’s under its merchant agreement with Bank of America. P.F. Chang’s filed a lawsuit seeking to recover the amount of the MasterCard assessments.
In its opinion, the court sided with the insurance company. The court found that the Fraud Recovery Assessment was not covered because: P.F. Chang’s received the assessment from BAMS pursuant to its merchant agreement; BAMS did not suffer any privacy injury (as it was the issuing bank’s records that were breached rather than the acquiring bank’s records); and the policy only covered claims brought by those persons whose records were accessed without authorization.
In addition, the court found that all three MasterCard assessments were excluded from P.F. Chang’s coverage. The policy excluded any liability contractually assumed, an exclusion commonly found in insurance contracts. This exclusion means that any loss incurred by P.F. Chang’s as the result of a contractual relationship (in this case as a result of its merchant agreement with BAMS) would not be covered.
Processors, ISOs, and payment facilitators are typically liable for card brand assessments incurred by their sponsor financial institution under their sponsorship agreement. If you suffer a breach, you may incur card brand assessments. If one of your merchants suffers a breach, and the merchant isn’t able to pay the related assessments from the card brands, you will likely be liable for the assessment. Would your cyber insurance policy cover such expenses? It would be worth your time to check on your insurance coverage and, if appropriate, work with your broker to adjust your insurance policy accordingly.
– James Kramer, Attorney, Jaffe Raitt Heuer & Weiss, P.C.