1267 - PF Changs White Paper - Online
© 2016 Integro Insurance Brokers
LEARNING A LESSON FROM P.F. CHANG'S
The Need for PCI-DSS Assessment Inclusion in Cyber Coverage
P.F. Chang's (“Chang's”) recently learned the hard way that insurance
carriers do not acknowledge coverage for every loss arising out of a data
breach under the cyber policies they sell. When Chang's processing bank
passed down Payment Card Industry Data Security Standard (PCI-DSS)
fines, penalties, and assessments following a breach, Chang's carrier
denied coverage for them. A federal district court held that the fines
were a contractual liability and therefore were not covered by the
policy. Chang's has appealed the ruling, but the decision should serve
as a red flag to every policyholder exposed to PCI-DSS losses, which can
be a substantial part of the total loss caused by a data breach: those
losses are not always explicitly covered by cyber insurance policies.
Companies that want to avoid such disputes should examine their
policies closely and work to ensure these critical losses are covered.
The Nature of Data Breach and Cyber Insurance
Generally speaking, liability insurance policies do not cover breach
of contract claims, because carriers view a contractual agreement as
a voluntarily imposed duty, as opposed to a duty imposed by the law.
Almost all forms of liability insurance will include a contractual liability
exclusion to effect that purpose, although the exclusion can be broader
in some policies than others.
Cyber insurance is no exception—every policy contains a contractual
liability exclusion. However, a significant potential source of loss arising
out of a data breach is contractual, which is the imposition of PCI-DSS
fines, penalties, or assessments under merchant services agreements
(referenced generally herein as “PCI-DSS Assessments”). Recognizing
this, carriers have begun to grant limited coverage for such assessments
in cyber insurance policies.
A recent decision by the United States District Court for the District of
Arizona, P.F. Chang's China Bistro, Inc. v. Federal Insurance Company
(“P.F. Chang's”), granted summary judgment to Federal and held that
the cyber insurance policy at issue provided no coverage for the PCI-DSS
Assessments imposed on P.F. Chang's China Bistro, Inc. (“Chang's”). No.
CV-15-01322-PHX-SMM (D. Ariz. May 26, 2016). Because this type of
coverage is evolving quickly, the decision highlights the need for
companies potentially subject to PCI-DSS Assessments to review their
policies carefully: if courts continue to enforce these exclusions in cyber
insurance policies, the result could be significant uncovered losses for
policyholders.
The Role of PCI-DSS Assessments
PCI-DSS was developed by the major credit card brands to ensure that
merchants accepting their cards meet certain minimum data security
standards. It is imposed by contract rather than by statute: the card
brands impose it directly on issuing banks and credit card processing
companies, and those banks and processors impose it indirectly on the
end-user merchant by agreement, under which the merchant agrees to
indemnify the processors and banks for penalties and assessments
imposed by the card brands. See, e.g., P.F. Chang's, at slip op. *2-3.
These agreements are usually known as “merchant services agreements”
and must be executed before a merchant may process credit card
transactions. See, e.g., id. at *2. They require the merchant to remain
compliant with the PCI-DSS, and they impose a system of fines and
penalties if a breach occurs or the merchant is found to be
non-compliant. Id. In addition, merchant services agreements permit the
upstream company to pass down its operational expenses associated
with curing a breach, such as the reissuance of credit cards, to the
merchant in the form of monthly assessments. These assessments can be
substantial; for a large company, they may exceed the notification,
credit-monitoring, and other first-party costs arising from the breach.
The Case of P.F. Chang's
In P.F. Chang's, the policyholder suffered a breach of approximately
60,000 credit card records. Under its agreement with Chang's processor,
Bank of America Merchant Services (“BAMS”), MasterCard imposed
nearly $2 million in penalties and assessments on BAMS. Under the
merchant services agreement between BAMS and Chang's, BAMS in turn
sought recovery of those penalties and assessments from Chang's.
Chang's made a claim for coverage of the penalties and assessments
under the cyber insurance policy sold to it by Federal. Id. at *3-4. Federal
denied coverage, Chang's brought a lawsuit, and the case proceeded to
summary judgment.
Many cyber insurance policies now include explicit PCI-DSS coverage,
either separately or as part of the policy’s regulatory coverage. Such
policies typically contain an exception to the policy’s contractual
liability exclusion, as well as an affirmative insuring agreement covering
contractually imposed fines, penalties, and assessments. PCI-DSS
coverage usually is sub-limited. Unfortunately for P.F. Chang's, it is
clear from the decision that the Federal policy did not include such
explicit coverage.
Federal denied coverage on three grounds:
1. The PCI-DSS Assessments did not fall within any of the policy’s
insuring agreements.
2. The policy excluded contractual liability.
3. The policy did not cover, and excluded, any obligation voluntarily
assumed by the Insured.
Notwithstanding some creative arguments by the policyholder,
including its invocation of the “reasonable expectations” doctrine
based on the way Federal marketed the policy, the court held that
there was no coverage. The court did find that certain components of
the PCI-DSS Assessments at issue fell, or could fall, within the scope of
certain insuring agreements. Notably, it held that the “Operational
Reimbursement Fee” imposed on Chang's could be considered “Privacy
Notification Costs” under the policy's definition, because the agreement
made clear that the Operational Reimbursement Fee was imposed to
compensate Issuers for the “costs of notifying about the security
compromise and reissuing credit cards to Chang's customers.” Id. at *11.
The court held, however, that Federal correctly denied coverage under
the asserted exclusions. Analyzing the circumstances under the guidance
of commercial general liability insurance case law, and taking account
of the requirement that exclusions be construed narrowly, the court
found no evidence that the PCI-DSS Assessments were imposed by law
rather than by Chang's voluntarily entering into its agreement with
BAMS. As a result, Chang's could not avail itself of the exceptions to the
contractual liability exclusion. Id. at *13-15.
Lessons to Learn From P.F. Chang's v. Federal
The most important lesson from P.F. Chang's is that, because of the
contractual liability exclusion, courts are unlikely to find coverage for
PCI-DSS Assessments under a cyber insurance policy unless the policy
explicitly covers them. However, it is not sufficient for a company merely
to confirm that its policy contains such explicit coverage, because the
scope of PCI-DSS coverage varies widely from policy to policy.
Keeping several things in mind when placing cyber insurance coverage
may help protect clients in the event of data breaches.
• Coverage is almost always sub-limited, sometimes to limits
substantially lower than the policy aggregate.
• In some policies the scope of coverage is limited to certain PCI-DSS
fines, penalties, or assessments, and does not broadly cover all of the
penalties and assessments that could arise under a merchant services
agreement.
• Some policies limit coverage to agreements with the issuing banks or
the credit card brands, which would leave agreements between the
merchant and its payment processor uncovered.
• Many policies cover PCI-DSS Assessments only when the policyholder
has been in breach of the PCI-DSS standard. Not all PCI-DSS
Assessments require the merchant to be non-compliant with the
standard before they can be imposed.
Finally, policyholders seeking PCI-DSS coverage must also be very
careful in the underwriting process, because underwriters often require
the policyholder to represent that it is “PCI-DSS compliant” before they
provide coverage. However, what “PCI-DSS compliance” means can
change: the standard itself is revised over time, and compliance is
validated as of a point in time, so a representation that was accurate
when the policy was bound may not describe the merchant's state at the
time of a breach.
Therefore, in addition to reviewing their PCI-DSS coverage carefully,
companies should be careful about the scope of the representations they
make to their carriers when they purchase it.
About Integro
Integro is an insurance brokerage and risk management firm. Clients
credit Integro's superior technical abilities and creative, collaborative
work style for securing superior program results and pricing. The firm's
acknowledged capabilities in brokerage, risk analytics and claims are
rewriting industry standards for service and quality. Launched in 2005,
Integro and its family of specialty insurance and reinsurance companies,
some having served clients for more than 150 years, operate from
offices in the United States, Canada, Bermuda and the United Kingdom.
Its U.S. headquarters office is located at:
1 State Street Plaza, 9th Floor
New York, NY 10004
877.688.8701
www.integrogroup.com
Kilpatrick Townsend is a leading knowledge asset protection law firm
that helps its clients protect their most important information. The
firm’s Cybersecurity, Privacy & Data Governance Practice takes a
comprehensive, multidisciplinary, and integrated approach to helping
clients anticipate and obviate information risks, appropriately monetize
information, comply with law, and contain and obtain coverage for
incidents. Jon Neiditz co-leads the practice, is listed as one of the Best
Lawyers in America® in Information Management Law, and blogs at
datalaw.net and linkedin.com/in/informationmanagementlaw.
For more information, contact:
James Sheehan, J.D.
Integro Insurance Brokers
617.531.6865
james.sheehan@integrogroup.com
The content contained herein is not intended as legal, tax or other
professional advice. If such advice is needed, consult with a qualified adviser.
CA Lic. #0E77964