© 2016 Integro Insurance Brokers
Learning a Lesson from P.F. Chang's
The Need for PCI-DSS Assessment Inclusion in Cyber Coverage
P.F. Chang's (“Chang's”) recently learned the hard way that
insurance carriers do not acknowledge coverage for every loss
arising out of a data breach under the cyber policies they
sell. After Chang's was assessed Payment Card Industry Data Security
Standard (PCI-DSS) fines, penalties, and assessments by its processing
bank following a breach, its carrier denied coverage for those fines. A
federal district court held that the fines were a contractual
liability and therefore are not covered by the insurance
policy. Chang's has appealed the ruling, but the ruling should
provide a red flag to all policyholders with the risk of PCI-DSS losses—
which can be a substantial source of loss caused by a data breach—
that they are not always explicitly covered by cyber insurance
policies. Companies looking to avoid such disputes should examine their
policies closely and work to ensure these critical losses are covered.
The Nature of Data Breach and Cyber Insurance
Generally speaking, liability insurance policies do not cover breach
of contract claims, because carriers view a contractual agreement as
a voluntarily imposed duty, as opposed to a duty imposed by the law.
Almost all forms of liability insurance will include a contractual liability
exclusion to effect that purpose, although the exclusion can be broader
in some policies than others.
Cyber insurance is no exception—every policy contains a contractual
liability exclusion. However, a significant potential source of loss arising
out of a data breach is contractual: the imposition of PCI-DSS
fines, penalties, or assessments under merchant services agreements
(referenced generally herein as “PCI-DSS Assessments”). Recognizing
this, carriers have begun to grant limited coverage for such assessments
in cyber insurance policies.
A recent decision by the United States District Court of the District of
Arizona, P.F. Chang's China Bistro, Inc. v. Federal Insurance Company
(“P.F. Chang's”) granted summary judgment to Federal, and held that
there was no coverage for PCI-DSS Assessments for P.F. Chang's China
Bistro, Inc. (“Chang's”) in the cyber insurance policy at issue.
No. CV-15-01322-PHX-SMM (D. Ariz. May 26, 2016). Because this type of coverage
is quickly evolving, this decision highlights the need for companies
potentially subject to PCI-DSS Assessments to review their policies
carefully, because if courts continue to enforce these exclusions in
cyber insurance policies, it could result in significant uncovered losses
for clients.
The Role of PCI-DSS Assessments
PCI-DSS was developed by the major credit card brands with the goal to
ensure that merchants accepting their credit cards met certain minimum
data security standards. It is imposed by contract on companies, either
directly on issuing banks and credit card processing companies by
the credit card brands, or indirectly by agreement between the banks
and processing companies, and the end-user merchant, where the
merchant agrees to indemnify the processors and banks for penalties
and assessments imposed by the credit card brands. See, e.g.,
P.F. Chang's, at slip op. *2-3.
These agreements are usually known as “merchant services agreements”,
and must be executed before a merchant may process credit
card transactions. See, e.g., id. at *2. These agreements require the
merchant to remain compliant with the PCI-DSS, and impose a system
of fines and penalties should a breach occur or the merchant be found
to be non-compliant. Id. In addition, merchant services agreements
permit the upstream company to pass down its operational expenses
associated with curing a breach, such as reissuance of credit cards, to
the merchant in the form of monthly assessments. The assessments
can be substantial, and for a large company, might exceed notification,
credit-monitoring, and other first-party costs arising from a breach.
The Case of P.F. Chang's
In P.F. Chang's, the policyholder suffered a breach of
approximately 60,000 credit card records. Under its agreement with
Chang’s processor, Bank of America Merchant Services (“BAMS”),
MasterCard imposed on BAMS nearly $2 million in penalties and
assessments. Under a merchant services agreement, BAMS in turn
sought recovery of these penalties and assessments from Chang's.
Chang's made a claim for coverage of these penalties and
assessments under its cyber insurance policy sold by Federal. Id. at *3-4.
Federal denied coverage, Chang's brought a lawsuit, and the case
proceeded to summary judgment.
Many cyber insurance policies now include explicit PCI-DSS coverage,
either separately or as part of the policy’s regulatory coverage. Such
policies typically contain an exception to the policy’s contractual
liability exclusion, as well as an affirmative insuring agreement covering
contractually imposed fines, penalties, and assessments. PCI-DSS
coverage usually is sub-limited. Unfortunately for P.F. Chang's, it is
clear from the decision that the Federal policy did not include such
explicit coverage.
Federal denied coverage on three grounds:
1. The PCI-DSS Assessments did not fall within any of the policy’s
insuring agreements.
2. The policy excluded contractual liability.
3. The policy did not cover, and excluded, any obligation voluntarily
assumed by the Insured.
Notwithstanding some creative arguments by the policyholder,
including its invocation of the “reasonable expectations” doctrine
due to the way Federal marketed the policy, the court held that
there was no coverage. The court did find that certain components of
the PCI-DSS Assessments at issue were, or could be, covered under
the scope of certain insuring agreements. Notably, the court held
that the “Operational Reimbursement Fee” imposed on P.F.
Chang's could be considered “Privacy Notification Costs” under the
policy’s definition, because it was clear in the agreement that the
Operational Reimbursement Fee was imposed to compensate Issuers
for the “costs of notifying about the security compromise and
reissuing credit cards to Chang’s customers.” Id. at *11.
The court held, however, that Federal correctly denied coverage under
the asserted exclusions. Analyzing the circumstances under guidance
provided by commercial general liability insurance case law, and
taking account of the requirement to construe exclusions narrowly,
the court held that there was no evidence that PCI-DSS assessments
were imposed by law, other than through Chang’s voluntarily entering into
the agreement with BAMS. As a result, Chang's could not avail itself of the
exceptions to the contractual liability exclusion. Id. at *13-15.
Lessons to Learn From P.F. Chang's v. Federal
The most important lesson from P.F. Chang's is that courts are unlikely
to find coverage for PCI-DSS Assessments under a cyber insurance
policy unless there is explicit coverage for PCI-DSS Assessments, due
to the contractual liability exclusion. However, it is not sufficient for a
company merely to ensure that it has such explicit coverage in its
policy, because the scope of PCI-DSS coverage can vary widely from
policy to policy.
Keeping several things in mind when placing cyber insurance coverage
may help protect clients in the event of data breaches.
• Coverage is almost always sub-limited, providing sometimes
substantially lower limits than the policy aggregate.
• The scope of coverage in some policies is limited to certain
PCI-DSS fines, penalties, or assessments, but does not broadly
cover all potential penalties and assessments that could arise
from a merchant services agreement.
• Some policies limit coverage to agreements with the issuing
banks or credit card brand, which would not cover agreements
between merchants and payment processors.
• Many policies cover PCI-DSS Assessments, but only when the
policyholder has been in breach of the PCI-DSS standard. Not
all PCI-DSS Assessments require the merchant to be in breach
of the standard to be imposed.
Finally, policyholders must also be very careful in the underwriting
process if they seek PCI-DSS coverage, because underwriters often
require the policyholder to represent that it is “PCI-DSS compliant”
before they provide coverage. However, the definition of “PCI-DSS
compliance” can change.
Therefore, in addition to reviewing their PCI-DSS coverage carefully,
companies should be careful about the scope of their representations
to their carriers when they purchase it.
About Integro
Integro is an insurance brokerage and risk management firm. Clients
credit Integro’s superior technical abilities and creative, collaborative
work style for securing superior program results and pricing. The firm’s
acknowledged capabilities in brokerage, risk analytics and claims are
rewriting industry standards for service and quality. Launched in 2005,
Integro and its family of specialty insurance and reinsurance companies,
some having served clients for more than 150 years, operate from
offices in the United States, Canada, Bermuda and the United Kingdom.
Its U.S. headquarters office is located at:
1 State Street Plaza, 9th Floor
New York, NY 10004
877.688.8701
www.integrogroup.com
Kilpatrick Townsend is a leading knowledge asset protection law firm
that helps its clients protect their most important information. The
firm’s Cybersecurity, Privacy & Data Governance Practice takes a
comprehensive, multidisciplinary, and integrated approach to helping
clients anticipate and obviate information risks, appropriately monetize
information, comply with law, and contain and obtain coverage for
incidents. Jon Neiditz co-leads the practice, is listed as one of the Best
Lawyers in America® in Information Management Law, and blogs at
datalaw.net and linkedin.com/in/informationmanagementlaw.
For more information, contact:
James Sheehan, J.D.
Integro Insurance Brokers
617.531.6865
james.sheehan@integrogroup.com
The content contained herein is not intended as legal, tax or other
professional advice. If such advice is needed, consult with a qualified adviser.
CA Lic. #0E77964