PF Chang v Federal is a great case to discuss limitations in Business Owners Insurance (BOP)/Commercial General Liability (CGL) and Cyber Liability. This case goes to the heart of making sure that your insurance coverages for malpractice insurance, BOP/CGL and Cyber Liability properly cover the firm’s exposures. Attorneys are especially good at trying to argue (without reading the policies) that they have coverage for cyber and expect to have coverage for contractual liability claims with their BOP and/or Errors & Omissions Coverage.
Many law and accounting firms have signed contracts that contractually assume liability for a client. We have seen this “assumed contractual liability” particularly with health provider clients, where the health provider is trying to pass on the liability of a data breach of medical records in the contract. Firms need to be aware that just because they have a BOP/CGL and a Data Breach Cyber policy in place, it may not provide coverage for “assumed contractual liability”.
Firms that argue that their (BOP/CGL) or their malpractice insurance will cover a Cyber breach should look at lessons of PF Chang v Federal.
Travelers Insurance wrote the CGL and Chubb (Federal Insurance is a Chubb Subsidiary) wrote the Cyber coverage for PF Chang. Chang had a data breach where 60,000 credit card numbers were stolen. It promptly filed claims with Travelers & Chubb. Travelers obtained a declaratory action to extricate itself from this claim, so there was no coverage under the Travelers’s CGL policy. Unlike a standalone CGL policy, admittedly some BOP’s will have limited Cyber coverage in the BOP policy; it is generally very limited coverage with low sub-limits.
Firms that think their data breach policy will cover assumed contractual liability claims need to also look at PF Chang v Federal.
Thankfully PF Chang had a Cyber policy written by Chubb (Federal), but there were holes in the coverage. The Chubb Cyber policy had both 1st & 3rd party coverages that you expect to see with Cyber Insurance. Chubb agreed to provide a defense on the class action case and pay for forensic investigation costs which totaled $1.7 million. But Chubb declined to cover the MasterCard Assessments which totaled approximately $1.9 million. MasterCard had charged PF Chang’s payment processor BAMS the $1.9 million for the costs of replacement cards, notifications to consumers, and reimbursement for fraudulent charges. Chubb had already paid out $1.7 million as a direct result of the data breach, but objected to the $1.9 Master Card assessment, because PF Chang had agreed to assume BAMS’s liability as part of their processing contract agreement.
The Chubb policy insures “extra expenses an insured incurs during the period of recovery services due to the actual or potential impairment or denial of operations resulting directly from fraudulent access or transmission.” P.F. Chang's argued that all of MasterCard's charges fell into this category covered under the policy.
But US District Judge McNamee said that the policy unequivocally barred coverage for “any loss on account of any claim, or for any expense ... based upon, arising from or in consequence of any ... liability assumed by any insured under any contract or agreement,” as he quoted the policy. That puts P.F. Chang's out of luck, because it had assumed BAMS's liability as part of their processing agreement.
Because there is little Cyber Insurance case law, Judge McNamee relied upon the similar policy exclusions case law in CGL policies. The court held that no coverage was available for any part of the MasterCard assessment due to the policy’s exclusions for contractual liability, which barred coverage for contractual obligations assumed by the insured.