Costs commonly associated with retail data breaches include notification to affected consumers, third-party lawsuits by alleged victims, and reimbursements for fraudulent charges. After the press releases, notifications and third-party lawsuits, however, there are the issues or disputes involving the breached merchant, its credit card servicer, the credit card associations or the bank issuing the credit cards. Case law is evolving regarding whether the fines, assessments or damages asserted by the servicers, the associations or the banks are covered by any of the merchant’s cyber or other policies.
One court recently found that assessments imposed on an insured’s credit card servicer were not covered under the insured’s cyber policy. In P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co., No. CV-15-01322 (D. Ariz. May 31, 2016), the court addressed P.F. Chang’s demand for coverage of certain assessments under a cybersecurity policy. The policy covered “direct loss, legal liability, and consequential loss resulting from cyber security breaches.” Following a 2014 breach, Chang’s notified its insurer, which reimbursed Chang’s for costs of a forensic investigation and third party lawsuits by customers. Chang’s credit card servicer performed its services pursuant to contracts with credit card associations such as MasterCard and Visa. As a result of the breach, MasterCard imposed $1.7 million in assessments on the credit card servicer. The servicer paid and then received reimbursement for those assessments from Chang’s under the agreement between the servicer and Chang’s. Chang’s submitted a claim to its insurer for the payment. After the insurer denied coverage, Chang’s sued.
The court granted the insurer’s summary judgment motion, finding no coverage for the reimbursed assessments. First, the court held that Chang’s servicer did not sustain an injury as defined in Chang’s policy, because the servicer was not the party that was breached. Therefore, the assessments were not an injury sustained by the insured. Had the servicer itself been the victim of the breach, coverage may have been triggered because the servicer was a “Third Party Servicer Provider” under the policy. Chang’s argued it was immaterial that the assessments were first passed through its servicer which in turned charged Chang’s, i.e., because a “Privacy Injury” occurred and Chang’s was responsible for the resulting assessments, it should not matter which party suffered the injury. The court rejected this argument, holding that the plain language of the policy provided that only the party that was breached suffers a “Privacy Injury.” Because the servicer’s records were not breached, the assessments imposed on it were not covered.
Second, although the court found that the assessments qualified as “Privacy Notification Expenses” and “Extra Expenses” arising from a breach, certain exclusions barred coverage. The court found that exclusions for losses arising from a “contract or agreement” and for costs “incurred to perform any obligation assumed by, on behalf of, or with the consent” of the insured applied. The court thus dismissed Chang’s complaint.
In a slightly different scenario, a Texas liquor store chain is seeking coverage under a liability policy for litigation costs incurred in attempting to recover $4.2 million withheld by its credit card servicer. The servicer kept the funds to pay for assessments imposed on it by MasterCard and Visa following two breaches of Spec’s computer network. Spec’s Family Partners, LTD v. The Hanover Ins. Co., No. 4:16-cv-438 (S.D. Tex.) (filed Feb. 19, 2016). Spec’s sued the servicer to recover the withheld funds and sought coverage from its insurer for its affirmative litigation fees. The insurer denied coverage on grounds that that Spec’s incurred the fees solely in connection with the lawsuit filed by Spec’s against the servicer. This litigation is ongoing.
Another recent decision involves coverage for the defense of a lawsuit brought by a bank in connection with its reimbursement of fraudulent charges relating to the insured’s data breach. RVST Holdings, LLC v. Main Street Assurance Co., No. 52419 (NY App. Div. Feb. 18, 2016). The bank alleged that the insured failed to exercise reasonable care in safeguarding cardholder information. The insured sought coverage for defense and indemnification as to the bank’s action. The insurer declined coverage, asserting an exclusion that barred coverage for claims arising from loss of electronic data. The trial court granted summary judgment in the insured’s favor, holding that the insurer had a duty to defend the underlying action. The appellate court reversed in favor of the insurer, relying on the electronic data exclusion and the tangible property definition.
The universe of those affected by a data breach expands to a range of parties beyond those most commonly thought of as the victims – the holder of the information (the merchant) and the persons whose information is stolen (the customers). The above cases illustrate the types of other players in the stream of commerce that are often affected as a result of retailer data breaches. These include banks, credit card issuers and servicers, and credit card associations that have authority to impose or seek reimbursement for significant assessments, fines and other fees. Each type of entity may potentially seek coverage for such damages under its own policies or those of the breached entity, a process which is often complicated by the contractual obligations among them.
Molly McGinnis Stine is a Partner and John F. Kloecker is Of Counsel in Locke Lord’s Chicago office. They can be reached at email@example.com and firstname.lastname@example.org.