A federal court ruled that Chubb Ltd. does not have to reimburse P.F. Chang's under its cyber policy for costs the restaurant chain was charged by its credit card processor.
On June 10, 2014, the restaurant chain was informed that computer hackers had managed to access the roughly 60,000 credit card numbers of its customers. The hackers also posted the numbers they stole on the Internet. On the same day, P.F. Chang's notified Federal Insurance of the breach.
Prior to the incident, Federal Insurance—a business unit of Chubb—had sold to Wok Holdco L.L.C. (the corporate parent of P.F. Chang's) a Cybersecurity by Chubb policy, effective Jan. 1, 2014 to Jan. 1, 2015.
The policy was marketed as covering “direct loss, legal liability, and consequential loss resulting from cyber security breaches,” according to the ruling by Judge Stephen M. McNamee of the U.S. District Court in Phoenix.
The ruling also detailed that P.F. Chang's and other similar merchants must enter into agreements with third parties in order to process credit card transactions; without the agreements, merchants would be unable to process the transactions. In P.F. Chang's case, it had entered into a master service agreement with Bank of America Merchant Services L.L.C.
Federal has compensated the restaurant chain over $1.7 million under the cyber policy for costs incurred as a consequence of the data breach.
Bank of America notified P.F. Chang's that the restaurant chain was obligated to reimburse the financial institution a total of $1.9 million in relation to charges made as a result of the credit card number leaks.
While the restaurant chain reimbursed Bank of America in April 2015, Federal refused coverage for the amount, reasoning that it is separate from the $1.7 million it has already paid. At this, P.F. Chang's filed suit.
The federal court ultimately concluded on several counts that Federal Insurance is not obligated to reimburse the charges, reasoning that Bank of America did not suffer from P.F. Chang's data breach and therefore did not suffer a “privacy injury” the policy could cover.
“The court agrees with Federal; (Bank of America) did not sustain a privacy Injury itself, and therefore cannot maintain a valid claim for injury against Chang's,” said the ruling.