The Need for PCI-DSS Assessment Inclusion in Cyber Coverage
P.F. Chang’s (“Chang’s”) recently learned the hard way that insurance carriers do not acknowledge coverage for all losses arising out of a data breach covered under the cyber policies they sell. After Chang’s was assessed Payment Card Industry Data Security Standard (PCI-DSS) fines, penalties, and assessments by its processing bank after a breach, its carrier denied coverage for those fines. A federal district court has held that the fines were considered a contractual liability and therefore are not covered by the insurance policy. Chang’s has appealed the ruling, but the ruling should provide a red flag to all policyholders with the risk of PCI-DSS losses—which can be a substantial source of loss caused by a data breach—that they are not always explicitly covered by cyber insurance policies. Companies looking to avoid such disputes will examine their policies closely and work to ensure these critical losses are covered.
The Nature of Data Breach and Cyber Insurance
Generally speaking, liability insurance policies do not cover breach of contract claims, because carriers view a contractual agreement as a voluntarily imposed duty, as opposed to a duty imposed by the law. Almost all forms of liability insurance will include a contractual liability exclusion to effect that purpose, although the exclusion can be broader in some policies than others.
Cyber insurance is no exception—every policy contains a contractual liability exclusion. However, a significant potential source of loss arising out of a data breach is contractual: the imposition of PCI-DSS fines, penalties, or assessments under merchant services agreements (referenced generally herein as “PCI-DSS Assessments”). Recognizing this, carriers have begun to grant limited coverage for such assessments in cyber insurance policies.
A recent decision by the United States District Court for the District of Arizona, P.F. Chang’s China Bistro, Inc. v. Federal Insurance Company (“P.F. Chang’s”), granted summary judgment to Federal and held that there was no coverage for PCI-DSS Assessments for P.F. Chang’s China Bistro, Inc. (“Chang’s”) in the cyber insurance policy at issue. No. CV-15-01322-PHX-SMM (D. Ariz. May 26, 2016). Because this type of coverage is quickly evolving, this decision highlights the need for companies potentially subject to PCI-DSS Assessments to review their policies carefully: if courts continue to enforce these exclusions in cyber insurance policies, it could result in significant uncovered losses for clients.
The Role of PCI-DSS Assessments
PCI-DSS was developed by the major credit card brands with the goal of ensuring that merchants accepting their credit cards meet certain minimum data security standards. It is imposed by contract on companies, either directly on issuing banks and credit card processing companies by the credit card brands, or indirectly by agreement between the banks and processing companies and the end-user merchant, where the merchant agrees to indemnify the processors and banks for penalties and assessments imposed by the credit card brands. See, e.g., P.F. Chang’s, at slip op. *2-3.
These agreements are usually known as “merchant services agreements,” and must be executed before a merchant may process credit card transactions. See, e.g., id. at *2. These agreements require the merchant to remain compliant with the PCI-DSS, and impose a system of fines and penalties should a breach occur and/or the merchant be found to be non-compliant. Id. In addition, merchant services agreements permit the upstream company to pass down its operational expenses associated with curing a breach, such as reissuance of credit cards, to the merchant in the form of monthly assessments. The assessments can be substantial, and for a large company, might exceed notification, credit-monitoring, and other first-party costs arising from a breach.
The Case of P.F. Chang's
In P.F. Chang’s, the policyholder suffered a breach of approximately 60,000 credit card records. Under its agreement with Chang’s processor, Bank of America Merchant Services (“BAMS”), MasterCard imposed on BAMS nearly $2 million in penalties and assessments. Under a merchant services agreement, BAMS in turn sought recovery of these penalties and assessments from Chang’s. Chang’s made a claim for coverage of these penalties and assessments under its cyber insurance policy sold by Federal. Id. at *3-4. Federal denied coverage, Chang’s brought a lawsuit, and the case proceeded to summary judgment.
Many cyber insurance policies now include explicit PCI-DSS coverage, either separately or as part of the policy’s regulatory coverage. Such policies typically contain an exception to the policy’s contractual liability exclusion, as well as an affirmative insuring agreement covering contractually imposed fines, penalties, and assessments. PCI-DSS coverage usually is sub-limited. Unfortunately for P.F. Chang’s, it is clear from the decision that the Federal policy did not include such explicit coverage.
Federal denied coverage on three grounds:
- The PCI-DSS Assessments did not fall within any of the policy’s insuring agreements.
- The policy excluded contractual liability.
- The policy did not cover, and excluded, any obligation voluntarily assumed by the Insured.
Notwithstanding some creative arguments by the policyholder, including its invocation of the “reasonable expectations” doctrine due to the way Federal marketed the policy, the court held that there was no coverage. The court held that certain components of the PCI-DSS Assessments at issue were, or could be, covered under the scope of certain insuring agreements. Notably, the court held that the “Operational Reimbursement Fee” imposed on P.F. Chang’s could be considered “Privacy Notification Costs” under the policy’s definition, because it was clear in the agreement that the Operational Reimbursement Fee was imposed to compensate Issuers for the “costs of notifying about the security compromise and reissuing credit cards to Chang’s customers.” Id. at *11.
The court held, however, that Federal correctly denied coverage under the asserted exclusions. Analyzing the circumstances under guidance provided by commercial general liability insurance case law, and taking account of the requirement to construe exclusions narrowly, the court held that there was no evidence that PCI-DSS assessments were imposed by law, other than Chang’s voluntary entering into the agreement with BAMS. As a result, Chang’s could not avail itself of the exceptions to the contractual liability exclusion. Id. at *13-15.
Lessons to Learn From P.F. Chang's v. Federal
The most important lesson from P.F. Chang’s is that courts are unlikely to find coverage for PCI-DSS Assessments under a cyber insurance policy unless there is explicit coverage for PCI-DSS Assessments, due to the contractual liability exclusion. However, it is not sufficient for a company merely to ensure that it has such explicit coverage in its policy, because the scope of PCI-DSS coverage can vary widely from policy to policy.
Keeping several things in mind when placing cyber insurance coverage may help protect clients in the event of data breaches.
- Coverage is almost always sub-limited, providing sometimes substantially lower limits than the policy aggregate.
- The scope of coverage in some policies is limited to certain PCI-DSS fines, penalties, or assessments, but does not broadly cover all potential penalties and assessments that could arise from a merchant services agreement.
- Some policies limit coverage to agreements with the issuing banks or credit card brand, which would not cover agreements between merchants and payment processors.
- Many policies cover PCI-DSS Assessments, but only when the policyholder has been in breach of the PCI-DSS standard. Not all PCI-DSS Assessments require the merchant to be in breach of the standard to be imposed.
Finally, policyholders must also be very careful in the underwriting process if they seek PCI-DSS coverage, because underwriters often require the policyholder to represent that it is “PCI-DSS compliant” before they provide coverage. However, the definition of “PCI-DSS compliance” can change.
Therefore, in addition to reviewing their PCI-DSS coverage carefully, companies should be careful about the scope of their representations to their carriers when they purchase it.
Integro is an insurance brokerage and risk management firm. Clients credit Integro’s superior technical abilities and creative, collaborative work style for securing superior program results and pricing. The firm’s acknowledged capabilities in brokerage, risk analytics and claims are rewriting industry standards for service and quality. Launched in 2005, Integro and its family of specialty insurance and reinsurance companies, some having served clients for more than 150 years, operate from offices in the United States, Canada, Bermuda and the United Kingdom. Its U.S. headquarter office is located at:
1 State Street Plaza, 9th Floor New York, NY 10004 877.688.8701 www.integrogroup.com
Kilpatrick Townsend is a leading knowledge asset protection law firm that helps its clients protect their most important information. The firm’s Cybersecurity, Privacy & Data Governance Practice takes a comprehensive, multidisciplinary, and integrated approach to helping clients anticipate and obviate information risks, appropriately monetize information, comply with law, and contain and obtain coverage for incidents. Jon Neiditz co-leads the practice, is listed as one of the Best Lawyers in America® in Information Management Law, and blogs at datalaw.net and linkedin.com/in/informationmanagementlaw.
For more information, contact:
James Sheehan, J.D.
Integro Insurance Brokers 617.531.6865 firstname.lastname@example.org
The content contained herein is not intended as legal, tax or other professional advice. If such advice is needed, consult with a qualified adviser.
CA Lic. #0E77964