Travelers Insurance wrote the general Liability insurance policy (CGL) and Chubb wrote the Cyber coverage for PF Chang. Chang had a data breach where 60,000 credit card numbers were stolen. It promptly filed claims with Travelers & Chubb for coverage.
Law firms that argue that their (CGL) will cover a Cyber breach should look at PF Chang v Federal. Travelers obtained a declaratory action to extricate itself from this claim, so there was no coverage under the Travelers’s CGL policy.
The Chubb Cyber policy had both 1st & 3rd party coverage that you expect to see in with Cyber Insurance. Chubb agreed to provide a defense on the class action case and pay for forensic investigation costs which totaled $1.7 million. But Chubb declined to cover the MasterCard Assessments which totaled approximately $1.9 million. MasterCard had charged its payment processor BAMS the $1.9 million for the costs of replacement cards, notifications to consumers, and reimbursement for fraudulent charges. Federal insurance, a Chubb Subsidiary, had already paid out $1.7 million as a direct result of the data breach, but objected to the $1.9 Master Card assessment, because PF Chang had agreed to assume BAMS’s liability as part of their processing agreement.
The Federal policy insures “extra expenses an insured incurs during the period of recovery services due to the actual or potential impairment or denial of operations resulting directly from fraudulent access or transmission.” P.F. Chang’s said that all of MasterCard’s charges fell into the categories covered under the policy.
But Federal Judge McNamee said that the policy unequivocally barred coverage for “any loss on account of any claim, or for any expense … based upon, arising from or in consequence of any … liability assumed by any insured under any contract or agreement,” as he quoted the policy. That puts P.F. Chang’s out of luck, because it had assumed BAMS’s liability as part of their processing agreement.
Judge McNamee, relied upon the application of policy exclusions. The court held that no coverage was available for any part of the MasterCard assessment due to the policy’s exclusions for contractual liability, which barred coverage for contractual obligations assumed by the insured. Because there is little case law regarding cyber insurance, the court relied on prior rulings from CGL policies.
Many law firms have signed contracts that assume liability for a client. We have seen this “assumed contractual liability” particularly with health provider clients, where the health provider is trying to pass on the liability of a data breach of medical records in the contract with the law firm. Law firms need to be aware that just because they have a CGL and a Data Breach Cyber policy in place, it may not provide coverage for “assumed contractual liability”.