PRESCOTT, Ariz. (Legal Newsline) – A recent ruling by an Arizona federal court involved cyber insurance policies and coverage.
The decision made in P.F. Chang’s China Bistro v. Federal Insurance Co. by the U.S. District Court for the District of Arizona showed that cyber insurance claims would most likely be interpreted based on what the policy actually says is covered rather than what the policyholder believes is covered.
The case involved P.F. Chang’s, an Asian restaurant chain, that became the target of a June 2014 hacking incident in which about 60,000 credit card numbers were stolen from the company’s computer system.
P.F. Chang’s turned to its cyber insurance policy to cover the costs that resulted from investigation and remediation expenses, as well as its defense against the various class action lawsuits that followed.
The issue came about when P.F. Chang’s looked to its insurer, Federal Insurance Co., to cover a $2 million charge in fees and assessments from its credit card service providers. However, Federal denied the payment based on the restaurant's policy, which contained a contractual liability exclusion.
Therefore, it was the liability exclusion that led the Arizona court to rule in favor of Federal. It maintained that this clause prevented it from receiving any payment “because P.F. Chang’s had agreed that its credit card acquirer could charge back against it these credit card brand imposed costs and assessments.”
Kathryn Maynard Guinn, a managing associate with Dentons who followed the case, said that, “a big point in this case was the contractual liability exclusion, and that exclusion had been around with insurance policies for decades.” However, she admitted that for cyber insurance, this element is relatively new.
Assumption and misinterpretation were the two other elements that seemed to have really defined this case. P.F. Chang’s believed that these costs would be covered under its policy because they were given a “flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world.”
Guinn said that a possible reason behind this may be because “companies tend to treat cyber insurance as a completely new beast, which in a lot of ways it is.” Nevertheless, she explained that cyber policies contain a lot of the same rules and principles as traditional ones.
Guinn speculated that P.F. Chang’s may have misread the language in its policy.
"They were looking at it as a different form of insurance, and they weren't thinking of it the way they would with any traditional type of policies," Guinn said.
She revealed that the confusing nature by which some insurance policies are worded is an issue that has been flagged by courts for decades. As a result, this may be the main source of confusion for companies when they are looking at their coverage.
The only solution may have to involve insurance companies simplifying the language of their policies. Instead of using terms and phrases that can be interpreted in more ways than one, insurers may have to use language that is more specific.
Furthermore, businesses such as P.F. Chang’s could also take a closer look at the cyber policies that they have purchased and make sure that creditor fees would be covered by its insurance in the event of another hacking incident.