By Kurt Valentine, Staff Writer
Cybercrime is one of the biggest threats facing companies in today’s technology-driven society. In 2015, it is estimated that cybercrime cost businesses $400 to $500 billion.[1] That number is expected to increase to $2.1 trillion by 2019.[2]
There have been numerous high-profile hacks. In 2013, Target disclosed that hackers stole the personal information of 70 million people.[3] The breach cost the company approximately $191 million, offset by a $46 million insurance reimbursement.[4] In 2014, Home Depot was the victim of a similar attack.[5] Its expenses from the data breach were roughly $63 million dollars, offset by a $30 million insurance payout.[6] Large companies are not hackers’ only targets, however: Microsoft reports that 20 percent of small to mid-sized businesses have been hacked.[7]
The growing threat of cyber-attacks is driving the growth of the cyber insurance market. Cyber insurance is the insurance industry’s fastest growing product.[8] The market was valued at $2.5 billion in 2015 and is expected to grow to $7.5 billion by 2020.[9] Since the market is in its infancy, many of its policies remain untested.[10] This uncertainty will inevitably lead to litigation. There has not been a lot of cyber insurance litigation for claims after a data breach, but that is likely to change as cyber insurance policies become increasingly popular.[11]
P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., decided on May 26, 2016, was the first opinion to shed light on the coverage scope for cyber insurance policies.[12] This action stemmed from computer hackers gaining access to 60,000 customers’ credit card information from 33 P.F. Chang’s restaurants.[13] Federal Insurance Company sold P.F. Chang’s corporate parent a CyberSecurity policy described as “a flexible insurance solution . . . to address the full breadth of risks associated with doing business in today’s technology-dependent world.”[12] Federal deemed P.F. Chang’s a high risk because it conducts more than 6 million credit card transactions per year.[12] In 2014, P.F. Chang’s paid $134, 052.00 for coverage.[12]
In order to process credit card transactions, P.F. Chang’s entered into an agreement with third-party credit card transaction processor Bank of America Merchant Services (BAMS).[12] That agreement provided that P.F. Chang’s was liable for paying “any fines, fee, or penalties imposed on BAMS” from credit card associations, like MasterCard and Visa.[12] Similarly, BAMS had an agreement with MasterCard that provided it was liable to pay MasterCard certain fees in the event of a data breach.[12]
After the breach occurred, MasterCard sent BAMS an assessment for the recovery of $1,716,798. 85 pursuant to their agreement.[12] The assessment reflected the cost MasterCard incurred notifying cardholders of the breach, issuing new cards, new account numbers, and new security codes.[12] Pursuant to P.F. Chang’s agreement with BAMS, it reimbursed BAMS for the assessment.[12]
Following that payment, P.F. Chang’s filed a claim to Federal to be reimbursed.[12] Federal denied the claim, and litigation ensued.[12] Federal filed a motion for summary judgement, which was granted.[12] There was an exclusion in the insurance contract that released Federal from liability that the insured party assumed via contract.[12] The court held that the agreement P.F. Chang’s had with BAMS, coupled with the provision in the insurance contract, barred it from being reimbursed.[12]
Since the breach, Federal has reimbursed P.F. Chang’s more than $1.7 million for a forensic investigation into the data breach and for costs incurred defending litigation from customers and banks.[12] Using this case as an example, experts suggest that policyholders should be sure their cyber insurance policies do not bar coverage for charges passed along by third-parties.[14] Additionally, the case is a cautionary tale to never assume that a cyber security policy will provide full coverage in the event of a data breach.[8]
As the cyber insurance market matures, litigation will follow. As Thomas Rohback and Patricia Carreiro note, “The next year or two will see the birth of massive insurance coverage litigation that will dwarf the litigation spike seen several decades ago.”[15] This case just represents the beginning.
Sources
[1] http://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#2035de103bb0
[2] Id.
[3] http://www.canadianbusiness.com/the-last-days-of-target-canada/
[4] http://www.pymnts.com/news/2015/target-home-depot-reveal-full-breach-costs/
[5] http://www.pymnts.com/news/2015/target-home-depot-reveal-full-breach-costs/
[6] http://www.pymnts.com/news/2015/target-home-depot-reveal-full-breach-costs/
[7] https://www.forbes.com/sites/stevemorgan/2016/01/17/cyber-crime-costs-projected-to-reach-2-trillion-by-2019/#aaf38683a913
[8] https://www.law360.com/articles/890831/developing-trends-in-cyberinsurance-litigation-part-1
[9] Id.
[10] http://www.insidecounsel.com/2015/10/14/cybersecurity-litigation-the-tip-of-the-iceberg-pa
[11] https://www.law360.com/articles/890831/developing-trends-in-cyberinsurance-litigation-part-1
[12] https://www.law360.com/articles/891726/insurance-group-of-the-year-hogan-lovells
[13] P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., 2016 U.S. Dist. LEXIS 70749
[14] https://www.law360.com/articles/804825?scroll=1
[15] https://www.law360.com/articles/890831/developing-trends-in-cyberinsurance-litigation-part-1
