Payment Card Industry (PCI) fines and penalties are assessments that card brands such as Mastercard and Visa levy on a merchant's acquiring bank for violations of the brands' operating rules, most often following a data breach. The acquiring bank then typically passes those assessments through to the merchant under the merchant services agreement. P.F. Chang's believed its cyber policy covered the PCI fines and penalties it was ultimately responsible for paying. The District Court of Arizona recently ruled that it did not. P.F. Chang's China Bistro, Inc. v. Federal Insurance Company, 2016 U.S. Dist. LEXIS 70749 (D. Ariz. May 31, 2016). P.F. Chang's suffered a data breach in 2014 after a hacker obtained and posted about 60,000 of its customers' credit card numbers on the internet. Its cyber insurer, Federal Insurance Company, initially paid more than $1.7 million toward covered costs: the forensic investigation and the defense of the underlying lawsuits filed against P.F. Chang's by affected customers and by a bank that had issued the compromised cards.
P.F. Chang's then sought an additional $1.9 million in coverage to reimburse the PCI fines and penalties it was obligated to repay to its merchant acquiring bank, Bank of America Merchant Services (BAMS), under the Master Services Agreement (MSA) between BAMS and P.F. Chang's. Federal denied coverage for this additional $1.9 million.
The District Court largely agreed with Federal. It found that the policy's coverage grants explicitly reached less than 10% of the $1.9 million at issue: the $163,000 ADC Operational Reimbursement portion of the PCI assessment, which fell within the first party privacy notification expense coverage because P.F. Chang's was ultimately liable for that cost under the MSA. The remaining assessments did not fit within any coverage grant.
The court then analyzed whether any exclusion barred coverage for even that covered portion. It concluded that no coverage exists for any of the PCI fines and penalties here, because the policy's exclusion for liability assumed under contract (reinforced by the policy's definition of "Loss") applied: P.F. Chang's had expressly assumed, in the MSA, the obligation to pay any PCI fines and penalties assessed against BAMS.
The takeaways from this case:
(1) If your company's cyber policy does not already explicitly cover PCI fines and penalties in its coverage grants, particularly in the first party privacy notification or event management coverages and any extra expense coverage, negotiate that coverage into the grants explicitly, and do it now rather than after a breach.
(2) Make sure the policy carves back the exclusions for liability assumed under contract and for fines and penalties (both in the exclusions section and in the definition of "Loss"), so that PCI fines and penalties are explicitly excepted from those exclusions. As P.F. Chang's learned, a coverage grant is worthless if an exclusion takes the same dollars away.
(3) Make sure the policy carries adequate, explicit limits for PCI fines and penalties. Many carriers offer only minimal sublimits for this exposure, but higher limits may be available, possibly at additional premium, if you ask and negotiate for them. As the P.F. Chang's lawsuit shows, the PCI fines and penalties ($1.9 million) can exceed the rest of the loss from the same incident ($1.7 million).
In short, confirm that your company's cyber policy has explicit coverage for PCI fines and penalties, carvebacks to the standard exclusions, and limits sufficient for the exposure.