The well-known restaurant chain P.F. Chang’s China Bistro recently sustained a significant hit to its cyberinsurance coverage. The federal court’s opinion in the case serves as a lesson to policyholders about cyberinsurance in a rapidly evolving market. Due diligence is the name of the game when placing such insurance, because it is the only way to understand the scope of coverage before a loss occurs.
P.F. Chang’s was ahead of the curve when it purchased cyberinsurance from Chubb. The restaurant recognized its data breach potential and acted to address it. It may be no surprise that the restaurant chain decided to go with Chubb for its coverage, which marketed its cyberinsurance as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” that “covers direct loss, legal liability and consequential loss resulting from cyber breaches.”
Unfortunately for P.F. Chang’s, any disconnect between what Chubb’s marketing pitch says and what the insurance policy actually covers is only resolved when there is a loss and the insurer is called upon to pay the claim. Policyholders pay a premium to buy coverage, but what the insurance really covers is usually not known until the insurer takes a position on the scope of its policy in light of a claim. Ultimately, the true arbiter of coverage is a judge overseeing a coverage lawsuit. That can be a hard lesson to learn for a policyholder like Chang’s, which paid a $134,052 premium for the cyber policy. Policyholders must be diligent from the beginning if they do not want to end up in this position.
This particular dispute revolved around the processing of credit card transactions at P.F. Chang’s. The operator entered into a Master Service Agreement (MSA) with Bank of America to process credit card transactions. That is a standard arrangement, since most merchants cannot process the transactions themselves. MasterCard has its own agreements with the banks that allow assessments in the event of a data breach. In this instance, MasterCard assessed Bank of America approximately $1.7 million for costs arising from the Chang’s breach. Bank of America then pushed that assessment cost back onto Chang’s, pursuant to the MSA. Naturally, the restaurant chain gave notice to Chubb for Bank of America’s $1.7 million claim, which the insurer denied.
In an insurance coverage lawsuit between Chang’s and Chubb, the federal court methodically analyzed the cyberinsurance policy. The court concluded that coverage did not exist for Bank of America’s claim. Not surprisingly, this came as a shock to P.F. Chang’s, since all involved knew the restaurant handled millions of credit card transactions per year and had standard agreements with its processor, Bank of America, which itself had standard agreements with credit card associations such as MasterCard. The bottom line for the court was that P.F. Chang’s was a sophisticated party and if it wanted cyberinsurance for credit card assessments, “it could have bargained for that coverage.”
Chang’s also argued that it had a reasonable expectation that credit card assessments would be covered if arising out of a data breach. However, the court determined that the record was void of any evidence that the policyholder expected such coverage. As the court noted, there was no evidence showing that Chang’s insurance broker asked Chubb’s underwriter if such assessments would be covered. Furthermore, the application and underwriting files were devoid of any evidence as to Chang’s expectation of coverage for this type of claim.
This is an excellent, but unfortunate, example of why due diligence is critical when placing cyberinsurance.
Placing the Best Cyberinsurance Requires Due Diligence
Data breaches continue to escalate and garner national attention. The situation is getting so bad that businesses, large and small, are finally realizing that the question is not if they will get breached, but when. And the sheer number of high-profile breaches in the last year reminds policyholders that cyber coverage is a critical part of any insurance program.
In response to the continually growing risk of loss from cyber and privacy violations, insurers are reacting in two ways. First, most insurers are now excluding cyber risks from more traditional insurance policies, such as Commercial General Liability (CGL) or Errors & Omissions (E&O).
Second, insurance companies are racing into the market with new products aimed at providing specialized coverage for such losses. Estimates are that data breach policies are changing every six months to keep pace with the sheer size of the risk and exposure.
CGL Isn’t for Cyber Coverage
Just as insurers reacted to CGL policies providing coverage for environmental exposures, they are now doing so with respect to cyber losses.
In May 2014, the Insurance Services Office (ISO) introduced several new endorsements addressing access or disclosure of confidential or personal data. These new endorsements will strip most, if not all, coverage for data-related losses from CGL policies.
The excluded losses may be the ones at the heart of an enterprise; if uninsured, they could cripple a business with response and rebuilding expenses related to its network infrastructure. Insurers want policyholders to place true cyberinsurance, and that is where the best coverage can be found.
A True Cyber Policy Is the Best Protection
Businesses can obtain cyberinsurance for losses, but it is critical to understand the full scope of the coverage you buy. Insurance to protect your property and network can include: 1) computer data restoration; 2) re-securing a company’s information network; 3) theft and fraud coverage; 4) business interruption; 5) forensic investigations; 6) crisis and public relations management; and 7) extortion. Commentators note that first-party losses are usually the higher costs to a business suffering a cyber attack, so adequate coverage in this area is vital.
Organizations also need liability coverage. Most coverage in this area will provide for a defense to litigation brought by customers for direct losses due to a breach. However, insurance may also cover: 1) PCI-DSS liability; 2) credit monitoring for customers; 3) the cost associated with notifying customers of a breach; 4) media and privacy liability; and 5) responses to regulatory investigations. Policyholders can obtain difference in conditions (DIC) coverage under certain aspects of first- and third-party coverages.
Today, “cyber” can be a misnomer for the breadth of coverage available. In addition, policyholders should remember that “paper” loss is still a data breach. A solid data privacy insurance policy must cover more than electronic data.
However, policy forms among the different carriers vary tremendously, and policyholders must be vigilant to ensure they purchase the right coverage. Those insured must look well beyond the declarations page and coverage grant when considering this type of insurance. Although those are obviously important, the devil is in the details.
Here are some important areas to consider.
Watch the Sublimits
A critical area to watch for with cyberinsurance is the sublimits. While many policyholders have a far better understanding of standard CGL and property coverage, it remains critical for them to take extra time to truly understand the nature of a new cyber policy being added into their insurance program. It is not uncommon for the most expensive and necessary aspects of coverage to have the lowest sublimits. Policyholders have to understand their risk and the costs for responding to a breach, then make sure the sublimits are appropriate for those various costs.
The Definitions Can Be a Real ‘Gotcha’
Since insurers all use different forms for data breach and privacy insurance, the definitions used in the policy are critical to the scope of coverage. For example, how does the policy define “computer system”? That definition may make all the difference in whether there is coverage or not. The same is true for “wrongful act” and a host of other definitions that are highly specific to the insurer’s forms. Remember, data breaches can take the form of many different kinds of attacks, so you need the policy to account for them.
Cyber Policies Have Exclusions Just Like All Policies
No surprise, these policies also contain a litany of exclusions. A prospective purchaser of cyberinsurance must pay particular attention to the exclusions. Match the exclusions up with the numerous definitions, and it becomes easy to see how tough it can be to have coverage at the end of the day. That does not mean such insurance is not critical – it is. But a prospective insured must be hyper-vigilant in determining what the policy offers against the risks, and negotiate like the devil for better terms.
It’s Cool to Be Retro
A survey by Mandiant, a FireEye Company, noted that in 2013 the average number of days an attacker was in a victim’s system before discovery was 229. Many businesses continue to struggle with detecting a breach. What does this mean? You need a retroactive date of at least a year to ensure coverage for this lag in breach discovery. Ideally, an insured would want a minimum of two years, if possible.
Cyberinsurance Isn’t Worth More than the Vendors
One of the main selling points of such insurance is that the insurers bring all of their resources to the table. The insurance company will have forensic information technology vendors to assist in closing the breach. They also have credit monitoring and public relations experts. The goal is that one call to your insurer after a breach should immediately marshal these resources for the coverage purchased. But do you know these vendors, and will they do more harm than good for you? Policyholders should vet the vendors, determine whether they are best in class, or negotiate on the issue.
Time spent upfront on an in-depth analysis when considering such insurance may prevent the type of coverage fight many policyholders are facing in order to get the coverage they paid for from their insurer. Working closely with your broker and coverage counsel may seem tedious, but ensuring the correct coverage can prevent unwanted litigation to try and secure it after the fact.
In Chang’s case, the restaurant needed a better understanding of its complete risk profile for possible losses arising from a data breach. With such information, it could have worked with coverage counsel to determine whether the Chubb policy truly provided the “flexible insurance solution” that was marketed. It is critical that policyholders take the time and effort when placing cyberinsurance to avoid costly gaps in coverage. Cyber policies vary greatly among insurers, with little uniformity. In-depth due diligence is the only way to avoid problems.
Finally, attention is also required as to the reputation of insurance companies. Policyholders must determine which insurers are true leaders in the cyberinsurance market and stand behind the coverage they sell. As more cyber coverage cases are filed, a clearer picture is developing of those insurers earning a reputation for fighting data breach coverage and leaving their policyholders holding the bag.
Collin Hite leads the Insurance Recovery Group and the Data Privacy & Security practice at the law firm of Hirschler Fleischer in Richmond, VA. A member of the Board of Editors of Cybersecurity Law & Strategy, he may be reached at 804-771-9595 or by email at firstname.lastname@example.org.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.