In possibly the first-ever ruling on a cyber insurance policy, a federal court in Arizona recently rejected restaurant chain P.F. Chang’s attempt to recover an additional $2 million from a “CyberSecurity by Chubb Policy,” following a 2014 data breach. The restaurant chain had purchased this cyber policy from Federal Insurance Company, a Chubb subsidiary, for an annual premium of $134,000 before the data breach resulted in approximately 60,000 stolen credit card numbers from P.F. Chang customers. While Chubb had already paid $1.7 million in valid claims to “injured customers and Issuers,” P.F. Chang’s sought an additional $2 million in reimbursement towards fees it had to pay to credit card providers. However, the Arizona federal court agreed with Chubb/Federal Insurance that “P.F. Chang’s had no reasonable expectation of coverage for these amounts.”
Additionally, the court made clear that Federal had not outright denied coverage entirely, as it did pay millions in other valid claims to injured customers and issuers. However, this decision displays how imperative it is to know the exact scope of your cyber policy before purchasing coverage and before a breach occurs. Unlike other forms of property/casualty policies, the cyber insurance market is rapidly evolving leading to inconsistent and varied cyber policies among insurers. It is important to remember, what is covered under one policy may not be covered in another as there is no “one size fits all” policy.