P.F. Chang’s Inc. was hit hard when it discovered that its cyber liability insurance failed to cover nearly $2 million in fees and assessments following a breach that led to hackers accessing the credit card information of 60,000 customers. P.F. Chang’s cybersecurity provider was Federal Insurance Company (Federal). The policy reimbursed $1.7 million following the breach. The amount covered the cost of the forensic investigation of the breach, the defending of litigation by consumers and a bank that issued compromised credit cards. However, Federal did not reimburse P.F. Chang’s for costs it paid to Bank of America Merchant Services (BAMS), which provided P.F. Chang’s credit card processing. P.F. Chang’s filed charges against Federal in the District Court of Arizona, claiming that Federal was liable for the $2 million paid to BAMS, but lost and was forced to pay its liability of the breach. Under the Master Services Agreement between P.F. Chang’s and BAMS, P.F. Chang’s was obligated to reimburse BAMS for any fees, fines, penalties or assessments issued against BAMS by MasterCard, which ended up being nearly $2 million. However, when P.F Chang’s sought reimbursement from Federal, the insurance company refused, stating that there were no recoverable losses under the policy.
The court ruling stated that Federal was exempt from coverage cited its exclusions, specifically an exclusion for any loss or expense based on any liability that PF Chang’s assumed under a contract. Since the only reason for P.F. Chang’s to pay BAMS debt to MasterCard was the Master Services Agreement, thereby falling into the Federal exclusion. P.F Chang’s argued that the marketing was misleading by stating that all cybersecurity-related issues would be covered. No evidence was produced that the MasterCard liability was calculated into the decision to purchase the plan, and that the plan could have accommodated the liability if brought up before the time of purchase.