Courts continue to struggle with specialty cyber-insurance products2020-04-23T00:34:37+00:00
Courts continue to struggle with specialty cyber-insurance products

Following a significant victory for policyholders earlier this year for cyber security losses under CGL (Commercial General Liability) policies, in PF Chang’s China Bistro, Inv. v. Federal Ins. Co. a federal judge in Arizona recently found no coverage for PF Chang’s credit card fraud assessments under a specialty cyber insurance policy. After a 2014 breach, hackers posted PF Chang’s customers’ credit card numbers online. It then incurred almost $1.7 million in claims from its customers and associated mitigation and other expenses. Federal Insurance Company reimbursed PF Chang’s for those expenses. But what it failed to do—and which was the subject of coverage litigation—was pay for the additional $1.9 million in fraud recovery charges from various credit card companies.

Courts continue to struggle with specialty cyber-insurance productsPF Chang’s argued that those costs were recoverable under the specialty cyber insurance policy it purchased under the “Privacy Injury” coverage part, which provides coverage for certain costs resulting from unauthorized access to protected information. Initially, the court held that these fees fell within the scope of coverage under the cyber insurance policy. But then in an unusual application, it held that the “contractual liability” exclusion barred coverage. These exclusions are typical in most CGL policies and are found in some specialty cyber insurance products, and they generally exclude liability assumed under a contract. PF Chang’s has a master service agreement with its processor (in this case, MasterCard) in which it promises to pay fines levied by credit card associations. The court, relying on caselaw interpreting “contractual liability” exclusions in CGL policies only, held that because PF Chang’s had agreed that its credit card processor could charge back to PF Chang’s the fines and assessments from the credit card associations, the “contractual liability” exclusion precluded any recover of these charges.

If this case holds up on appeal, it could result in a massive gap in insurance coverage for policyholders. In many breaches involving credit card breaches, merchants have entered into similar master service agreements with their processor. As a result, policyholders without specific coverage for these losses may be without coverage for a significant portion of the breach. We recommend that any company utilizing any significant amount of credit card transactions carefully procure a cyber-insurance product that protects it from customer claims, data-breach response expenses, and any of the fines and expenses under a master service agreement with the processor.


Ball Janik LLP was founded in 1982 with six lawyers and a four-person support staff in Portland, Oregon. Since our firm’s inception, we have expanded our capabilities, our professionals, and geographic footprint. What started as a firm focused in real property and land use (known then as Ball Janik & Novack), has grown to include the insights of a team of 30-plus attorneys, with a combined six centuries of experience, and capabilities including Real Estate and Land Use, Construction Defect, Commercial Litigation, Insurance Recovery, Construction and Design, Employment, Finance and Corporate, Public Agencies and Schools, and Community Associations. With offices in Florida and Oregon, our regional growth has earned us a national reputation for upholding the rights of our clients.

Ball Janik LLP has been recognized by Chambers USA, U.S. News & World Report and Best Lawyers®, The Best Lawyers in America©, and Corporate International. Ball Janik LLP’s success and integrity have repeatedly made it one of “Oregon’s Most Admired Professional Firms,” according to the Portland Business Journal’s survey results of CEOs throughout the region.

No Blog Tiles found.