Contractual Liability exclusions have found their way into many different types of insurance policies over the years, and cybersecurity insurance has proven no exception. These exclusions operate to prevent insureds from recovering for losses that result from the insured willingly agreeing to assume a liability or risk in a contract. In the field of cyber insurance, these types of contractual liabilities can take many forms. When companies contract out information technology work, cloud storage, or other data services, they may sign contracts assigning liability to them without realizing it.
The issue of contractual liability exclusion arose recently with regards to P.F. Chang’s data breach. The breach affected the credit card information of 60,000 P.F. Chang’s customers. P.F. Chang’s had purchased a cyber insurance policy through Chubb that purported to cover the company from losses incurred as a result of a data breach.
The insurance company paid out $1.7 million to P.F. Chang’s for various losses as a result of that breach, including forensic investigation of the breach and defense of lawsuits resulting from the breach.
The insurance company and P.F. Chang’s, though, had a serious disagreement as to whether $2 million in fraud assessment fees charged by P.F. Chang’s credit card processor constituted a covered loss. P.F. Chang’s had entered into an agreement with Bank of America Merchant Services that allowed BAMS to charge the company certain fees in the event of a data breach. These fees were mostly calculated pursuant to a formula included in the merchant services agreement and included operational reimbursement fees and fraud recovery fees. For the data breach P.F. Chang’s suffered, these various fees totaled $1,929,921.57. P.F. Chang’s felt their cybersecurity policy covered these losses.
The insurance company, on the other hand, felt these fees fell under the contractual liability exclusion contained in the cyber insurance policy. The applicable language as quoted by the Court stated, “With respect to all Insuring Clauses, [Federal] shall not be liable for any Loss on account of any Claim, or for any Expense . . . based upon, arising from or in consequence of any . . . liability assumed by any Insured under any contract or agreement."
Because P.F. Chang’s repeatedly agreed within the merchant services agreement to indemnify BAMS for losses suffered and to pay any resulting fines, fees, or assessments, the Court held that the exclusion prevented recovery under the cyber insurance policy for these damages. The Court also read through the coverage provisions and determined they did not extend coverage to these types of losses either.
This case holds several important lessons for companies seeking to purchase cyber insurance.
More From ECBM's Cyber Team: