Like many people, I cannot remember the last time I paid for a dinner out, bought new pants or paid an electricity bill with cash or a check. When I'm not working on behalf of policyholders, I like to travel, so I pay for everything I can with a credit card to earn travel miles. In order for a business owner to receive payment from my credit card transaction, they must enter into an agreement with a third party to facilitate the processing of credit card transactions. To complete these transactions, third-party providers also have separate agreements with credit card associations, such as MasterCard and Visa. MasterCard or Visa have rules that may force the business owner to pay additional fees and assessments in the event of a data breach in order to continue accepting credit cards.
A few years ago P.F. Chang's was subjected to a data breach when computer hackers obtained and posted approximately 60,000 credit card numbers belonging to their customers on the Internet ("security compromise" or "data breach"). 1 Then P.F. Chang's made an insurance claim through its cyber security policy provided by Chubb Insurance Company.
Due to the data breach, MasterCard imposed assessments on P.F. Chang's third party, which in turn imposed the assessments on P.F. Chang's. The assessments involved a fraud recovery assessment of $1,716,798.85, an operating compensation assessment of $163,122.72 for the data breach and a $50,000 case management fee. In order to continue processing credit card transactions, P.F. Chang's reimbursed its third party for these assessments. P.F. Chang's made an insurance claim for the assessments. Chubb refused to pay the MasterCard assessments and P.F. Chang's brought an action. On summary judgment, the court found that, based on the terms and exclusions of the policy, Chubb was not responsible for covering the assessments and dismissed P.F. Chang's action with prejudice.
Chubb claimed that P.F. Chang's liability for the assessments arose through its agreements with the third-party servicer and that coverage for it was therefore excluded under the policy. Chubb supported its argument by citing the third-party servicer agreements, in which P.F. Chang's agreed that the MasterCard assessments could be passed through to it. The court agreed with Chubb. The court reasoned that contractual liability exclusions apply to the assumption of another's liability, such as an agreement to indemnify or hold another harmless, and that P.F. Chang's third-party servicer agreement met these criteria. The court supported its reasoning by pointing out that:
In no less than three places in [third-party servicer agreement] P.F. Chang agrees to indemnify or compensate [the third-party servicer] for "fees", "fines," "penalties" or "assessments" imposed on by [MasterCard] or, in other words, to indemnify [the third-party servicer] … [f] In addition, the court cannot find and Chang does not draw the court's attention to any evidence in the minutes that indicates that Chang would have been liable for these [fees and assessments] from its agreement. Although such an exception from such an exception may exist in the law, it is not applicable here. Consequently, the Court must find that the above-mentioned exclusion field covers [the fees and] [a] assessments asserted by Chang.
To accept credit cards, business owners have no practical choice but to work with third-party service companies, which exposes them to additional charges and costs following a data breach. Regardless of whether the court decided the case rightly or wrongly, business owners who are exposed to data breaches must be aware of these additional costs and avoid exclusionary language in their insurance policies whenever possible.
1 P.F. Chang's China Bistro, Inc. v. Federal Ins. Co., No. 15-cv-01322, 2016 WL 3055111 (D. Ariz. 31 May 2016).
2 Fraud Recovery Assessment reflects costs associated with fraudulent charges that may have arisen from, or may be related to, the security compromise. Assessment of Operating Compensation reflects costs of notifying cardholders affected by the security compromise and issuing and delivering debit cards, new account numbers and security codes to these cardholders. The fee for case management is a fixed fee and refers to considerations regarding Chang's compliance with data security standards for the payment card industry.