A data breach at P.F. Chang’s China Bistro, Inc. (P.F. Chang’s), spurred recent rulings in several circuits that highlight cyber insurance policies and customers’ standing to sue.
In June 2014, P.F. Chang’s discovered that computer hackers obtained approximately 60,000 credit card numbers belonging to its customers and posted them on the internet. Subsequently, P.F. Chang’s Mastercard payment processor, Bank of America Merchant Services, LLC (BAMS), demanded payment from P.F. Chang’s for multiple assessment fees related to the fraudulent transactions that Mastercard imposed on BAMS. P.F. Chang’s sued its insurer for indemnification. Whether damages owed to BAMS were covered under the policy was the primary issue for the court. Separately, customers sued P.F. Chang’s for fraudulent transactions on their credit cards, their time and efforts to monitor statements to identify potential fraudulent transactions, and fees associated with credit monitoring. The customers’ standing to sue was a primary issue in that case.
In P.F. Chang’s China Bistro, Inc. v. Fed. Ins. Co., No. CV-15-01322-PHX-SMM (D. Ariz. May 31, 2016), P.F. Chang’s sought indemnification under its cybersecurity insurance policy of nearly $2 million of fraud recovery and related fees assessed by BAMS. P.F. Chang’s argued in favor of indemnification, in part, on the basis that the policy was marketed as “a flexible solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world.” The court disagreed, ruling that the damages demanded by BAMS were not covered despite the fact that P.F. Chang’s was liable.
The court granted summary judgment in favor of the defendant insurer, holding that the insurer was not obligated to pay the assessment fees because BAMS did not suffer a “privacy injury” as defined in the policy. Specifically, the court reasoned that the covered “privacy injury” could only be suffered by the person whose records are actually or potentially accessed without authorization, and the stolen records at issue were not BAMS’ records, but rather, were the issuing bank’s records.
Separately, in Lewert, et al., v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), the Court of Appeals for the Seventh Circuit reversed a district court’s decision granting a motion to dismiss for lack of standing in a class action brought by P.F. Chang’s customers. In effect, the court found standing even where some of the alleged damages were speculative. However, other federal appellate courts remain split on this issue.
There was more than one plaintiff customer in Lewert. One alleged that the data breach resulted in four fraudulent transactions on his credit card, which caused him to purchase a credit monitoring service. Another customer did not spot any fraudulent charges on his card but alleged that he spent time and effort monitoring his card statements and credit reports after learning of the data breach. The Seventh Circuit found even the second customer’s allegations were sufficient to support standing, holding that the increased risk of fraudulent charges and identity theft as a result of the data breach was concrete enough to support a lawsuit.
The decision in Lewert led to the reopening of another action involving an insurer and P.F. Chang’s. In The Travelers Indem. Co. of Connecticut v. P.F. Chang’s China Bistro, Inc., the insurer sought a declaratory judgment disclaiming coverage in class action lawsuits brought by P.F. Chang’s customers subjected to the 2014 data breach. See Travelers Indem. Co. of Connecticut v. P.F. Chang’s China Bistro, Inc., No. 3:14-cv-01458-VLB (D. Conn. filed Oct. 2, 2014). The case, which had been stayed pending appeals in three lawsuits that had been dismissed, was reopened after the Lewert decision and was still an active case as of August 9, 2016. See No. 3:14-cv-01458-VLB (D. Conn. D.E. 43).
Note, however, that there is a split among circuits on the issue of standing where the basis of the complaint is an increased risk of identity theft as opposed to actual damages. For example, the Third Circuit has held that such risk is a hypothetical, future injury making it insufficient to establish standing. See Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011), cert. denied, 132 S.Ct. 2395 (2012).
The law on data breach preparation and response is not yet settled in courts nationwide. But as cybersecurity policies evolve and the courts gain opportunities to weigh in on these issues, insurers and their customers will need to keep informed of the evolving case law to best prepare for and resolve cybersecurity threats.
Key Words: intellectual property, litigation, cyber, cybersecurity, data breach, identity theft, privacy, insurance, standing