Federal District Court Finds No Cyber Insurance Coverage for Costly Credit Card Fraud Assessments

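In one of the first court decisions to analyze in depth the coverage provided by a cyber policy, a federal judge found PF Chang’s policy lacking. In 2014, hackers compromised 60,000 credit card numbers belonging to PF Chang’s customers and posted them online. The company then sought coverage under its “CyberSecurity by Chubb” insurance policy. Although PF Chang’s insurer, Federal Insurance Company (“Federal”), agreed to reimburse nearly $1.7 million in customer claims and other breach-related costs, it refused to reimburse an additional $2 million in fees and assessments imposed on PF Chang’s by the credit card brands. Last week a federal district judge in Arizona, applying Arizona law, rejected PF Chang’s claim for coverage and granted summary judgment to Federal. While the court found that these fees and assessments fell within the scope of coverage, it held that the “contractual liability” exclusion barred coverage.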

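This insurance coverage case arose out of PF Chang’s 2014 data breach, which we wrote about here. Following the breach, MasterCard conducted an investigation under its association rules and in March 2015 issued a final report imposing three assessments of approximately $2 million for fraud recovery fees. Under MasterCard’s rules, these fees and other operational assessments are imposed on the compromised merchant’s credit card processor, which then charges them back against the merchant’s credit card receivables. Like other merchants that accept credit cards, PF Chang’s has a master services agreement with its processor under which it agreed to pay any fines or penalties imposed by the credit card associations. PF Chang’s sought coverage under its cyber insurance policy for these assessments and chargebacks. Although Federal had reimbursed PF Chang’s routine costs and class action defense fees, it refused to pay these card association fees, and PF Chang’s sued.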

Few if any cases to date have closely examined the coverage provided by cyber insurance policies, which remain relatively new, non-standard and highly complex. Here, PF Chang’s argued that the MasterCard assessment, charged back against it by its credit card acquirer, was recoverable under the “Privacy Injury” coverage of its cyber insurance policy, which provides coverage for claims of injury because of unauthorized access to certain protected information. PF Chang’s also argued that these assessments were covered “Privacy Notification Expenses.”

The court closely examined the policy language and found no coverage under the Privacy Injury module, but it did find that such assessments fell within coverage under the Privacy Notification Expenses module. Policyholders should not take comfort in that, however, because the court went on to find that a policy exclusion eliminated all of PF Chang’s recovery. The Court held that a policy exclusion for liability assumed under contract, which is found in virtually all form insurance contracts (unless modified by endorsement), barred recovery because PF Chang’s had agreed under the MSA that its credit card acquirer could charge back against it these credit card brand-imposed costs and assessments. The court looked to case law discussing this exclusion in the context of commercial general liability policies, noting the absence of any case law discussing this exclusion in a cyber policy. Because it had agreed to this scheme under contract, the court held PF Chang’s was not covered by its cyber insurance.

Policyholders may be surprised by this result. Notwithstanding that Chubb advertised this policy as a “flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” (see decision at *1-*2), it did not cover a significant data-breach-related liability. Credit card fraud recovery assessments issued in the wake of a data breach can be very costly for merchants. An absence of cyber coverage for these fines and penalties would be a significant gap in insurance. Insurers will likely claim that PF Chang’s problem was that it failed to purchase specific coverage for credit card fines and penalties and as a result tried to force these otherwise uncovered contractual liabilities into an ill-suited coverage not meant for those types of costs. The bottom line is that companies that process large numbers of credit card transactions, and therefore face a risk of credit card fraud recovery assessments or other PCI fines or penalties in the wake of a data breach, should carefully review the scope of their cyber insurance now to avoid any million-dollar surprises later.