P.F. Chang's China Bistro Incorporated v. Federal Insurance Company
Filing
45
IT IS HEREBY ORDERED GRANTING Defendant Federal Insurance Company's Motion for Summary Judgment. (Doc. 22 .) FURTHER ORDERED DENYING Plaintiff P.F. Chang's China Bistro, Inc.'s Unopposed Motion to Modify Case Schedule to Permit the Fi ling of an Amended Complaint (Doc. 44 ) as moot. IT IS FURTHER ORDERED DISMISSING Plaintiff P.F. Chang's China Bistro, Inc.'s complaint with prejudice. The Clerk of Court shall enter judgment in favor of Defendant and terminate the case. Signed by Senior Judge Stephen M McNamee on 5/26/2016. (KMG)
<![CDATA[
1
WO
2
3
4
5
6
IN THE UNITED STATES DISTRICT COURT
7
FOR THE DISTRICT OF ARIZONA
8
9
P.F. Chang's China Bistro, Inc.,
Plaintiff,
10
11
ORDER
v.
12
No. CV-15-01322-PHX-SMM
Federal Insurance Company,
13
Defendant.
14
15
Pending before the Court is Defendant Federal Insurance Company’s (“Federal”)
16
Motion for Summary Judgment. (Doc. 22.) P.F. Chang’s China Bistro, Inc. (“Chang’s”)
17
has responded and the matter is fully briefed. (Docs. 36, 38.) The Court heard Oral
18
Arguments on the motion on April 19, 2016. (Doc. 41.) In essence, the main issue before
19
the Court is whether coverage exists under the insurance policy between Chang’s and
20
Federal for the credit card association assessments that arose from the data breach
21
Chang’s suffered in 2013. The Court now issues following ruling.
22
I. FACTUAL BACKGROUND1
23
A. The CyberSecurity Insurance Policy
24
Federal sold a CyberSecurity by Chubb Policy (“Policy”) to Chang’s corporate
25
parent, Wok Holdco LLC, with effective dates from January 1, 2014 to January 1, 2015.
26
(Doc. 8-1 at 2.) On its website, Federal marketed the Policy as “a flexible insurance
27
solution designed by cyber risk experts to address the full breadth of risks associated with
28
1
The facts are undisputed unless indicated otherwise
1
doing business in today’s technology-dependent world” that “[c]overs direct loss, legal
2
liability, and consequential loss resulting from cyber security breaches.” (Doc. 37-7.)
3
Specific provisions of the Policy will be defined and discussed in greater detail below.
4
During the underwriting processes, Federal classified Chang’s as a high risk, “PCI
5
Level 1”, client because Chang’s conducts more than 6 million transactions per year.
6
(Docs. 37-1 at 121-22, 37-6.) Further, because of the large number of Chang’s
7
transactions conducted with customer credit cards, Federal noted there was high exposure
8
to potential customer identity theft. (Doc. 37-6.) In 2014, Chang’s paid an annual
9
premium of $134,052.00 for the Policy. (Doc. 37-1 at 126.)
10
B. The Master Service Agreement Between Chang’s and BAMS
11
Chang’s and other similarly situated merchants are unable to process credit card
12
transactions themselves. Merchants must enter into agreements with third-party
13
“Servicers” or “Acquirers” who facilitate the processing of credit card transactions with
14
the banks who issue the credit cards (“Issuers”), such as Chase or Wells Fargo. Here,
15
Chang’s entered into a Master Service Agreement (“MSA”) with Bank of America
16
Merchant Services (“BAMS”) to process credit card payments made by Chang’s
17
customers. (Doc. 23-2.) Under the MSA, Chang’s delivers its customers’ credit card
18
payment information to BAMS who then settles the transaction through an automated
19
clearinghouse; BAMS then credits Chang’s account for the amount of the payment. (Id.)
20
Servicers like BAMS perform their processing obligations pursuant to agreements
21
with the credit card associations (“Associations”), like MasterCard and Visa. (Doc. 24-1.)
22
BAMS’ agreement with MasterCard is governed by the MasterCard Rules, and are
23
incorporated in its MSA with Chang’s. (See Id; Doc. 23-2.) Under the MasterCard Rules,
24
BAMS is obligated to pay certain fees and assessments (“Assessments”) to MasterCard in
25
the event of a data breach or “Account Data Compromise” (“ADC”). (Doc. 24-1 at §
26
10.2) These Assessments include “Operational Reimbursement” fees and “Fraud
27
Recovery” fees, and they are calculated by formulae set forth in the MasterCard Rules.
28
(Id.)
-2-
1
Under the MSA, Chang’s agreed to compensate or reimburse BAMS for “fees,”
2
“fines,” “penalties,” or “assessments” imposed on BAMS by the Associations. (See Doc.
3
23-2 at 9, 18.) Section 13.5 of the Addendum to the MSA reads: “[Chang’s] agrees to pay
4
[BAMS] any fines, fees, or penalties imposed on [BAMS] by any Associations, resulting
5
from Chargebacks and any other fines, fees or penalties imposed by an Association with
6
respect to acts or omissions of [Chang’s].” (Id. at 9.) Section 5 of Schedule A to the
7
Addendum to the MSA provides: “In addition to the interchange rates, [BAMS] may pass
8
through to [Chang’s] any fees assessed to [BAMS] by the [Associations], including but
9
not limited to, new fees, fines, penalties and assessments imposed by the [Associations].”
10
(Id. at 18.)
11
C. The Security Compromise
12
On June 10, 2014, Chang’s learned that computer hackers had obtained and posted
13
on the Internet approximately 60,000 credit card numbers belonging to its customers (the
14
“security compromise” or “data breach”). (Doc. 25-1.) Chang’s notified Federal of the
15
data breach that very same day. (Id.)
16
To date, Federal has reimbursed Chang’s more than $1,700,000 pursuant to the
17
Policy for costs incurred as a result of the security compromise. (Doc. 22 at 9.) Those
18
costs include conducting a forensic investigation into the data breach and the costs of
19
defending litigation filed by customers whose credit card information was stolen, as well
20
as litigation filed by one bank that issued card information that was stolen. (Id.)
21
Following the data breach, on March 2, 2015, MasterCard issued an “ADC
22
Operational Reimbursement/Fraud Recovery Final Acquirer Financial Responsibility
23
Report” to BAMS. (Doc. 26-2.) This MasterCard Report imposed three Assessments on
24
BAMS, a Fraud Recovery Assessment of $1,716,798.85, an Operational Reimbursement
25
Assessment of $163,122.72 for Chang’s data breach, and a Case Management Fee of
26
$50,000. (Id.; Doc. 26-3.) The Fraud Recovery Assessment reflects costs, as calculated
27
by MasterCard, associated with fraudulent charges that may have arisen from, or may be
28
related to, the security compromise. (Doc. 1-1 at ¶20.) The Operational Reimbursement
-3-
1
Assessment reflects costs to notify cardholders affected by the security compromise and
2
to reissue and deliver payment cards, new account numbers, and security codes to those
3
cardholders. (Id. at ¶19) The Case Management Fee is a flat fee and relates to
4
considerations regarding Chang’s compliance with Payment Card Industry Data Security
5
Standards. (Id. at ¶18.)
6
D. The BAMS Letter
7
On March 11, 2015, BAMS sent Chang’s a letter (the “BAMS Letter”) stating:
8
9
10
11
12
13
14
15
MasterCard’s investigation concerning the account data compromise event
involving [Chang’s] is now complete. [BAMS] has been notified by
MasterCard that a case management fee and Account Data Compromise
(ADC) Operational Reimbursement and Fraud Recovery (ORFR) are being
assessed against [BAMS] as a result of the data compromise. In accordance
with your [MSA] you are obligated to reimburse [BAMS] for the following
assessments:
$ 50,000.00 – Case Management Fee
$ 163,122.72 – ADC Operational Reimbursement
$1,716,798.85 – ADC Fraud Recovery
$1,929,921.572
16
(Doc. 26-3.) Chang’s notified Federal of the BAMS Letter on March 19, 2015 and sought
17
coverage for the Assessments. (Doc. 26-4.) Pursuant to the MSA, and in order to continue
18
operations and not lose its ability to process credit card transactions, Chang’s reimbursed
19
BAMS for the Assessments on April 15, 2015. (Doc. 1-1 at ¶24.) Federal denied
20
coverage for the Assessments and Chang’s subsequently filed this lawsuit.
21
22
II. STANDARD OF REVIEW
“The court shall grant summary judgment if the movant shows that there is no
23
genuine dispute as to any material fact and the movant is entitled to judgment as a matter
24
of law.” Fed.R.Civ.P. 56(a). “The substantive law determines which facts are material;
25
only disputes over facts that might affect the outcome of the suit under the governing law
26
properly preclude the entry of summary judgment.” Nat’l Ass’n of Optometrists &
27
28
2
This total is separate from and does not include the $1.7 million Federal has
already paid Chang’s under the Policy.
-4-
1
Opticians v. Harris, 682 F.3d 1144, 1147 (9th Cir. 2012) (citing Anderson v. Liberty
2
Lobby, Inc., 477 U.S. 242, 248 (1986)). To prove the absence of a genuine dispute, the
3
moving party must demonstrate that “the evidence is such that [no] reasonable jury could
4
return a verdict for the nonmoving party.” Liberty Lobby, 477 U.S. at 248. In
5
determining whether a party has met its burden, a court views the evidence in the light
6
most favorable to the non-moving party and draws all reasonable inferences in the non-
7
moving party's favor. Liberty Lobby, 477 U.S. at 255. While a court may consider only
8
admissible evidence in ruling on a motion for summary judgment, the focus is not “on the
9
admissibility of the evidence’s form,” but “on the admissibility of its contents.” Fraser v.
10
Goodale, 342 F.3d 1032, 1036–37 (9th Cir.2003).
11
Federal courts sitting in diversity apply the forum state's choice of law rules to
12
determine controlling substantive law. Klaxon Co. v. Stentor Elec. Mfg. Co. Inc., 313
13
U.S. 487, 496 (1941). Arizona adheres to Restatement (Second) of Conflict of Laws §
14
193 (1971), which states that insurance contracts are generally governed “by the local law
15
of the state which the parties understood was to be the principal location of the insured
16
risk during the term of the policy.” Beckler v. State Farm Mut. Auto. Ins. Co., 195 Ariz.
17
18
19
20
21
22
23
24
25
26
27
28
282, 286, 987 P.2d 768, 772 (App. 1999). Since the principal location of the insured was
in Arizona and the insurance agreement was entered into in Arizona, Arizona law
governs the enforcement of the Policy.
“The traditional view of the law of contracts is that a written agreement adopted
by the parties will be viewed as an integrated contract which binds those parties to the
terms expressed within the four corners of the agreement.” Darner Motor Sales, Inc. v.
Universal Underwriters Ins. Co., 140 Ariz. 383, 390, 682 P.2d 388, 395 (1984). However,
“the usual insurance policy is a special kind of contract,” id., in part because it is not
“arrived at by negotiation between the parties,” Zuckerman v. Transamerica Ins. Co., 133
Ariz. 139, 144, 650 P.2d 441, 446 (1982). Instead, “[i]t is largely adhesive; some terms
are bargained for, but most terms consist of boilerplate, not bargained for, neither read
nor understood by the buyer, and often not even fully understood by the selling agent.”
Darner, 140 Ariz. at 391, 682 P.2d at 396. Moreover, “[t]he adhesive terms generally are
-5-
1
self-protective; their major purpose and effect often is to ensure that the drafting party
2
will prevail if a dispute goes to court.” Gordinier v. Aetna Cas. & Sur. Co., 154 Ariz.
3
266, 271, 742 P.2d 277, 282 (1987). Accordingly, “special contract rules should apply.”
4
Id.
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
Interpretation of insurance policies is a question of law. Sparks v. Republic Nat.
Life Ins. Co., 132 Ariz. 529, 534, 647 P.2d 1127, 1132 (1982). “Provisions of insurance
policies are to be construed in a manner according to their plain and ordinary meaning,”
id., but if a clause is reasonably susceptible to different interpretations given the facts of
the case, the clause is to be construed “by examining the language of the clause, public
policy considerations, and the purpose of the transaction as a whole,” State Farm Mut.
Auto. Ins. Co. v. Wilson, 162 Ariz. 251, 257, 782 P.2d 727, 733 (1989). “[T]he general
rule is that while coverage clauses are interpreted broadly so as to afford maximum
coverage to the insured, exclusionary clauses are interpreted narrowly against the
insurer.” Scottsdale Ins. Co. v. Van Nguyen, 158 Ariz. 476, 479, 763 P.2d 540, 543 (App.
1988).
Furthermore, “the policy may not be interpreted so as to defeat the reasonable
expectations of the insured.” Samsel v. Allstate Ins. Co., 204 Ariz. 1, 4, 59 P.3d 281, 284
(2002). “Under this doctrine, a contract term is not enforced if one party has reason to
believe that the other would not have assented to the contract if it had known of that
term.” First Am. Title Ins. Co. v. Action Acquisitions, LLC, 218 Ariz. 394, 400, 187 P.3d
1107, 1113 (2008); accord Averett v. Farmers Ins. Co., 177 Ariz. 531, 533, 869 P.2d 505,
507 (1994) (quoting Gordinier, 154 Ariz. at 272, 742 P.2d at 283); Darner, 140 Ariz. at
392, 682 P.2d at 397. “One of the basic principles which underlies [the doctrine] is
simply that the language in the portion of the instrument that the customer is not
ordinarily expected to read or understand ought not to be allowed to contradict the
bargain made by the parties.” Averett, 177 Ariz. at 533, 869 P.2d at 507 (quoting State
Farm Mut. Auto. Ins. Co. v. Bogart, 149 Ariz. 145, 151, 717 P.2d 449, 455 (1986),
superseded by statute on other grounds as recognized in Consolidated Enters., Inc. v.
-6-
1
Schwindt, 172 Ariz. 35, 38, 833 P.2d 706, 709 (1992)).
2
The insured bears the burden of proving the applicability of the reasonable
3
expectations doctrine at trial. State Farm Fire & Cas. In. Co. v. Grabowski, 214 Ariz.
4
188, 190, 150 P.3d 275, 277 (App. 2007). The doctrine applies only if two predicate
5
conditions are present. First, the insured’s “expectation of coverage must be objectively
6
reasonable.” Millar v. State Farm Fire and Cas. Co., 167 Ariz. 93, 97, 804 P.2d 822, 826
7
(App. 1990). Second, the insurer “must have had a reason to believe that the [insured]
8
would not have purchased the . . . policy if they had known that it included” the
9
complained of provision. Grabowski, 214 Ariz. at 193-94, 150 P.3d at 280-81. Provided
10
both of these conditions are satisfied, “Arizona courts will not enforce even unambiguous
11
boilerplate terms in standardized insurance contracts in a limited variety of situations.”
12
Gordinier, 154 Ariz. at 272, 742 P.2d at 283.
13
Finally, insurers expressly obligate themselves to defend their insureds against any
14
claim of liability potentially covered by the policy. Ariz. Prop. & Cas. Ins. Guar. Fund v.
15
Helme, 153 Ariz. 129, 137, 735 P.2d 451, 459 (1987); United Servs. Auto. Ass’n v.
16
Morris, 154 Ariz. 113, 118, 741 P.2d 246, 250 (1987). The duty to defend is triggered if
17
the complaint “alleges facts which come within the coverage of the liability policy. . .,
18
but if the alleged facts fail to bring the case within the policy coverage, the insurer is free
19
of such obligation.” Kepner v. Western Fire Ins. Co., 109 Ariz. 329, 331, 509 P.2d 222,
20
224 (1973) (quoting C.T. Drechsler, Annotation, Allegations in Third Person’s Action
21
Against Insured as Determining Liability Insurer's Duty to Defend, 50 A.L.R.2d 458 § 3,
22
at 464 (1956)). Indeed, an insurer rightfully refuses to defend only if the facts, including
23
those outside the complaint, indisputably foreclose the possibility of coverage. See
24
Kepner, 109 Ariz. at 331, 509 P.2d at 224. “If the insurer refuses to defend and awaits the
25
determination of its obligation in a subsequent proceeding, it acts at its peril, and if it
26
guesses wrong it must bear the consequences of its breach of contract.” Id. at 332, 509
27
P.2d at 225
28
///
-7-
1
III. ANALYSIS
2
In its Complaint, Chang’s alleges that the Policy’s Insuring Clauses cover each
3
assessment from the BAMS Letter. Specifically, Chang’s claims that Insuring Clause A
4
covers ADC Fraud Recovery Assessment, Insuring Clause B covers the ADC Operational
5
Reimbursement Assessment, and Insuring Clause D.2 covers the Case Management Fee.
6
(Doc. 1-1.) Federal summarily argues that the BAMS Letter and the Assessments set
7
forth therein do not fall within the coverage provided by any of the Policy’s Insuring
8
Clauses. (Doc. 22 at 7.) Additionally, Federal contends that certain exclusions contained
9
in the Policy bar coverage. (Id. at 11-16) The Court will analyze each Policy provision
10
and exclusion in turn. Then the Court will turn to Chang’s final argument that coverage is
11
proper under the reasonable expectation doctrine.
12
A. Insuring Clause A.
13
Insuring Clause A provides that, “[Federal] shall pay for Loss3 on behalf of an
14
Insured on account of any Claim first made against such Insured . . . for Injury.” (Doc.
15
8-1.) In relevant part, Claim means “a written request for monetary damages . . . against
16
an Insured for an Injury.” (Id.) Under the Policy, Injury is a broad term encompassing
17
18
19
20
21
22
23
24
25
26
many types of injuries, including Privacy Injury. (Id.) Privacy Injury “means injury
sustained or allegedly sustained by a Person because of actual or potential unauthorized
access to such Person’s Record, or exceeding access to such Person’s Record.” (Id.)
Person is a natural person or an organization. (Id.) Relevant to this discussion, Record
includes “any information concerning a natural person that is defined as: (i) private
personal information; (ii) personally identifiable information . . . pursuant to any federal,
state . . . statute or regulation, . . . where such information is held by an Insured
Organization or on the Insured Organization’s behalf by a Third Party Service
Provider” or “an organization’s non-public information that is. . . in an Insured’s or
Third Party Service Provider’s care, custody, or control.” (Id.) “Third Party Service
Provider means an entity that performs the following services for, or on behalf of, an
27
28
3
Terms in bold are defined in the Policy.
-8-
1
Insured Organization pursuant to a written agreement: (A) processing, holding or
2
storing information; (B) providing data backup, data storage or data processing services.”
3
(Id.)
4
Federal argues that Insuring Clause A is inapplicable because BAMS, itself, did
5
not sustain a Privacy Injury because it was not its Records that were compromised
6
during the data breach. (Doc. 22 at 8.) Federal therefore contends that BAMS is not even
7
in a position to assert a valid Privacy Injury Claim.
8
Conversely, Chang’s argues that it was the Issuers who suffered a Privacy Injury
9
because it was their Records, constituting private accounts and financial information,
10
which were compromised in the data breach. (Doc. 36 at 6.) Chang’s argument is
11
premised upon the idea that it is immaterial that this Injury first passed through BAMS
12
before BAMS in turn charged Chang’s, because this was done pursuant to industry
13
standards and Chang’s payment to BAMS was functionally equivalent to compensating
14
the Issuers. 4 (See Id.) Basically, Chang’s argues that because a Privacy Injury exists and
15
was levied against it, regardless of who suffered it, the Injury is covered under the
16
Policy. (Id.)
17
18
19
20
21
22
23
24
25
Although the Court is expected to broadly interpret coverage clauses so as to
provide maximum coverage for an insured, a plain reading of the policy leads the Court
to the conclusion that Insuring Clause A does not provide coverage for the ADC Fraud
Recovery Assessment. Scottsdale Ins. Co., 158 Ariz. at 479, 763 P.2d at 543. The Court
agrees with Federal; BAMS did not sustain a Privacy Injury itself, and therefore cannot
maintain a valid Claim for Injury against Chang’s. The definition of Privacy Injury
requires an “actual or potential unauthorized access to such Person’s Record, or
exceeding access to such Person’s Record.” (Doc. 8-1) (emphasis added). The usage of
the word “such” means that only the Person whose Record is actually or potentially
accessed without authorization suffers a Privacy Injury. Here, because the customers’
26
27
28
4
Chang’s bolsters this argument by analogizing it to subrogation in other
insurance contexts, which Federal misinterprets as the crux of Chang’s argument. In
reaching its decision, the Court gave appropriate weight to Chang’s analogy, but does not
believe this matter is governed by any subrogation legal rules.
-9-
1
information that was the subject of the data breach was not part of BAMS’ Record, but
2
rather the Record of the issuing banks, BAMS did not sustain a Privacy Injury.5 Thus,
3
BAMS did not make a valid Claim of the type covered under Insuring Clause A against
4
Chang’s.
5
Contrary to Chang’s assertion, this interpretation is not a “pixel-level view” that
6
“reduce[s] coverage to a mere sliver of what the plain language provides.” (Doc. 36 at 9.)
7
Rather, this is the only result that can be derived from the Policy. It is also worth noting
8
that Federal is not outright denying coverage in its entirety. Federal has reimbursed
9
Chang’s nearly $1.7 million for valid claims brought by injured customers and Issuers.
10
As will be addressed more fully below, if Chang’s, who is a sophisticated party, wanted
11
coverage for this Assessment, it could have bargained for that coverage. However, as is,
12
coverage does not exist under the Policy for the ADC Fraud Recovery Assessment under
13
Insuring Clause A.
14
B. Insuring Clause B.
15
Insuring Clause B provides that “[Federal] shall pay Privacy Notification
16
Expenses incurred by an Insured resulting from [Privacy] Injury.” (Doc. 8-1.) The
17
18
19
20
21
22
23
24
25
26
Policy defines Privacy Notification Expenses as “the reasonable and necessary cost[s]
of notifying those Persons who may be directly affected by the potential or actual
unauthorized access of a Record, and changing such Person’s account numbers, other
identification numbers and security codes. . .” (Id.) Chang’s alleges that the ADC
Operational Reimbursement fee is a Privacy Notification Expense because it compensates
Issuers for the cost of reissuing bankcards and new account numbers and security codes
to Chang’s customers. (Docs. 1-1, 36 at 8.)
In its motion, Federal uses similar argumentation it employed for Insuring Clause
A. Federal contends that The ADC Operational Recovery fee was not personally incurred
by Chang’s, but rather was incurred by BAMS. (Doc. 22 at 10.) Also, Federal argues that
the ADC Operational Recovery fee does not qualify as Privacy Notification Expenses
27
28
5
BAMS also did not sustain any other type of Injury as defined under the Policy.
- 10 -
1
because there is no evidence that the fee was used to “notify[] those Persons who may be
2
directly affected by the potential or actual unauthorized access of a Record, and changing
3
such Person’s account numbers, other identification numbers and security codes.” (Id.)
4
Chang’s counters, stating that Federal’s interpretation of “incur” is too narrow, as
5
the Arizona Supreme Court held that an insured “incurs” an expense when the insured
6
becomes liable for the expense, “even if the expenses in question were paid by or even
7
required by law to be paid by other sources.” (Doc. 36 at 8 (citing Samsel, 204 Ariz. at
8
4-11, 59 P.3d at 284-91)).
9
The Court agrees with Chang’s. Although the ADC Operational Reimbursement
10
fee was originally incurred by BAMS, Chang’s is liable for it pursuant to its MSA with
11
BAMS.
12
In response to Federal’s argument that there is no evidence that the ADC
13
Operational Reimbursement fee was used to compensate Issuers for the costs of notifying
14
about the security compromise and reissuing credit cards to Chang’s customers, Chang’s
15
argues that MasterCard’s Security Rules clearly state that the ADC Operational
16
Reimbursement fee is used for that purpose. (Docs. 36 at 8, 24-1 at 84-88.) Federal does
17
18
19
20
21
22
23
24
25
26
27
28
not direct the Court’s attention to and the Court is unable to find any evidence in the
record where the ADC Operational Reimbursement fee was used for any other purpose.
The evidence shows that MasterCard performed an investigation into the Chang’s data
breach and determined Assessments pursuant to the MasterCard Rules. MasterCard then
furnished a Report to BAMS levying the ADC Operational Reimbursement fee against
BAMS, which it paid and then imposed the Assessment upon Chang’s. (Doc. 26-3.) The
Court does not find this to be a question of fact more suitable for a jury, but rather can
find as a matter of law that coverage exists for the ADC Operational Reimbursement
under Insuring Clause B. However, this finding is subject to the Court’s analysis of the
Policy’s exclusions discussed below.
C. Insuring Clause D.2.
Under Insuring Clause D.2., “[Federal] shall pay: . . . Extra Expenses an Insured
incurs during the Period of Recovery of Services due to the actual or potential
- 11 -
1
impairment or denial of Operations resulting directly from Fraudulent Access or
2
Transmission.” (Doc. 8-1.) Extra Expenses include “reasonable expenses an Insured
3
incurs in an attempt to continue Operations that are over and above the expenses such
4
Insured would have normally incurred. Extra Expenses do not include any costs of
5
updating, upgrading or remediation of an Insured’s System that are not otherwise
6
covered under [the] Policy.” (Id.) In the context of Extra Expenses, Period of Recovery
7
of Services “begins: . . . immediately after the actual or potential impairment or denial of
8
Operations occurs; and will continue until the earlier of . . . the date Operations are
9
restored, . . . to the condition that would have existed had there been no impairment or
10
denial; or sixty (60) days after the date an Insured’s Services are fully restored. . . to the
11
level that would have existed had there been no impairment or denial.” (Id.) Operations
12
are an Insured’s business activities, while Services are “computer time, data processing,
13
or storage functions or other uses of an Insured’s System.” (Id.) Fraudulent Access or
14
Transmission occurs when “a person has: fraudulently accessed an Insured’s System
15
without authorization; Exceeded Authorized Access; or launched a Cyber-attack into
16
an Insured’s System.” (Id.)
17
18
19
20
21
22
23
24
25
26
27
28
Federal claims that Insuring Clause D.2. does not cover the Case Management Fee
because Chang’s has not submitted any evidence that the data breach caused “actual or
potential impairment or denial” of business activities. (Doc. 22 at 11.) Chang’s response
states that the evidence clearly shows that its ability to operate was impaired because
BAMS would have terminated the MSA and eliminated Chang’s ability to process credit
card transactions if it did not pay BAMS pursuant to the BAMS Letter. (Docs. 36 at 10,
23-2.) The MSA provides that Chang’s is not permitted to use another servicer while
contracting with BAMS for its services. (Doc. 23-2 at 3.) Furthermore, in her deposition,
the approving underwriter for Federal, Leah Montgomery, states that she knew Chang’s
transacted much of its business through credit card payments and that Chang’s would be
adversely affected if it was unable to collect payment from credit card transactions. (Doc.
37-1 at 29.)
After reviewing the record, the Court agrees with Chang’s. The evidence shows
- 12 -
1
that Chang’s experienced a Fraudulent Access during the data breach and that its ability
2
to perform its regular business activities would be potentially impaired if it did not
3
immediately pay the Case Management Fee imposed by BAMS. And, this Case
4
Management Fee qualifies as an Extra Expense as contemplated by the Policy.
5
However, Federal argues that Chang’s did not incur this Loss during the Period of
6
Recovery of Services because it did not pay the Case Management Fee until April 15,
7
2015, nearly one year after it discovered the data breach. (Doc. 22 at 11.) Federal argues
8
that because Chang’s paid the Case Management Fee when it did, it falls outside the
9
Period of Recovery of Services, which “begins: . . . immediately after the actual or
10
potential impairment or denial of Operations occurs; and will continue until the earlier
11
of . . . the date Operations are restored, . . . to the condition that would have existed had
12
there been no impairment or denial; or sixty (60) days after the date an Insured’s
13
Services are fully restored. . . to the level that would have existed had there been no
14
impairment or denial.” (Doc. 8-1.) In response, Chang’s contends that its business
15
activities are still not fully restored and that it continues to take steps to remedy the data
16
breach; thus, the Period of Recovery of Services is ongoing. (Doc. 36 at 11.) Because
17
18
19
20
21
22
23
24
25
26
27
28
this is an issue of fact, the Court is unable to resolve it on Summary Judgment.
Accordingly, the Court cannot determine as a matter of law whether the Policy provides
coverage for the Case Management Fee under Insuring Clause D.2.
D. Exclusions D.3.b. and B.2. and Loss Definition
Federal also argues that Exclusions D.3.b. and B.2, as well as the definition of
Loss, bar coverage for all of the Assessments. Exclusion D.3.b. provides, “With respect
to all Insuring Clauses, [Federal] shall not be liable for any Loss on account of any
Claim, or for any Expense . . . based upon, arising from or in consequence of any . . .
liability assumed by any Insured under any contract or agreement.” (Doc. 8-1.) Under
Exclusion B.2., “With respect to Insuring Clauses B through H, [Federal] shall not be
liable for. . . any costs or expenses incurred to perform any obligation assumed by, on
behalf of, or with the consent of any Insured.” (Doc. 8-1.) Additionally, and along the
same vein, Loss under Insuring Clause A does not include “any costs or expenses
- 13 -
1
incurred to perform any obligation assumed by, on behalf of, or with the consent of any
2
Insured.” (Id.) Functionally, these exclusions are the same in that they bar coverage for
3
contractual obligations an insured assumes with a third-party outside of the Policy.
4
Federal contends that the assessments for which coverage is sought arise out of
5
liability assumed by Chang’s to BAMS, thus they are excluded from coverage. (Doc. 22
6
at 12.) Federal supports this argument by citing the MSA, wherein Chang’s agreed that
7
“[BAMS] may pass through to [Chang’s] any fees assessed to [BAMS] by the Card
8
Organizations, including but not limited to, new fees, fines, penalties and assessment[s].”
9
(Doc. 23-1.) Federal also looks to the BAMS Letter where BAMS tells Chang’s, “[i]n
10
accordance with your Merchant Agreement you are obligated to reimburse [BAMS] for
11
the . . . assessments.” (Doc. 23-8.)
12
Chang’s counters, offering a series of arguments why these exceptions are
13
inapplicable in the present case. First, Chang’s argues that such exclusions do not apply if
14
“the insured is the one who is solely responsible for the injury,” (citing 63 A.L.R.2d 1122
15
A.3d § 2[a]), or, in other words, the exclusions do not apply to obligations the insured is
16
responsible for absent any assumption of liability. (Doc. 36 at 12) (citing Homeowners
17
18
19
20
21
22
23
24
25
26
27
28
Mgmt. Enterp., Inc. v. Mid-Continent Cas. Co., 294 Fed.Appx. 814 821 (5th Cir. 2008)
and Victoria’s Secret Stores, Inc. v. Epstein Contracting, Inc., 2002 WL 723215, *4-5
(Ohio App. April 25, 2002). Chang’s argues that under the principal of equitable
subrogation, it is compelled by “justice and good conscience,” and not contractual
liability, to compensate BAMS for the assessments. (Doc. 36 at 12) (citing Sourcecorp.,
Inc. v. Norcutt, 227 Ariz. 463, 466-67, 258 P.3d 281, 284-85 (App. 2011)). Chang’s
argues this is an exception recognized in the law to contractual liability exclusions of this
nature. (Id.) Additionally, Chang’s argues that its “responsibility for the Loss is the
functional equivalent of compensating for damages suffered by victims of Privacy Injury,
regardless of the MSA.” (Doc. 36 at 12.) Under this argument, Chang’s states that it
could be liable under a variety of theories, including: negligence or particular statutes,
such as A.R.S. § 44-7803, which places responsibility for fraudulent credit card transfers
on merchants as opposed to credit card companies. (Id. at 12-13.) The Court is
- 14 -
1
unconvinced by these arguments.
2
The Court finds that both Exclusions D.3.b. and B.2. as well as the definition of
3
Loss bar coverage. In reaching this decision, the Court turned to cases analyzing
4
commercial general liability insurance policies for guidance, because cybersecurity
5
insurance policies are relatively new to the market but the fundamental principles are the
6
same. Arizona courts, as well as those across the nation, hold that such contractual
7
liability exclusions apply to “the assumption of another’s liability, such as an agreement
8
to indemnify or hold another harmless.” Desert Mountain Properties Ltd. P’ship v.
9
Liberty Mut. Fire Ins. Co., 225 Ariz. 194, 205, 236 P.3d 421, 432 (App. 2010), aff’d, 226
10
Ariz. 419, 250 P.3d 196 (2011) (citing Smithway Motor Xpress, Inc. v. Liberty Mut. Ins.
11
Co., 484 N.W.2d 192, 196 (Iowa 1992); see also, Gibbs M. Smith, Inc. v. U.S. Fid. &
12
Guar. Co., 949 P.2d 337, 341 (Utah 1997); Lennar Corp. v. Great Am. Ins. Co., 200
13
S.W.3d 651, 693 (Tex. App. 2006).
14
Chang’s agreement with BAMS meets this criteria and thus triggers the
15
exclusions. In no less than three places in the MSA does Chang’s agree to reimburse or
16
compensate BAMS for any “fees,” “fines,” “penalties,” or “assessments” imposed on
17
18
19
20
21
22
23
24
25
26
27
28
BAMS by the Associations, or, in other words, indemnify BAMS. (See Doc. 23-2 at 9,
18.) More specifically, Section 13.5 of the Addendum to the MSA reads: “[Chang’s]
agrees to pay [BAMS] any fines, fees, or penalties imposed on [BAMS] by any
Associations, resulting from Chargebacks and any other fines, fees or penalties imposed
by an Association with respect to acts or omissions of [Chang’s].” (Id. at 9.) Furthermore,
the Court is unable to find and Chang’s does not direct the Court’s attention to any
evidence in the record indicating that Chang’s would have been liable for these
Assessments absent its agreement with BAMS. While such an exception to an exclusion
of this nature may exist in the law, it is not applicable here. Accordingly, the Court must
find that the above referenced exclusions bar coverage for all three Assessments claimed
by Chang’s.
In reaching this conclusion, the Court has followed the dictate that “exclusionary
clauses are interpreted narrowly against the insurer.” Scottsdale Ins. Co., 158 Ariz. at
- 15 -
1
479, 763 P.2d at 543. Yet, even while looking through this deferential lens, the Court is
2
unable to reach an alternative conclusion. Simply put, these exclusions unequivocally bar
3
coverage for the Assessments, including the ADC Operational Reimbursement that the
4
Court said coverage existed for under Insuring Clause B.
5
E. Reasonable Expectation Doctrine
6
Finally, the Court turns to Chang’s claim that in addition to coverage being proper
7
under the Policy, coverage also exists pursuant to the reasonable expectation doctrine.
8
(Doc. 36 at 14.) The doctrine applies only if two predicate conditions are present. First,
9
the insured’s “expectation of coverage must be objectively reasonable.” Millar, 167 Ariz.
10
at 97, 804 P.2d at 826. Second, the insurer “must have had reason to believe that the
11
[insured] would not have purchased the . . . policy if they had known that it included” the
12
complained of provision. Grabowski, 214 Ariz. at 193-94, 150 P.3d at 280-81. Chang’s
13
bears the burden of proving the applicability of the reasonable expectation doctrine. Id.
14
Thus, the starting point for the reasonable expectations analysis is “to determine
15
what expectations have been induced.” Darner, 140 Ariz. at 390, 682 P.2d at 395.
16
Chang’s states that the “dickered deal was for protection against losses resulting from
17
18
19
20
21
22
23
24
25
26
27
28
[sic] a security compromise.” (Doc. 36 at 15.) By this, Chang’s means any and all fees
and losses that flowed from the data breach, including the Assessments. Chang’s directs
the Court’s attention to the deposition of Leah Montgomery, Federal’s approving
underwriter who renewed the Policy that was in effect at the time of the data breach.
There, the evidence shows that when Federal issued the Policy it understood the realities
associated with processing credit card transactions. (See Doc. 37-1.) Federal knew that all
of Chang’s credit card transactions were processed by a Servicer, such as BAMS, and the
particular risks associated with credit card transactions. (Id. at 27, 85.) Federal also knew
that Chang’s, a member of the hospitality industry with a high volume of annual credit
card transactions, was a higher risk entity and therefore paid a significant annual
premium of $134,052.00. (Id. at 29, 75, 126.) Federal was also aware that issuers will
calculate Fraud Recovery and Operational Reimbursement Assessments against
merchants in an effort to recoup losses suffered by security breaches. (Id. at 87-91.)
- 16 -
1
Furthermore, Chang’s also shows that Chubb markets the cyber security insurance policy
2
as one that “address[es] the full breadth of risks associate with doing business in today’s
3
technology-dependent world” and that the policy “Covers direct loss, legal liability, and
4
consequential loss resulting from cyber security breaches.” (Doc. 37-7.)
5
Chang’s then argues that based on all of the above, it possessed the expectation
6
that coverage existed under the Policy for the assessments. But this is a non sequitur
7
conclusion unsupported by the facts as presented. While Federal is aware of the realities
8
of processing credit card transactions and that Chang’s could very well be liable for
9
Assessments from credit card associations passed through to them by Servicers, this does
10
not prove what Chang’s actual expectations were. Nowhere in the record is the Court able
11
to find supporting evidence that during the underwriting process Chang’s expected that
12
coverage would exist for Assessments following a hypothetical data breach. There is no
13
evidence showing that Chang’s insurance agent, Kelly McCoy, asked Federal’s
14
underwriter if such Assessments would be covered during their correspondence. (See
15
Doc. 37-5.) The cybersecurity policy application and related underwriting files are
16
similarly devoid of any supporting evidence. (See Id.; Doc. 37-6.)
17
18
19
20
21
22
23
24
25
26
27
28
Chang’s merely attempts to cobble together such an expectation after the fact,
when in reality no expectation existed at the time it purchased the Policy. There is no
evidence that Chang’s bargained for coverage for potential Assessments, which it
certainly could have done. Chang’s and Federal are both sophisticated parties well versed
in negotiating contractual claims, leading the Court to believe that they included in the
Policy the terms they intended. See Taylor v. State Farm Mut. Auto. Ins. Co., 175 Ariz.
148, 158, 854 P.2d 1134, 1144 (1993); Tucson Imaging Associates, LLC v. Nw. Hosp.,
LLC, No. 2 CA-CV 2006-0125, 2007 WL 5556997, at *6 (Ariz. Ct. App. July 31, 2007).
Because no expectation existed for this type of coverage, the Court is unable to find that
Chang’s meets its burden of satisfying the first predicate condition, objective
reasonableness, to invoke the reasonable expectation doctrine. This obviates the need to
analyze this issue further. Therefore, the Court finds that coverage likewise does not exist
under the reasonable expectation doctrine.
- 17 -
1
IV. CONCLUSION
2
Accordingly, based on the foregoing reasons,
3
IT IS HEREBY ORDERED GRANTING Defendant Federal Insurance
4
Company’s Motion for Summary Judgment. (Doc. 22.)
5
IT IS FURTHER ORDERED DENYING Plaintiff P.F. Chang’s China Bistro,
6
Inc.’s Unopposed Motion to Modify Case Schedule to Permit the Filing of an Amended
7
Complaint (Doc. 44) as moot.
8
IT IS FURTHER ORDERED DISMISSING Plaintiff P.F. Chang’s China
9
Bistro, Inc.’s complaint with prejudice. The Clerk of Court shall enter judgment in favor
10
11
of Defendant and terminate the case.
Dated this 26th day of May, 2016.
12
13
Honorable Stephen M. McNamee
Senior United States District Judge
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
- 18 -
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
