P.F. Chang’s restaurant chain suffered a cyber breach in which about 60,000 credit cards were stolen. The breach affected only 33 of the company’s approximately 400 restaurants, so it could have been much worse, even though it lasted 8 months.
Still, the restaurant chain spent about $1.7 million recovering from the breach. If the breach had hit all of their locations at the same rate, that number might have been around $20 million. This is still small compared to, say, Target.
Chang’s had purchased cyber breach insurance from Federal Insurance, a unit of the insurance giant Chubb, just in case of an event such as this. But as I have said in the past, cyber breach insurance is not a standard form policy, and as a result you don’t always get what you expect. This is why we recommend conducting a cyber insurance assessment.
As the story moved forward, Bank of America, their credit card processor, fined P.F. Chang’s $1.9 million to cover the costs of reissuing cards and the associated fraud losses. Notice that this number is greater than all of the other expenses that P.F. Chang’s had from the breach.
P.F. Chang’s paid B of A and then asked Federal Insurance to reimburse them. Federal said no, and ultimately Chang’s sued Federal.
This month a verdict in that suit came in and it validates my comment that you don’t always get what you expect.
There were some interesting twists and turns in the trial.
First, Federal said that there was no coverage because Bank of America suffered the loss, not Chang’s, even though Chang’s was contractually required to reimburse B of A.
Then Chang’s said it should be covered under the privacy notification clause. This seems a bit strange to me, and the answer from the court was no.
Next Chang’s said it should be covered under the business interruption clause. This usually covers extra expenses you have to pay as a result of a covered event. Again, the court said no.
Ultimately, it boiled down to the fact that Chang’s did not have PCI DSS coverage in their policy. Whether they understood that at the time the policy was written or not is unclear. Whether their broker understood that or not is unclear. Whether Federal Insurance understood that and figured it was a great way to limit their liability in case of a breach is unclear.
What IS clear is that P.F. Chang’s gets to cover that check out of their pocket.
While they will not go broke over this, it is a great lesson for others to make sure that they understand what they are getting. A $1.9 million assessment for a breach of only 60,000 cards could sink a lot of companies, and 60,000 cards is not a large breach.
This is only one example of how you can go wrong when it comes to buying cyber insurance. The first step is to understand what coverage you need to have. The second step is to make sure that your policy actually provides that coverage. Outside help may be required in both cases.