Your single source for new lessons on legal technology, e-discovery, and the people innovating behind the scenes.

Cybersecurity, Law Firm, Legal Update

P.F. Chang's, Cyberinsurance Law, and the Reasonable Expectation Doctrine

David Horrigan
David Horrigan
June 7, 2016

While enjoying kung pao chicken and Tsingtao beer at a local P.F. Chang’s restaurant, cyberinsurance probably isn’t on your mind.

Maybe it should be.

A June 2014 data breach compromised about 60,000 credit cards of P.F. Chang’s customers, and it provides a primer on cyberinsurance and the Reasonable Expectation Doctrine of insurance law.

That data breach not only resulted in litigation involving P.F. Chang’s and the firm that sold its cyberinsurance; in a May 31 decision, it brought a judicial examination of the doctrine in P.F. Chang’s China Bistro, Inc. v. Federal Ins. Co., No. CV-15-01322 (D. Ariz. May 31, 2016).

Soy Sauce Cyber Protection

P.F. Chang’s China Bistro Inc., a subsidiary of Wok Holdco LLC, owned the P.F. Chang’s chain of restaurants. Founded by Peter Fleming and Philip Chiang, P.F. Chang’s opened its first restaurant in Scottsdale, Arizona in 1993.

By the beginning of 2012, P.F. Chang’s had opened 204 restaurants in 39 states, and the company had a revenue of $1.2 billion. The ubiquitous China bistro seems to be a fixture in almost every hamlet in America.

As part of Chang’s insurance coverage, Wok Holdco purchased a “CyberSecurity by Chubb” insurance policy from Federal Insurance Company for $134,052 annually, covering the company in the event of a cyber loss.

On the day P.F. Chang’s became aware of the June 2014 credit card breach, the company notified Federal of the potential loss, and Federal investigated the claim and paid P.F. Chang’s approximately $1.7 million on its claim for forensic investigations and litigation costs.

As a result of the data breach, MasterCard charged P.F. Chang’s credit card servicer, Bank of America Merchant Services, approximately $1.9 million in various fees and assessments. P.F. Chang’s Master Service Agreement with Bank of America provided for these assessments in the event of a data breach.

In order to comply with the agreement—and to ensure it would continue to be able to process credit card payments—P.F. Chang’s reimbursed Bank of America for the assessments, and it made an insurance claim with Federal for the fees. Federal denied the claim, and P.F. Chang’s sued.

Cyber Suit

In analyzing P.F. Chang’s claim against Federal, Senior U.S. District Judge Stephen McNamee made some observations about insurance law, noting that insurance policies were essentially contracts of adhesion, written by insurance companies, for insurance companies, and drafted to protect them in the event of litigation.

Thus, the court wrote, insurance policy coverage is interpreted broadly in favor of coverage, and policy exclusions are interpreted narrowly against the insurer.

In addition, policies are interpreted so as not to “defeat the reasonable expectations of the insured.”

Under this so-called Reasonable Expectation Doctrine, a contract term is not enforced if one party has reason to believe the other party would not have agreed to a provision had they known it was in the agreement.

A general theory of the doctrine is that language in the contract a party isn’t expected to read shouldn’t override the intent of the parties. In essence, the doctrine holds, the fine print shouldn’t carry the day.

The court in P.F. Chang’s held that, for the Reasonable Expectation Doctrine to apply, two conditions must be met:

  1. The insured’s expectation of coverage must be reasonable, and
  2. The insurer must have had reason to believe the insured would not have purchased the policy had they known of the provision in question.

Before applying these requirements to the facts in P.F. Chang’s, the court examined how the policy itself provided for coverage.

P.F. Chang’s was out of luck.

The court held that, even interpreted broadly, Federal’s position on the actual policy provisions was correct, in part because Bank of America, the entity demanding payment from P.F. Chang’s, did not sustain a privacy injury.

In making this holding, the court rejected P.F. Chang’s argument that such a reading was a “pixel-level review” that reduces coverage “to a mere sliver of what the plain language provides.”

Although the court held other policy sections provided for coverage of the losses, the court held also that—even with a narrow interpretation of policy exclusions—P.F. Chang’s payments to Bank of America for the MasterCard assessments were excluded by the policy provisions.

Reasonable Expectations? 

P.F. Chang’s last hope was that—despite the policy provisions—the court would side with the bistro under the Reasonable Expectations Doctrine.

P.F. Chang’s lost this argument, too.

The restaurant chain argued that discovery evidence indicated Federal knew P.F. Chang’s used a credit card servicer, such as Bank of America Merchant Services, and that Federal knew of the data breach risks—including credit card servicer assessments—when it sold P.F. Chang’s the policy.

P.F. Chang’s also pointed to Federal’s marketing for its cyberinsurance, which said its insurance “covers direct loss, legal liability, and consequential loss resulting from cyber security breaches.”

Despite this discovery evidence, the court held P.F. Chang’s claim failed the test for the Reasonable Expectation Doctrine because there was no evidence the restaurant chain believed it was getting coverage for credit card assessments after a data breach. A big reason for the court’s decision was P.F. Chang’s sophistication as a corporate litigant.

“There is no evidence that Chang’s bargained for coverage for potential Assessments, which it certainly could have done. Chang’s and Federal are both sophisticated parties well versed in negotiating contractual claims, leading the Court to believe that they included in the Policy the terms they intended,” the court wrote.

Why P.F. Chang’s Matters

Cyberinsurance is a hot topic, and it’s a way businesses—and law firms—believe they can control the risks of handling big data. The district court’s holding in P.F. Chang’s provides some important caveats.

First, even though an insurance company markets its products covering “consequential loss resulting from cyber security breaches,” don’t assume every possible consequence is included in that coverage. Insurance companies can—and will—insert policy exclusions, as Federal did here, that may seem to contradict their marketing efforts.

Second, when purchasing cyberinsurance, many businesses may be deemed sophisticated parties, as P.F. Chang’s was here. As the restaurant chain discovered, being a sophisticated party will hurt your chance of prevailing under the Reasonable Expectations Doctrine because the court may assume you have an army of attorneys reviewing your contracts.

Long story short: cyberinsurance may help you deal with the risks of big data, but proceed with caution.

David Horrigan is Relativity’s discovery counsel and legal education director. An attorney, award-winning journalist, law school guest lecturer, and former e-discovery industry analyst, David has served as counsel at the Entertainment Software Association, reporter and assistant editor at The National Law Journal, and analyst and counsel at 451 Research. The author and co-author of law review articles as well as the annual Data Discovery Legal Year in Review, David is a frequent contributor to Legaltech News, and he was First Runner-Up for Best Legal Analysis in the LexBlog Excellence Awards. His articles have appeared also in The American Lawyer, Corporate Counsel, The New York Law Journal, Texas Lawyer, The Washington Examiner, and others, and he has been cited by media, including American Public Media’s Marketplace, TechRepublic, and The Wall Street Journal. David serves on the Global Advisory Board of ACEDS, the Planning Committee of the University of Florida E-Discovery Conference, and the Resource Board of the National Association of Women Judges. David is licensed to practice law in the District of Columbia, and he is an IAPP Certified Information Privacy Professional/US.

Recommended for you

4 Ways to Move e-Discovery Data That You May Not Know About

June 9, 2017

Now in Relativity Analytics: 3 Customer-Driven Enhancements

June 28, 2017

The latest insights, trends, and spotlights — directly to your inbox.

The Relativity Blog covers the latest in legal tech and compliance, professional development topics, and spotlights on the many bright minds in our space. Subscribe today to learn something new, stay ahead of emerging tech, and up-level your career.

Interested in being one of our authors? Learn more about how to contribute to The Relativity Blog.