P.F. Chang's China Bistro Inc. v. Federal Insurance Co.

United States District Court, D. Arizona

May 26, 2016

P.F. Chang's China Bistro, Inc., Plaintiff,
v.
Federal Insurance Company, Defendant.

          ORDER

          Hon. Stephen M. McNamee, Senior United States District Judge

         Pending before the Court is Defendant Federal Insurance Company’s (“Federal”) Motion for Summary Judgment. (Doc. 22.) P.F. Chang’s China Bistro, Inc. (“Chang’s”) has responded and the matter is fully briefed. (Docs. 36, 38.) The Court heard Oral Arguments on the motion on April 19, 2016. (Doc. 41.) In essence, the main issue before the Court is whether coverage exists under the insurance policy between Chang’s and Federal for the credit card association assessments that arose from the data breach Chang’s suffered in 2013. The Court now issues the following ruling.

         I. FACTUAL BACKGROUND[1]

         A. The CyberSecurity Insurance Policy

         Federal sold a CyberSecurity by Chubb Policy (“Policy”) to Chang’s corporate parent, Wok Holdco LLC, with effective dates from January 1, 2014 to January 1, 2015. (Doc. 8-1 at 2.) On its website, Federal marketed the Policy as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” that “[c]overs direct loss, legal liability, and consequential loss resulting from cyber security breaches.” (Doc. 37-7.) Specific provisions of the Policy will be defined and discussed in greater detail below.

         During the underwriting processes, Federal classified Chang’s as a high risk, “PCI Level 1”, client because Chang’s conducts more than 6 million transactions per year. (Docs. 37-1 at 121-22, 37-6.) Further, because of the large number of Chang’s transactions conducted with customer credit cards, Federal noted there was high exposure to potential customer identity theft. (Doc. 37-6.) In 2014, Chang’s paid an annual premium of $134,052.00 for the Policy. (Doc. 37-1 at 126.)

         B. The Master Service Agreement Between Chang’s and BAMS

         Chang’s and other similarly situated merchants are unable to process credit card transactions themselves. Merchants must enter into agreements with third-party “Servicers” or “Acquirers” who facilitate the processing of credit card transactions with the banks who issue the credit cards (“Issuers”), such as Chase or Wells Fargo. Here, Chang’s entered into a Master Service Agreement (“MSA”) with Bank of America Merchant Services (“BAMS”) to process credit card payments made by Chang’s customers. (Doc. 23-2.) Under the MSA, Chang’s delivers its customers’ credit card payment information to BAMS who then settles the transaction through an automated clearinghouse; BAMS then credits Chang’s account for the amount of the payment. (Id.)

         Servicers like BAMS perform their processing obligations pursuant to agreements with the credit card associations (“Associations”), like MasterCard and Visa. (Doc. 24-1.) BAMS’ agreement with MasterCard is governed by the MasterCard Rules, and are incorporated in its MSA with Chang’s. (See Id; Doc. 23-2.) Under the MasterCard Rules, BAMS is obligated to pay certain fees and assessments (“Assessments”) to MasterCard in the event of a data breach or “Account Data Compromise” (“ADC”). (Doc. 24-1 at § 10.2) These Assessments include “Operational Reimbursement” fees and “Fraud Recovery” fees, and they are calculated by formulae set forth in the MasterCard Rules. (Id.)

         Under the MSA, Chang’s agreed to compensate or reimburse BAMS for “fees,” “fines,” “penalties,” or “assessments” imposed on BAMS by the Associations. (See Doc. 23-2 at 9, 18.) Section 13.5 of the Addendum to the MSA reads: “[Chang’s] agrees to pay [BAMS] any fines, fees, or penalties imposed on [BAMS] by any Associations, resulting from Chargebacks and any other fines, fees or penalties imposed by an Association with respect to acts or omissions of [Chang’s].” (Id. at 9.) Section 5 of Schedule A to the Addendum to the MSA provides: “In addition to the interchange rates, [BAMS] may pass through to [Chang’s] any fees assessed to [BAMS] by the [Associations], including but not limited to, new fees, fines, penalties and assessments imposed by the [Associations].” (Id. at 18.)

         C. The Security Compromise

         On June 10, 2014, Chang’s learned that computer hackers had obtained and posted on the Internet approximately 60,000 credit card numbers belonging to its customers (the “security compromise” or “data breach”). (Doc. 25-1.) Chang’s notified Federal of the data breach that very same day. (Id.)

         To date, Federal has reimbursed Chang’s more than $1,700,000 pursuant to the Policy for costs incurred as a result of the security compromise. (Doc. 22 at 9.) Those costs include conducting a forensic investigation into the data breach and the costs of defending litigation filed by customers whose credit card information was stolen, as well as litigation filed by one bank that issued card information that was stolen. (Id.)

         Following the data breach, on March 2, 2015, MasterCard issued an “ADC Operational Reimbursement/Fraud Recovery Final Acquirer Financial Responsibility Report” to BAMS. (Doc. 26-2.) This MasterCard Report imposed three Assessments on BAMS, a Fraud Recovery Assessment of $1,716,798.85, an Operational Reimbursement Assessment of $163,122.72 for Chang’s data breach, and a Case Management Fee of $50,000. (Id.; Doc. 26-3.) The Fraud Recovery Assessment reflects costs, as calculated by MasterCard, associated with fraudulent charges that may have arisen from, or may be related to, the security compromise. (Doc. 1-1 at ¶20.) The Operational Reimbursement Assessment reflects costs to notify cardholders affected by the security compromise and to reissue and deliver payment cards, new account numbers, and security codes to those cardholders. (Id at ¶19) The Case Management Fee is a flat fee and relates to considerations regarding Chang’s compliance with Payment Card Industry Data Security Standards. (Id at ¶18.)

         D. The BAMS Letter

         On March 11, 2015, BAMS sent Chang’s a letter (the “BAMS Letter”) stating:

MasterCard’s investigation concerning the account data compromise event involving [Chang’s] is now complete. [BAMS] has been notified by MasterCard that a case management fee and Account Data Compromise (ADC) Operational Reimbursement and Fraud Recovery (ORFR) are being assessed against [BAMS] as a result of the data compromise. In accordance with your [MSA] you are obligated to reimburse [BAMS] for the following assessments:
• $50,000.00 - Case Management Fee
• $163,122.72 - ADC Operational Reimbursement
• $1,716,798.85 - ADC Fraud ...
