P.F. Chang’s China Bistro made headlines when it recently reported that 33 of its restaurant locations spanning 18 states suffered a data breach in connection with the restaurant’s point-of-sale payment systems. While the breach was reported in the news media in June of this year, the unlawful access to its systems may have begun months prior to its discovery.
Two putative class action lawsuits were filed in the Northern District of Illinois and a third was filed in the Western District of Washington. These suits allege that personal information of as many as seven million customers may have been stolen as part of the breach.
On notice of these three putative class actions, on October 10, 2014, Travelers Indemnity Company filed a four-count declaratory judgment action in the District Court of Connecticut seeking a declaration that two commercial general liability (CGL) policies issued to P.F. Chang’s in 2013 and 2014 do not afford coverage for the data breach litigation.
Count 1 alleges that the lawsuits do not trigger coverage as they do not allege “bodily injury”, “property damage”, “personal injury”, or “advertising injury” as expressly defined in its CGL policies. Count 2 alleges there is no duty to indemnify as there is no coverage triggered under these policies.
Count 3 alleges that even if the insuring agreement was triggered, Travelers does not owe a duty to defend as coverage is further precluded by exclusions for violation of consumer financial protection laws. The definition of “consumer financial protection law” as used within the Travelers policy exclusions reads, in relevant part, “any…law or regulation that prohibits the collection, dissemination, transmission, distribution or use of ‘consumer financial identity information.’” The Travelers policy further provides the following definition:
“Consumer financial identity information” means any of the following information for a person that is used or collected for the purpose of serving as a factor in establishing such person’s eligibility for personal credit, insurance or employment, or for the purpose of conducting a business transaction:
- Part or all of the account number, the expiration date or the balance of any credit, debit, bank or other financial account;
- Information bearing on a person’s credit worthiness, credit standing or credit capacity;
- Social security number;
- Drivers’ license number;
- Birth date.
Travelers alleges in Count 4 that the exclusions also preclude any duty to indemnify P.F. Chang’s in the pending suits.
Finally, Travelers claims that its policies contain a Liability Self-Funded Retentions Endorsement which provides a $250,000 self-funded retention applicable to each CGL Incident. Travelers alleges that regardless of whether coverage is owed under its CGL policies, it does not owe any defense obligation as this endorsement requires P.F. Chang’s to exhaust the first $250,000 in legal expenses.
Importantly, Travelers emphasizes in its law suit that P.F. Chang’s has cyber liability insurance coverage through a separate carrier on a cyber-policy and, as such, will have cover for the class-actions in any event.
Earlier this year, a New York court ruled that Sony’s CGL insurers had no coverage obligations related to the Play Station breach. As there are multiple cyber insurance products available to companies, CGL insurers will continue to pursue coverage defenses for data breach claims.