In one of the first published rulings on coverage under a stand-alone "cyber" insurance policy, a federal court in Arizona recently applied old-school coverage analysis to a new-school cybersecurity policy in P.F. Chang's China Bistro v. Federal Insurance Co., No. CV-15-01322-PHX-SMM (D. Ari. May 31, 2016).

P.F. Chang's, an Asian-themed US casual dining restaurant chain, purchased a "CyberSecurity by Chubb" insurance policy. The policy was triggered in June 2014, when hackers stole approximately 60,000 customer credit card numbers from P.F. Chang's computer system. P.F. Chang's incurred investigation and remediation expenses as well as costs defending multiple class action lawsuits, all of which its insurer, Federal Insurance Co. (Federal), paid for. However, when P.F. Chang's sought an additional $2 million to cover fees and assessments its credit card service providers had charged back to it, Federal refused to pay, citing the contractual liability exclusion in its policy.

The US District Court for the District of Arizona found that the policy's "Privacy Injury" module did not apply to the loss, but did find coverage under the "Privacy Notification Expenses" module. However, the court also found that the contractual liability exclusion (found in virtually all commercial forms), barred recovery because PF Chang's had agreed that its credit card acquirer could charge back against it these credit card brand imposed costs and assessments. The court stated that it was relying on precedents applying the same exclusion in standard CGL policies.

P.F. Chang's argued that it "reasonably expected" the policy's broad cyber coverage to apply to these fees and assessments, citing Chubb's advertising material, which promised a "flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today's technology-dependent world." The court rejected this argument in favor of the plain language of the policy.

This case is notable for two reasons. First, it is a reminder that cyber policies, unlike standard CGL and property forms, are still rapidly evolving. thus producing market products and coverages that are inconsistent and varied. Second, precedents applying standard "traditional" form language are still applicable to the same language in the new forms. The more things change, the more they stay the same.

For an in-depth review of cyber coverage products and related court decisions, please refer to our new book, Insurance Coverage for Intellectual Property, Personal and Advertising Injury, Media and Cyber Claims (Lexis 2015).

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.