Opinion
No. CV-15-01322-PHX-SMM
05-26-2016
P.F. Chang's China Bistro, Inc., Plaintiff, v. Federal Insurance Company, Defendant.
ORDER
Pending before the Court is Defendant Federal Insurance Company's ("Federal") Motion for Summary Judgment. (Doc. 22.) P.F. Chang's China Bistro, Inc. ("Chang's") has responded and the matter is fully briefed. (Docs. 36, 38.) The Court heard Oral Arguments on the motion on April 19, 2016. (Doc. 41.) In essence, the main issue before the Court is whether coverage exists under the insurance policy between Chang's and Federal for the credit card association assessments that arose from the data breach Chang's suffered in 2013. The Court now issues following ruling. I. FACTUAL BACKGROUND
The facts are undisputed unless indicated otherwise
A. The CyberSecurity Insurance Policy
Federal sold a CyberSecurity by Chubb Policy ("Policy") to Chang's corporate parent, Wok Holdco LLC, with effective dates from January 1, 2014 to January 1, 2015. (Doc. 8-1 at 2.) On its website, Federal marketed the Policy as "a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today's technology-dependent world" that "[c]overs direct loss, legal liability, and consequential loss resulting from cyber security breaches." (Doc. 37-7.) Specific provisions of the Policy will be defined and discussed in greater detail below.
During the underwriting processes, Federal classified Chang's as a high risk, "PCI Level 1", client because Chang's conducts more than 6 million transactions per year. (Docs. 37-1 at 121-22, 37-6.) Further, because of the large number of Chang's transactions conducted with customer credit cards, Federal noted there was high exposure to potential customer identity theft. (Doc. 37-6.) In 2014, Chang's paid an annual premium of $134,052.00 for the Policy. (Doc. 37-1 at 126.)
B. The Master Service Agreement Between Chang's and BAMS
Chang's and other similarly situated merchants are unable to process credit card transactions themselves. Merchants must enter into agreements with third-party "Servicers" or "Acquirers" who facilitate the processing of credit card transactions with the banks who issue the credit cards ("Issuers"), such as Chase or Wells Fargo. Here, Chang's entered into a Master Service Agreement ("MSA") with Bank of America Merchant Services ("BAMS") to process credit card payments made by Chang's customers. (Doc. 23-2.) Under the MSA, Chang's delivers its customers' credit card payment information to BAMS who then settles the transaction through an automated clearinghouse; BAMS then credits Chang's account for the amount of the payment. (Id.)
Servicers like BAMS perform their processing obligations pursuant to agreements with the credit card associations ("Associations"), like MasterCard and Visa. (Doc. 24-1.) BAMS' agreement with MasterCard is governed by the MasterCard Rules, and are incorporated in its MSA with Chang's. (See Id; Doc. 23-2.) Under the MasterCard Rules, BAMS is obligated to pay certain fees and assessments ("Assessments") to MasterCard in the event of a data breach or "Account Data Compromise" ("ADC"). (Doc. 24-1 at § 10.2) These Assessments include "Operational Reimbursement" fees and "Fraud Recovery" fees, and they are calculated by formulae set forth in the MasterCard Rules. (Id.)
Under the MSA, Chang's agreed to compensate or reimburse BAMS for "fees," "fines," "penalties," or "assessments" imposed on BAMS by the Associations. (See Doc. 23-2 at 9, 18.) Section 13.5 of the Addendum to the MSA reads: "[Chang's] agrees to pay [BAMS] any fines, fees, or penalties imposed on [BAMS] by any Associations, resulting from Chargebacks and any other fines, fees or penalties imposed by an Association with respect to acts or omissions of [Chang's]." (Id. at 9.) Section 5 of Schedule A to the Addendum to the MSA provides: "In addition to the interchange rates, [BAMS] may pass through to [Chang's] any fees assessed to [BAMS] by the [Associations], including but not limited to, new fees, fines, penalties and assessments imposed by the [Associations]." (Id. at 18.)
C. The Security Compromise
On June 10, 2014, Chang's learned that computer hackers had obtained and posted on the Internet approximately 60,000 credit card numbers belonging to its customers (the "security compromise" or "data breach"). (Doc. 25-1.) Chang's notified Federal of the data breach that very same day. (Id.)
To date, Federal has reimbursed Chang's more than $1,700,000 pursuant to the Policy for costs incurred as a result of the security compromise. (Doc. 22 at 9.) Those costs include conducting a forensic investigation into the data breach and the costs of defending litigation filed by customers whose credit card information was stolen, as well as litigation filed by one bank that issued card information that was stolen. (Id.)
Following the data breach, on March 2, 2015, MasterCard issued an "ADC Operational Reimbursement/Fraud Recovery Final Acquirer Financial Responsibility Report" to BAMS. (Doc. 26-2.) This MasterCard Report imposed three Assessments on BAMS, a Fraud Recovery Assessment of $1,716,798.85, an Operational Reimbursement Assessment of $163,122.72 for Chang's data breach, and a Case Management Fee of $50,000. (Id.; Doc. 26-3.) The Fraud Recovery Assessment reflects costs, as calculated by MasterCard, associated with fraudulent charges that may have arisen from, or may be related to, the security compromise. (Doc. 1-1 at ¶20.) The Operational Reimbursement Assessment reflects costs to notify cardholders affected by the security compromise and to reissue and deliver payment cards, new account numbers, and security codes to those cardholders. (Id. at ¶19) The Case Management Fee is a flat fee and relates to considerations regarding Chang's compliance with Payment Card Industry Data Security Standards. (Id. at ¶18.)
D. The BAMS Letter
On March 11, 2015, BAMS sent Chang's a letter (the "BAMS Letter") stating:
MasterCard's investigation concerning the account data compromise event involving [Chang's] is now complete. [BAMS] has been notified by MasterCard that a case management fee and Account Data Compromise (ADC) Operational Reimbursement and Fraud Recovery (ORFR) are being assessed against [BAMS] as a result of the data compromise. In accordance with your [MSA] you are obligated to reimburse [BAMS] for the following assessments:
(Doc. 26-3.) Chang's notified Federal of the BAMS Letter on March 19, 2015 and sought coverage for the Assessments. (Doc. 26-4.) Pursuant to the MSA, and in order to continue operations and not lose its ability to process credit card transactions, Chang's reimbursed BAMS for the Assessments on April 15, 2015. (Doc. 1-1 at ¶24.) Federal denied coverage for the Assessments and Chang's subsequently filed this lawsuit.• $ 50,000.00 - Case Management Fee
• $ 163,122.72 - ADC Operational Reimbursement
• $1,716,798.85 - ADC Fraud Recovery
$1,929,921.57
This total is separate from and does not include the $1.7 million Federal has already paid Chang's under the Policy.
II. STANDARD OF REVIEW
"The court shall grant summary judgment if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." Fed.R.Civ.P. 56(a). "The substantive law determines which facts are material; only disputes over facts that might affect the outcome of the suit under the governing law properly preclude the entry of summary judgment." Nat'l Ass'n of Optometrists & Opticians v. Harris, 682 F.3d 1144, 1147 (9th Cir. 2012) (citing Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986)). To prove the absence of a genuine dispute, the moving party must demonstrate that "the evidence is such that [no] reasonable jury could return a verdict for the nonmoving party." Liberty Lobby, 477 U.S. at 248. In determining whether a party has met its burden, a court views the evidence in the light most favorable to the non-moving party and draws all reasonable inferences in the non-moving party's favor. Liberty Lobby, 477 U.S. at 255. While a court may consider only admissible evidence in ruling on a motion for summary judgment, the focus is not "on the admissibility of the evidence's form," but "on the admissibility of its contents." Fraser v. Goodale, 342 F.3d 1032, 1036-37 (9th Cir.2003).
Federal courts sitting in diversity apply the forum state's choice of law rules to determine controlling substantive law. Klaxon Co. v. Stentor Elec. Mfg. Co. Inc., 313 U.S. 487, 496 (1941). Arizona adheres to Restatement (Second) of Conflict of Laws § 193 (1971), which states that insurance contracts are generally governed "by the local law of the state which the parties understood was to be the principal location of the insured risk during the term of the policy." Beckler v. State Farm Mut. Auto. Ins. Co., 195 Ariz. 282, 286, 987 P.2d 768, 772 (App. 1999). Since the principal location of the insured was in Arizona and the insurance agreement was entered into in Arizona, Arizona law governs the enforcement of the Policy.
"The traditional view of the law of contracts is that a written agreement adopted by the parties will be viewed as an integrated contract which binds those parties to the terms expressed within the four corners of the agreement." Darner Motor Sales, Inc. v. Universal Underwriters Ins. Co., 140 Ariz. 383, 390, 682 P.2d 388, 395 (1984). However, "the usual insurance policy is a special kind of contract," id., in part because it is not "arrived at by negotiation between the parties," Zuckerman v. Transamerica Ins. Co., 133 Ariz. 139, 144, 650 P.2d 441, 446 (1982). Instead, "[i]t is largely adhesive; some terms are bargained for, but most terms consist of boilerplate, not bargained for, neither read nor understood by the buyer, and often not even fully understood by the selling agent." Darner, 140 Ariz. at 391, 682 P.2d at 396. Moreover, "[t]he adhesive terms generally are self-protective; their major purpose and effect often is to ensure that the drafting party will prevail if a dispute goes to court." Gordinier v. Aetna Cas. & Sur. Co., 154 Ariz. 266, 271, 742 P.2d 277, 282 (1987). Accordingly, "special contract rules should apply." Id.
Interpretation of insurance policies is a question of law. Sparks v. Republic Nat. Life Ins. Co., 132 Ariz. 529, 534, 647 P.2d 1127, 1132 (1982). "Provisions of insurance policies are to be construed in a manner according to their plain and ordinary meaning," id., but if a clause is reasonably susceptible to different interpretations given the facts of the case, the clause is to be construed "by examining the language of the clause, public policy considerations, and the purpose of the transaction as a whole," State Farm Mut. Auto. Ins. Co. v. Wilson, 162 Ariz. 251, 257, 782 P.2d 727, 733 (1989). "[T]he general rule is that while coverage clauses are interpreted broadly so as to afford maximum coverage to the insured, exclusionary clauses are interpreted narrowly against the insurer." Scottsdale Ins. Co. v. Van Nguyen, 158 Ariz. 476, 479, 763 P.2d 540, 543 (App. 1988).
Furthermore, "the policy may not be interpreted so as to defeat the reasonable expectations of the insured." Samsel v. Allstate Ins. Co., 204 Ariz. 1, 4, 59 P.3d 281, 284 (2002). "Under this doctrine, a contract term is not enforced if one party has reason to believe that the other would not have assented to the contract if it had known of that term." First Am. Title Ins. Co. v. Action Acquisitions, LLC, 218 Ariz. 394, 400, 187 P.3d 1107, 1113 (2008); accord Averett v. Farmers Ins. Co., 177 Ariz. 531, 533, 869 P.2d 505, 507 (1994) (quoting Gordinier, 154 Ariz. at 272, 742 P.2d at 283); Darner, 140 Ariz. at 392, 682 P.2d at 397. "One of the basic principles which underlies [the doctrine] is simply that the language in the portion of the instrument that the customer is not ordinarily expected to read or understand ought not to be allowed to contradict the bargain made by the parties." Averett, 177 Ariz. at 533, 869 P.2d at 507 (quoting State Farm Mut. Auto. Ins. Co. v. Bogart, 149 Ariz. 145, 151, 717 P.2d 449, 455 (1986), superseded by statute on other grounds as recognized in Consolidated Enters., Inc. v. Schwindt, 172 Ariz. 35, 38, 833 P.2d 706, 709 (1992)).
The insured bears the burden of proving the applicability of the reasonable expectations doctrine at trial. State Farm Fire & Cas. In. Co. v. Grabowski, 214 Ariz. 188, 190, 150 P.3d 275, 277 (App. 2007). The doctrine applies only if two predicate conditions are present. First, the insured's "expectation of coverage must be objectively reasonable." Millar v. State Farm Fire and Cas. Co., 167 Ariz. 93, 97, 804 P.2d 822, 826 (App. 1990). Second, the insurer "must have had a reason to believe that the [insured] would not have purchased the . . . policy if they had known that it included" the complained of provision. Grabowski, 214 Ariz. at 193-94, 150 P.3d at 280-81. Provided both of these conditions are satisfied, "Arizona courts will not enforce even unambiguous boilerplate terms in standardized insurance contracts in a limited variety of situations." Gordinier, 154 Ariz. at 272, 742 P.2d at 283.
Finally, insurers expressly obligate themselves to defend their insureds against any claim of liability potentially covered by the policy. Ariz. Prop. & Cas. Ins. Guar. Fund v. Helme, 153 Ariz. 129, 137, 735 P.2d 451, 459 (1987); United Servs. Auto. Ass'n v. Morris, 154 Ariz. 113, 118, 741 P.2d 246, 250 (1987). The duty to defend is triggered if the complaint "alleges facts which come within the coverage of the liability policy. . ., but if the alleged facts fail to bring the case within the policy coverage, the insurer is free of such obligation." Kepner v. Western Fire Ins. Co., 109 Ariz. 329, 331, 509 P.2d 222, 224 (1973) (quoting C.T. Drechsler, Annotation, Allegations in Third Person's Action Against Insured as Determining Liability Insurer's Duty to Defend, 50 A.L.R.2d 458 § 3, at 464 (1956)). Indeed, an insurer rightfully refuses to defend only if the facts, including those outside the complaint, indisputably foreclose the possibility of coverage. See Kepner, 109 Ariz. at 331, 509 P.2d at 224. "If the insurer refuses to defend and awaits the determination of its obligation in a subsequent proceeding, it acts at its peril, and if it guesses wrong it must bear the consequences of its breach of contract." Id. at 332, 509 P.2d at 225 ///
III. ANALYSIS
In its Complaint, Chang's alleges that the Policy's Insuring Clauses cover each assessment from the BAMS Letter. Specifically, Chang's claims that Insuring Clause A covers ADC Fraud Recovery Assessment, Insuring Clause B covers the ADC Operational Reimbursement Assessment, and Insuring Clause D.2 covers the Case Management Fee. (Doc. 1-1.) Federal summarily argues that the BAMS Letter and the Assessments set forth therein do not fall within the coverage provided by any of the Policy's Insuring Clauses. (Doc. 22 at 7.) Additionally, Federal contends that certain exclusions contained in the Policy bar coverage. (Id. at 11-16) The Court will analyze each Policy provision and exclusion in turn. Then the Court will turn to Chang's final argument that coverage is proper under the reasonable expectation doctrine.
A. Insuring Clause A.
Insuring Clause A provides that, "[Federal] shall pay for Loss on behalf of an Insured on account of any Claim first made against such Insured . . . for Injury." (Doc. 8-1.) In relevant part, Claim means "a written request for monetary damages . . . against an Insured for an Injury." (Id.) Under the Policy, Injury is a broad term encompassing many types of injuries, including Privacy Injury. (Id.) Privacy Injury "means injury sustained or allegedly sustained by a Person because of actual or potential unauthorized access to such Person's Record, or exceeding access to such Person's Record." (Id.) Person is a natural person or an organization. (Id.) Relevant to this discussion, Record includes "any information concerning a natural person that is defined as: (i) private personal information; (ii) personally identifiable information . . . pursuant to any federal, state . . . statute or regulation, . . . where such information is held by an Insured Organization or on the Insured Organization's behalf by a Third Party Service Provider" or "an organization's non-public information that is. . . in an Insured's or Third Party Service Provider's care, custody, or control." (Id.) "Third Party Service Provider means an entity that performs the following services for, or on behalf of, an Insured Organization pursuant to a written agreement: (A) processing, holding or storing information; (B) providing data backup, data storage or data processing services." (Id.)
Terms in bold are defined in the Policy.
Federal argues that Insuring Clause A is inapplicable because BAMS, itself, did not sustain a Privacy Injury because it was not its Records that were compromised during the data breach. (Doc. 22 at 8.) Federal therefore contends that BAMS is not even in a position to assert a valid Privacy Injury Claim.
Conversely, Chang's argues that it was the Issuers who suffered a Privacy Injury because it was their Records, constituting private accounts and financial information, which were compromised in the data breach. (Doc. 36 at 6.) Chang's argument is premised upon the idea that it is immaterial that this Injury first passed through BAMS before BAMS in turn charged Chang's, because this was done pursuant to industry standards and Chang's payment to BAMS was functionally equivalent to compensating the Issuers. (See Id.) Basically, Chang's argues that because a Privacy Injury exists and was levied against it, regardless of who suffered it, the Injury is covered under the Policy. (Id.)
Chang's bolsters this argument by analogizing it to subrogation in other insurance contexts, which Federal misinterprets as the crux of Chang's argument. In reaching its decision, the Court gave appropriate weight to Chang's analogy, but does not believe this matter is governed by any subrogation legal rules.
Although the Court is expected to broadly interpret coverage clauses so as to provide maximum coverage for an insured, a plain reading of the policy leads the Court to the conclusion that Insuring Clause A does not provide coverage for the ADC Fraud Recovery Assessment. Scottsdale Ins. Co., 158 Ariz. at 479, 763 P.2d at 543. The Court agrees with Federal; BAMS did not sustain a Privacy Injury itself, and therefore cannot maintain a valid Claim for Injury against Chang's. The definition of Privacy Injury requires an "actual or potential unauthorized access to such Person's Record, or exceeding access to such Person's Record." (Doc. 8-1) (emphasis added). The usage of the word "such" means that only the Person whose Record is actually or potentially accessed without authorization suffers a Privacy Injury. Here, because the customers' information that was the subject of the data breach was not part of BAMS' Record, but rather the Record of the issuing banks, BAMS did not sustain a Privacy Injury. Thus, BAMS did not make a valid Claim of the type covered under Insuring Clause A against Chang's.
BAMS also did not sustain any other type of Injury as defined under the Policy. --------
Contrary to Chang's assertion, this interpretation is not a "pixel-level view" that "reduce[s] coverage to a mere sliver of what the plain language provides." (Doc. 36 at 9.) Rather, this is the only result that can be derived from the Policy. It is also worth noting that Federal is not outright denying coverage in its entirety. Federal has reimbursed Chang's nearly $1.7 million for valid claims brought by injured customers and Issuers. As will be addressed more fully below, if Chang's, who is a sophisticated party, wanted coverage for this Assessment, it could have bargained for that coverage. However, as is, coverage does not exist under the Policy for the ADC Fraud Recovery Assessment under Insuring Clause A.
B. Insuring Clause B.
Insuring Clause B provides that "[Federal] shall pay Privacy Notification Expenses incurred by an Insured resulting from [Privacy] Injury." (Doc. 8-1.) The Policy defines Privacy Notification Expenses as "the reasonable and necessary cost[s] of notifying those Persons who may be directly affected by the potential or actual unauthorized access of a Record, and changing such Person's account numbers, other identification numbers and security codes. . ." (Id.) Chang's alleges that the ADC Operational Reimbursement fee is a Privacy Notification Expense because it compensates Issuers for the cost of reissuing bankcards and new account numbers and security codes to Chang's customers. (Docs. 1-1, 36 at 8.)
In its motion, Federal uses similar argumentation it employed for Insuring Clause A. Federal contends that The ADC Operational Recovery fee was not personally incurred by Chang's, but rather was incurred by BAMS. (Doc. 22 at 10.) Also, Federal argues that the ADC Operational Recovery fee does not qualify as Privacy Notification Expenses because there is no evidence that the fee was used to "notify[] those Persons who may be directly affected by the potential or actual unauthorized access of a Record, and changing such Person's account numbers, other identification numbers and security codes." (Id.)
Chang's counters, stating that Federal's interpretation of "incur" is too narrow, as the Arizona Supreme Court held that an insured "incurs" an expense when the insured becomes liable for the expense, "even if the expenses in question were paid by or even required by law to be paid by other sources." (Doc. 36 at 8 (citing Samsel, 204 Ariz. at 4-11, 59 P.3d at 284-91)).
The Court agrees with Chang's. Although the ADC Operational Reimbursement fee was originally incurred by BAMS, Chang's is liable for it pursuant to its MSA with BAMS.
In response to Federal's argument that there is no evidence that the ADC Operational Reimbursement fee was used to compensate Issuers for the costs of notifying about the security compromise and reissuing credit cards to Chang's customers, Chang's argues that MasterCard's Security Rules clearly state that the ADC Operational Reimbursement fee is used for that purpose. (Docs. 36 at 8, 24-1 at 84-88.) Federal does not direct the Court's attention to and the Court is unable to find any evidence in the record where the ADC Operational Reimbursement fee was used for any other purpose. The evidence shows that MasterCard performed an investigation into the Chang's data breach and determined Assessments pursuant to the MasterCard Rules. MasterCard then furnished a Report to BAMS levying the ADC Operational Reimbursement fee against BAMS, which it paid and then imposed the Assessment upon Chang's. (Doc. 26-3.) The Court does not find this to be a question of fact more suitable for a jury, but rather can find as a matter of law that coverage exists for the ADC Operational Reimbursement under Insuring Clause B. However, this finding is subject to the Court's analysis of the Policy's exclusions discussed below.
C. Insuring Clause D.2.
Under Insuring Clause D.2., "[Federal] shall pay: . . . Extra Expenses an Insured incurs during the Period of Recovery of Services due to the actual or potential impairment or denial of Operations resulting directly from Fraudulent Access or Transmission." (Doc. 8-1.) Extra Expenses include "reasonable expenses an Insured incurs in an attempt to continue Operations that are over and above the expenses such Insured would have normally incurred. Extra Expenses do not include any costs of updating, upgrading or remediation of an Insured's System that are not otherwise covered under [the] Policy." (Id.) In the context of Extra Expenses, Period of Recovery of Services "begins: . . . immediately after the actual or potential impairment or denial of Operations occurs; and will continue until the earlier of . . . the date Operations are restored, . . . to the condition that would have existed had there been no impairment or denial; or sixty (60) days after the date an Insured's Services are fully restored. . . to the level that would have existed had there been no impairment or denial." (Id.) Operations are an Insured's business activities, while Services are "computer time, data processing, or storage functions or other uses of an Insured's System." (Id.) Fraudulent Access or Transmission occurs when "a person has: fraudulently accessed an Insured's System without authorization; Exceeded Authorized Access; or launched a Cyber-attack into an Insured's System." (Id.)
Federal claims that Insuring Clause D.2. does not cover the Case Management Fee because Chang's has not submitted any evidence that the data breach caused "actual or potential impairment or denial" of business activities. (Doc. 22 at 11.) Chang's response states that the evidence clearly shows that its ability to operate was impaired because BAMS would have terminated the MSA and eliminated Chang's ability to process credit card transactions if it did not pay BAMS pursuant to the BAMS Letter. (Docs. 36 at 10, 23-2.) The MSA provides that Chang's is not permitted to use another servicer while contracting with BAMS for its services. (Doc. 23-2 at 3.) Furthermore, in her deposition, the approving underwriter for Federal, Leah Montgomery, states that she knew Chang's transacted much of its business through credit card payments and that Chang's would be adversely affected if it was unable to collect payment from credit card transactions. (Doc. 37-1 at 29.)
After reviewing the record, the Court agrees with Chang's. The evidence shows that Chang's experienced a Fraudulent Access during the data breach and that its ability to perform its regular business activities would be potentially impaired if it did not immediately pay the Case Management Fee imposed by BAMS. And, this Case Management Fee qualifies as an Extra Expense as contemplated by the Policy.
However, Federal argues that Chang's did not incur this Loss during the Period of Recovery of Services because it did not pay the Case Management Fee until April 15, 2015, nearly one year after it discovered the data breach. (Doc. 22 at 11.) Federal argues that because Chang's paid the Case Management Fee when it did, it falls outside the Period of Recovery of Services, which "begins: . . . immediately after the actual or potential impairment or denial of Operations occurs; and will continue until the earlier of . . . the date Operations are restored, . . . to the condition that would have existed had there been no impairment or denial; or sixty (60) days after the date an Insured's Services are fully restored. . . to the level that would have existed had there been no impairment or denial." (Doc. 8-1.) In response, Chang's contends that its business activities are still not fully restored and that it continues to take steps to remedy the data breach; thus, the Period of Recovery of Services is ongoing. (Doc. 36 at 11.) Because this is an issue of fact, the Court is unable to resolve it on Summary Judgment. Accordingly, the Court cannot determine as a matter of law whether the Policy provides coverage for the Case Management Fee under Insuring Clause D.2.
D. Exclusions D.3.b. and B.2. and Loss Definition
Federal also argues that Exclusions D.3.b. and B.2, as well as the definition of Loss, bar coverage for all of the Assessments. Exclusion D.3.b. provides, "With respect to all Insuring Clauses, [Federal] shall not be liable for any Loss on account of any Claim, or for any Expense . . . based upon, arising from or in consequence of any . . . liability assumed by any Insured under any contract or agreement." (Doc. 8-1.) Under Exclusion B.2., "With respect to Insuring Clauses B through H, [Federal] shall not be liable for. . . any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured." (Doc. 8-1.) Additionally, and along the same vein, Loss under Insuring Clause A does not include "any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured." (Id.) Functionally, these exclusions are the same in that they bar coverage for contractual obligations an insured assumes with a third-party outside of the Policy.
Federal contends that the assessments for which coverage is sought arise out of liability assumed by Chang's to BAMS, thus they are excluded from coverage. (Doc. 22 at 12.) Federal supports this argument by citing the MSA, wherein Chang's agreed that "[BAMS] may pass through to [Chang's] any fees assessed to [BAMS] by the Card Organizations, including but not limited to, new fees, fines, penalties and assessment[s]." (Doc. 23-1.) Federal also looks to the BAMS Letter where BAMS tells Chang's, "[i]n accordance with your Merchant Agreement you are obligated to reimburse [BAMS] for the . . . assessments." (Doc. 23-8.)
Chang's counters, offering a series of arguments why these exceptions are inapplicable in the present case. First, Chang's argues that such exclusions do not apply if "the insured is the one who is solely responsible for the injury," (citing 63 A.L.R.2d 1122 A.3d § 2[a]), or, in other words, the exclusions do not apply to obligations the insured is responsible for absent any assumption of liability. (Doc. 36 at 12) (citing Homeowners Mgmt. Enterp., Inc. v. Mid-Continent Cas. Co., 294 Fed.Appx. 814 821 (5th Cir. 2008) and Victoria's Secret Stores, Inc. v. Epstein Contracting, Inc., 2002 WL 723215, *4-5 (Ohio App. April 25, 2002). Chang's argues that under the principal of equitable subrogation, it is compelled by "justice and good conscience," and not contractual liability, to compensate BAMS for the assessments. (Doc. 36 at 12) (citing Sourcecorp., Inc. v. Norcutt, 227 Ariz. 463, 466-67, 258 P.3d 281, 284-85 (App. 2011)). Chang's argues this is an exception recognized in the law to contractual liability exclusions of this nature. (Id.) Additionally, Chang's argues that its "responsibility for the Loss is the functional equivalent of compensating for damages suffered by victims of Privacy Injury, regardless of the MSA." (Doc. 36 at 12.) Under this argument, Chang's states that it could be liable under a variety of theories, including: negligence or particular statutes, such as A.R.S. § 44-7803, which places responsibility for fraudulent credit card transfers on merchants as opposed to credit card companies. (Id. at 12-13.) The Court is unconvinced by these arguments.
The Court finds that both Exclusions D.3.b. and B.2. as well as the definition of Loss bar coverage. In reaching this decision, the Court turned to cases analyzing commercial general liability insurance policies for guidance, because cybersecurity insurance policies are relatively new to the market but the fundamental principles are the same. Arizona courts, as well as those across the nation, hold that such contractual liability exclusions apply to "the assumption of another's liability, such as an agreement to indemnify or hold another harmless." Desert Mountain Properties Ltd. P'ship v. Liberty Mut. Fire Ins. Co., 225 Ariz. 194, 205, 236 P.3d 421, 432 (App. 2010), aff'd, 226 Ariz. 419, 250 P.3d 196 (2011) (citing Smithway Motor Xpress, Inc. v. Liberty Mut. Ins. Co., 484 N.W.2d 192, 196 (Iowa 1992); see also, Gibbs M. Smith, Inc. v. U.S. Fid. & Guar. Co., 949 P.2d 337, 341 (Utah 1997); Lennar Corp. v. Great Am. Ins. Co., 200 S.W.3d 651, 693 (Tex. App. 2006).
Chang's agreement with BAMS meets this criteria and thus triggers the exclusions. In no less than three places in the MSA does Chang's agree to reimburse or compensate BAMS for any "fees," "fines," "penalties," or "assessments" imposed on BAMS by the Associations, or, in other words, indemnify BAMS. (See Doc. 23-2 at 9, 18.) More specifically, Section 13.5 of the Addendum to the MSA reads: "[Chang's] agrees to pay [BAMS] any fines, fees, or penalties imposed on [BAMS] by any Associations, resulting from Chargebacks and any other fines, fees or penalties imposed by an Association with respect to acts or omissions of [Chang's]." (Id. at 9.) Furthermore, the Court is unable to find and Chang's does not direct the Court's attention to any evidence in the record indicating that Chang's would have been liable for these Assessments absent its agreement with BAMS. While such an exception to an exclusion of this nature may exist in the law, it is not applicable here. Accordingly, the Court must find that the above referenced exclusions bar coverage for all three Assessments claimed by Chang's.
In reaching this conclusion, the Court has followed the dictate that "exclusionary clauses are interpreted narrowly against the insurer." Scottsdale Ins. Co., 158 Ariz. at 479, 763 P.2d at 543. Yet, even while looking through this deferential lens, the Court is unable to reach an alternative conclusion. Simply put, these exclusions unequivocally bar coverage for the Assessments, including the ADC Operational Reimbursement that the Court said coverage existed for under Insuring Clause B.
E. Reasonable Expectation Doctrine
Finally, the Court turns to Chang's claim that in addition to coverage being proper under the Policy, coverage also exists pursuant to the reasonable expectation doctrine. (Doc. 36 at 14.) The doctrine applies only if two predicate conditions are present. First, the insured's "expectation of coverage must be objectively reasonable." Millar, 167 Ariz. at 97, 804 P.2d at 826. Second, the insurer "must have had reason to believe that the [insured] would not have purchased the . . . policy if they had known that it included" the complained of provision. Grabowski, 214 Ariz. at 193-94, 150 P.3d at 280-81. Chang's bears the burden of proving the applicability of the reasonable expectation doctrine. Id.
Thus, the starting point for the reasonable expectations analysis is "to determine what expectations have been induced." Darner, 140 Ariz. at 390, 682 P.2d at 395. Chang's states that the "dickered deal was for protection against losses resulting from [sic] a security compromise." (Doc. 36 at 15.) By this, Chang's means any and all fees and losses that flowed from the data breach, including the Assessments. Chang's directs the Court's attention to the deposition of Leah Montgomery, Federal's approving underwriter who renewed the Policy that was in effect at the time of the data breach. There, the evidence shows that when Federal issued the Policy it understood the realities associated with processing credit card transactions. (See Doc. 37-1.) Federal knew that all of Chang's credit card transactions were processed by a Servicer, such as BAMS, and the particular risks associated with credit card transactions. (Id. at 27, 85.) Federal also knew that Chang's, a member of the hospitality industry with a high volume of annual credit card transactions, was a higher risk entity and therefore paid a significant annual premium of $134,052.00. (Id. at 29, 75, 126.) Federal was also aware that issuers will calculate Fraud Recovery and Operational Reimbursement Assessments against merchants in an effort to recoup losses suffered by security breaches. (Id. at 87-91.) Furthermore, Chang's also shows that Chubb markets the cyber security insurance policy as one that "address[es] the full breadth of risks associate with doing business in today's technology-dependent world" and that the policy "Covers direct loss, legal liability, and consequential loss resulting from cyber security breaches." (Doc. 37-7.)
Chang's then argues that based on all of the above, it possessed the expectation that coverage existed under the Policy for the assessments. But this is a non sequitur conclusion unsupported by the facts as presented. While Federal is aware of the realities of processing credit card transactions and that Chang's could very well be liable for Assessments from credit card associations passed through to them by Servicers, this does not prove what Chang's actual expectations were. Nowhere in the record is the Court able to find supporting evidence that during the underwriting process Chang's expected that coverage would exist for Assessments following a hypothetical data breach. There is no evidence showing that Chang's insurance agent, Kelly McCoy, asked Federal's underwriter if such Assessments would be covered during their correspondence. (See Doc. 37-5.) The cybersecurity policy application and related underwriting files are similarly devoid of any supporting evidence. (See Id.; Doc. 37-6.)
Chang's merely attempts to cobble together such an expectation after the fact, when in reality no expectation existed at the time it purchased the Policy. There is no evidence that Chang's bargained for coverage for potential Assessments, which it certainly could have done. Chang's and Federal are both sophisticated parties well versed in negotiating contractual claims, leading the Court to believe that they included in the Policy the terms they intended. See Taylor v. State Farm Mut. Auto. Ins. Co., 175 Ariz. 148, 158, 854 P.2d 1134, 1144 (1993); Tucson Imaging Associates, LLC v. Nw. Hosp., LLC, No. 2 CA-CV 2006-0125, 2007 WL 5556997, at *6 (Ariz. Ct. App. July 31, 2007). Because no expectation existed for this type of coverage, the Court is unable to find that Chang's meets its burden of satisfying the first predicate condition, objective reasonableness, to invoke the reasonable expectation doctrine. This obviates the need to analyze this issue further. Therefore, the Court finds that coverage likewise does not exist under the reasonable expectation doctrine.
IV. CONCLUSION
Accordingly, based on the foregoing reasons,
IT IS HEREBY ORDERED GRANTING Defendant Federal Insurance Company's Motion for Summary Judgment. (Doc. 22.)
IT IS FURTHER ORDERED DENYING Plaintiff P.F. Chang's China Bistro, Inc.'s Unopposed Motion to Modify Case Schedule to Permit the Filing of an Amended Complaint (Doc. 44) as moot.
IT IS FURTHER ORDERED DISMISSING Plaintiff P.F. Chang's China Bistro, Inc.'s complaint with prejudice. The Clerk of Court shall enter judgment in favor of Defendant and terminate the case.
Dated this 26th day of May, 2016.
/s/_________
Honorable Stephen M. McNamee
Senior United States District Judge