P.F. Chang's China Bistro, Inc. v. Fed. Ins. Co., CV-15-01322-PHX-SMM
| Decision Date | 26 May 2016 |
| Docket Number | No. CV-15-01322-PHX-SMM,CV-15-01322-PHX-SMM |
| Parties | P.F. Chang's China Bistro, Inc., Plaintiff, v. Federal Insurance Company, Defendant. |
| Court | U.S. District Court — District of Arizona |
Pending before the Court is Defendant Federal Insurance Company's ("Federal") Motion for Summary Judgment. (Doc. 22.) P.F. Chang's China Bistro, Inc. ("Chang's") has responded and the matter is fully briefed. (Docs. 36, 38.) The Court heard Oral Arguments on the motion on April 19, 2016. (Doc. 41.) In essence, the main issue before the Court is whether coverage exists under the insurance policy between Chang's and Federal for the credit card association assessments that arose from the data breach Chang's suffered in 2013. The Court now issues following ruling.
Federal sold a CyberSecurity by Chubb Policy ("Policy") to Chang's corporate parent, Wok Holdco LLC, with effective dates from January 1, 2014 to January 1, 2015. (Doc. 8-1 at 2.) On its website, Federal marketed the Policy as "a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated withdoing business in today's technology-dependent world" that "[c]overs direct loss, legal liability, and consequential loss resulting from cyber security breaches." (Doc. 37-7.) Specific provisions of the Policy will be defined and discussed in greater detail below.
During the underwriting processes, Federal classified Chang's as a high risk, "PCI Level 1", client because Chang's conducts more than 6 million transactions per year. (Docs. 37-1 at 121-22, 37-6.) Further, because of the large number of Chang's transactions conducted with customer credit cards, Federal noted there was high exposure to potential customer identity theft. (Doc. 37-6.) In 2014, Chang's paid an annual premium of $134,052.00 for the Policy. (Doc. 37-1 at 126.)
Chang's and other similarly situated merchants are unable to process credit card transactions themselves. Merchants must enter into agreements with third-party "Servicers" or "Acquirers" who facilitate the processing of credit card transactions with the banks who issue the credit cards ("Issuers"), such as Chase or Wells Fargo. Here, Chang's entered into a Master Service Agreement ("MSA") with Bank of America Merchant Services ("BAMS") to process credit card payments made by Chang's customers. (Doc. 23-2.) Under the MSA, Chang's delivers its customers' credit card payment information to BAMS who then settles the transaction through an automated clearinghouse; BAMS then credits Chang's account for the amount of the payment. (Id.)
Servicers like BAMS perform their processing obligations pursuant to agreements with the credit card associations ("Associations"), like MasterCard and Visa. (Doc. 24-1.) BAMS' agreement with MasterCard is governed by the MasterCard Rules, and are incorporated in its MSA with Chang's. (See Id; Doc. 23-2.) Under the MasterCard Rules, BAMS is obligated to pay certain fees and assessments ("Assessments") to MasterCard in the event of a data breach or "Account Data Compromise" ("ADC"). (Doc. 24-1 at § 10.2) These Assessments include "Operational Reimbursement" fees and "Fraud Recovery" fees, and they are calculated by formulae set forth in the MasterCard Rules. (Id.)
Under the MSA, Chang's agreed to compensate or reimburse BAMS for "fees," "fines," "penalties," or "assessments" imposed on BAMS by the Associations. (See Doc. 23-2 at 9, 18.) Section 13.5 of the Addendum to the MSA reads: "[Chang's] agrees to pay [BAMS] any fines, fees, or penalties imposed on [BAMS] by any Associations, resulting from Chargebacks and any other fines, fees or penalties imposed by an Association with respect to acts or omissions of [Chang's]." (Id. at 9.) Section 5 of Schedule A to the Addendum to the MSA provides: "In addition to the interchange rates, [BAMS] may pass through to [Chang's] any fees assessed to [BAMS] by the [Associations], including but not limited to, new fees, fines, penalties and assessments imposed by the [Associations]." (Id. at 18.)
On June 10, 2014, Chang's learned that computer hackers had obtained and posted on the Internet approximately 60,000 credit card numbers belonging to its customers (the "security compromise" or "data breach"). (Doc. 25-1.) Chang's notified Federal of the data breach that very same day. (Id.)
To date, Federal has reimbursed Chang's more than $1,700,000 pursuant to the Policy for costs incurred as a result of the security compromise. (Doc. 22 at 9.) Those costs include conducting a forensic investigation into the data breach and the costs of defending litigation filed by customers whose credit card information was stolen, as well as litigation filed by one bank that issued card information that was stolen. (Id.)
Following the data breach, on March 2, 2015, MasterCard issued an "ADC Operational Reimbursement/Fraud Recovery Final Acquirer Financial Responsibility Report" to BAMS. (Doc. 26-2.) This MasterCard Report imposed three Assessments on BAMS, a Fraud Recovery Assessment of $1,716,798.85, an Operational Reimbursement Assessment of $163,122.72 for Chang's data breach, and a Case Management Fee of $50,000. (Id.; Doc. 26-3.) The Fraud Recovery Assessment reflects costs, as calculated by MasterCard, associated with fraudulent charges that may have arisen from, or may be related to, the security compromise. (Doc. 1-1 at ¶20.) The Operational ReimbursementAssessment reflects costs to notify cardholders affected by the security compromise and to reissue and deliver payment cards, new account numbers, and security codes to those cardholders. (Id. at ¶19) The Case Management Fee is a flat fee and relates to considerations regarding Chang's compliance with Payment Card Industry Data Security Standards. (Id. at ¶18.)
On March 11, 2015, BAMS sent Chang's a letter (the "BAMS Letter") stating:
(Doc. 26-3.) Chang's notified Federal of the BAMS Letter on March 19, 2015 and sought coverage for the Assessments. (Doc. 26-4.) Pursuant to the MSA, and in order to continue operations and not lose its ability to process credit card transactions, Chang's reimbursed BAMS for the Assessments on April 15, 2015. (Doc. 1-1 at ¶24.) Federal denied coverage for the Assessments and Chang's subsequently filed this lawsuit.
"The court shall grant summary judgment if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." Fed.R.Civ.P. 56(a). "The substantive law determines which facts are material; only disputes over facts that might affect the outcome of the suit under the governing law properly preclude the entry of summary judgment." Nat'l Ass'n of Optometrists &Opticians v. Harris, 682 F.3d 1144, 1147 (9th Cir. 2012) (citing Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986)). To prove the absence of a genuine dispute, the moving party must demonstrate that "the evidence is such that [no] reasonable jury could return a verdict for the nonmoving party." Liberty Lobby, 477 U.S. at 248. In determining whether a party has met its burden, a court views the evidence in the light most favorable to the non-moving party and draws all reasonable inferences in the non-moving party's favor. Liberty Lobby, 477 U.S. at 255. While a court may consider only admissible evidence in ruling on a motion for summary judgment, the focus is not "on the admissibility of the evidence's form," but "on the admissibility of its contents." Fraser v. Goodale, 342 F.3d 1032, 1036-37 (9th Cir.2003).
Federal courts sitting in diversity apply the forum state's choice of law rules to determine controlling substantive law. Klaxon Co. v. Stentor Elec. Mfg. Co. Inc., 313 U.S. 487, 496 (1941). Arizona adheres to Restatement (Second) of Conflict of Laws § 193 (1971), which states that insurance contracts are generally governed "by the local law of the state which the parties understood was to be the principal location of the insured risk during the term of the policy." Beckler v. State Farm Mut. Auto. Ins. Co., 195 Ariz. 282, 286, 987 P.2d 768, 772 (App. 1999). Since the principal location of the insured was in Arizona and the insurance agreement was entered into in Arizona, Arizona law governs the enforcement of the Policy.
"The traditional view of the law of contracts is that a written agreement adopted by the parties will be viewed as an integrated contract which binds those parties to the terms expressed within the four corners of the agreement." Darner Motor Sales, Inc. v. Universal Underwriters Ins. Co., 140 Ariz. 383, 390, 682 P.2d 388, 395 (1984). However, "the usual insurance policy is a special kind of contract," id., in part because it is not "arrived at by negotiation between the parties," Zuckerman v. Transamerica Ins. Co., 133 Ariz. 139, 144, 650 P.2d 441, 446 (1982). Instead, "[i]t is largely adhesive; some terms are bargained for, but most terms consist of boilerplate, not bargained for, neither read nor understood by the buyer, and often not even fully understood by the selling agent." Darner, 140 Ariz. at 391, 682 P.2d at 396. Moreover, "[t]he adhesive terms generally areself-protective; their major purpose and effect often is to ensure that the drafting party will prevail if a dispute goes to ...
To continue reading
Request your trial