View Page As PDF
Share Button
Tweet Button

A lawsuit brought by Travelers Indemnity Co. of Connecticut against restaurant chain P.F. Chang’s China Bistro Inc. could help answer whether a company’s commercial general liability (CGL) policy provides any coverage with respect to data breaches and other cyber-related liabilities. However, even if the federal District Court in Hartford, Connecticut determines in Travelers Indemnity Company of Connecticut v. P.F. Chang's China Bistro, Inc. (Case No. 3:2014 cv 01458) that coverage (in whatever form) exists, companies that want comprehensive protection against cyber-related losses should consider purchasing separate cyber liability policies.

Per a recent Business Insurance article:

"A Travelers Cos. unit has filed suit against restaurant chain P.F. Chang's China Bistro Inc. seeking a judicial declaration that it is not obligated under its commercial general liability policies to provide indemnity coverage or defense costs in connection with a data breach announced earlier this year. Travelers says in a lawsuit filed in federal District Court in Hartford, Connecticut, Oct. 2 that it is not obligated to provide coverage to the Scottsdale, Arizona-based chain under the one-year CGL polices it issued in January 2013 and January 2014. It states the chain has separate cyber coverage with an unidentified insurer."

Prior cases have established that cyber incidents are rarely covered under CGL policies, and companies relying on such policies for cyber coverage are taking on risks that may not be quantifiable.  Accordingly, firms (and, in many cases, their attorneys) should conduct a comprehensive review of their policies to determine what cyber risks are covered.  And specific attention should be paid to whether coverage applies to attacks over time (which occurs in many situations) as opposed to only specific events.  Regardless of how the Connecticut court rules, it seems very unlikely that policies that do not provide specific cyber liability coverage will be of use to companies in the wake of a data breach or other cyber-attack.