<div dir="ltr"><a href="http://www.jdsupra.com/legalnews/know-your-cyber-insurance-gaps-before-a-82371/">http://www.jdsupra.com/legalnews/know-your-cyber-insurance-gaps-before-a-82371/</a><br><br><p>
Data breaches are on the rise throughout the business sector, including the hospitality industry.</p>
<p>
In 2015, in California alone, there were approximately 178 reported
breaches that compromised 24 million records, according to the <a href="https://oag.ca.gov/breachreport2016" target="_blank">California Department of Justice’s Data Breach Report</a>. Attacked businesses on average now incur data breach costs equal to $221 per compromised record, states a <a href="http://www-03.ibm.com/security/data-breach/" target="_blank">2016 study by the Ponemon Institute</a>, and response costs to a data breach average in excess of $7 million.</p>
<p>
The hospitality industry is, in fact, a prime target—dubiously ranking
within the top three industries targeted by hackers, according to the <a href="https://www2.trustwave.com/GSR2016.html" target="_blank">2016 Trustwave Global Security Report</a>.
The primary reason is that industry players rely on remote access
software to manage numerous geographic locations and payment processing
systems, thereby creating a veritable smorgasbord of hacking entry
points.</p>
<p>
With the proliferation of data breaches, it is no surprise that many
hospitality businesses are turning to cyber insurance in an effort to
defray the risk of significant response costs. However, a recent case
illustrates that securing cyber insurance is not a guarantee against all
response costs.</p>
<p>
<strong>Case in point</strong><br>
The pertinent facts of the case are recited here. P.F. Chang’s China
Bistro Inc. obtained a cybersecurity policy from Federal Insurance
Company for a period of 1 January 2014 through 2 January 2015. The
policy was marketed as a “flexible insurance solution designed by cyber
risk experts to address the full breadth of risks associated with doing
business in today’s technology-dependent world” that “[c]overs direct
loss, legal liability, and consequential loss resulting from cyber
security breaches.”</p>
<p>
P.F. Chang’s, as the insured, was categorized as a high-risk “PCI Level
1” business because it conducted in excess of six million transactions
per year, many of which involved customer credit cards. At that time,
the company did not process credit card transactions itself, but instead
(like many hospitality businesses) contracted with a third-party vendor
(Bank of America Merchant Services) to facilitate the processing of
those transactions with the various banks issuing the credit cards. P.F.
Chang’s agreed to reimburse Bank of America for any fees, fines,
penalties or assessments imposed on the vendor by any credit card
associations.</p>
<p>
In June 2014, P.F. Chang’s discovered its system had been breached and
thousands of its customers’ credit card numbers had been posted on the
internet. The company immediately notified its insurer.</p>
<p>
In the aftermath of that breach, MasterCard ultimately issued multiple
assessments to Bank of America Merchant Services totaling approximately
$2 million—costs incurred by MasterCard to notify affected cardholders,
reissue and deliver new cards, card numbers, and security codes to
customers, and to reimburse fraudulent charges.</p>
<p>
Bank of America, in turn, demanded reimbursement of those assessments
from P.F. Chang’s—which the company paid. P.F. Chang’s then tendered
those assessment costs to its insurer for reimbursement under its cyber
insurance policy. When its insurer declined to cover the assessment
costs, P.F. Chang’s initiated its lawsuit.</p>
<p>
After reviewing the language of the insurance policy, the court
determined the assessments imposed on Bank of America Merchant Services
(and reimbursed by P.F. Chang’s) were not covered, despite having
directly resulted from the data breach.</p>
<p>
As stated in the policy, the insurer was not liable for “any costs or
expenses incurred to perform any obligation assumed by, on behalf of, or
with the consent of any Insured.” The policy further excluded as a
covered loss, “any costs or expenses incurred to perform any obligation
assumed by, on behalf of, or with the consent of any Insured.”</p>
<p>
The court therefore concluded that those exclusions “bar coverage for
contractual obligations an insured assumes with a third-party outside of
the Policy.” Because P.F. Chang’s Master Service Agreement obligated it
to assume any assessments imposed on Bank of America Merchant Services
(including MasterCard’s $2 million in assessments), those assessments
were not covered by P.F. Chang’s cyber insurance policy.</p>
<p>
It is worth noting, however, that P.F. Chang’s insurer did cover more
than $1.7 million in other breach-related costs, and thus its policy did
provide measurable protection.</p>
<p>
<strong>Know your coverage, protect your business</strong><br>
The hospitality industry is under siege from hackers, and there are a
variety of cyber insurance policies available to industry businesses to
potentially cover breach-related costs. However, unexpected coverage
gaps may exist.</p>
<p>
There are two primary lessons for businesses that have, or are interested in securing, cyber insurance.</p>
<p>
First, it is imperative that you and your legal team thoroughly review
and understand the scope of any cybersecurity coverage you select,
paying particular attention to the express exclusions.</p>
<p>
Second, if your business contracts with third-party facilitators to
process credit card transactions, you and your legal team must
scrutinize those contracts (and likely others) to assess whether they
potentially create uninsurable losses. Such information not only might
dramatically impact service contract negotiations with your vendors, but
might educate you on what to look for when securing a cybersecurity
policy.</p><br></div>