BreachExchange mailing list archives
Know Your Cyber Insurance Gaps Before a Breach Hits
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Fri, 25 Nov 2016 18:07:48 -0600
http://www.jdsupra.com/legalnews/know-your-cyber-insurance-gaps-before-a-82371/

Data breaches are on the rise throughout the business sector, including the hospitality industry. In 2015, in California alone, there were approximately 178 reported breaches that compromised 24 million records, according to the California Department of Justice’s Data Breach Report <https://oag.ca.gov/breachreport2016>. Attacked businesses on average now incur data breach costs equal to $221 per compromised record, states a 2016 study by the Ponemon Institute <http://www-03.ibm.com/security/data-breach/>, and response costs to a data breach average in excess of $7 million.

The hospitality industry is, in fact, a prime target—dubiously ranking within the top three industries targeted by hackers, according to the 2016 Trustwave Global Security Report <https://www2.trustwave.com/GSR2016.html>. The primary reason why is that industry players rely on remote access software to manage numerous geographic locations and payment processing systems, thereby creating a veritable smorgasbord of hacking entry points.

With the proliferation of data breaches, it is no surprise that many hospitality businesses are turning to cyber insurance in an effort to defray the risk of significant response costs. However, a recent case illustrates that securing cyber-insurance is not a guarantee against all response costs.

*Case in point*

The pertinent facts of the case are recited here. P.F. Chang’s China Bistro Inc. obtained a cybersecurity policy from Federal Insurance Company for a period of 1 January 2014 through 2 January 2015. The policy was marketed as a “flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” that “[c]overs direct loss, legal liability, and consequential loss resulting from cyber security breaches.”

P.F. Chang’s, as the insured, was categorized as a high-risk “PCI Level 1” business because it conducted in excess of six million transactions per year, many of which involved customer credit cards. At that time, the company did not process credit card transactions itself, but instead (like many hospitality businesses) contracted with a third-party vendor (Bank of America Merchant Services) to facilitate the processing of those transactions with the various banks issuing the credit cards. P.F. Chang’s agreed to reimburse Bank of America for any fees, fines, penalties or assessments imposed on the vendor by any credit card associations.

In June 2014, P.F. Chang’s discovered its system had been breached and thousands of its customers’ credit card numbers had been posted on the internet. The company immediately notified its insurer. In the aftermath of that breach, MasterCard ultimately issued multiple assessments to Bank of America Merchant Services totaling approximately $2 million—costs incurred by MasterCard to notify affected cardholders, reissue and deliver new cards, card numbers, and security codes to customers, and to reimburse fraudulent charges. Bank of America, in turn, demanded reimbursement of those assessments from P.F. Chang’s—which the company paid.

P.F. Chang’s then tendered those assessment costs to its insurer for reimbursement under its cyber insurance policy. When its insurer declined to cover the assessment costs, P.F. Chang’s initiated its lawsuit.

After reviewing the language of the insurance policy, the court determined the assessments imposed on Bank of America Merchant Services (and reimbursed by P.F. Chang’s) were not covered, despite having directly resulted from the data breach. As stated in the policy, the insurer was not liable for “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.” The policy further excluded as a covered loss, “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.” The court therefore concluded that those exclusions “bar coverage for contractual obligations an insured assumes with a third-party outside of the Policy.” Because P.F. Chang’s Master Service Agreement obligated it to assume any assessments imposed on Bank of America Merchant Services (including MasterCard’s $2 million in assessments), those assessments were not covered by P.F. Chang’s cyber insurance policy.

It is worth noting, however, that P.F. Chang’s insurer did cover more than $1.7 million in other breach-related costs, and thus its policy did provide measurable protection.

*Know your coverage, protect your business*

The hospitality industry is under siege from hackers, and there are a variety of cyber insurance policies available to industry businesses to potentially cover breach-related costs. However, unexpected coverage gaps may exist.

There are two primary lessons for businesses that have or are interested in securing cyber insurance. First, it is imperative that you and your legal team thoroughly review and understand the scope of any cybersecurity coverage you select, paying particular attention to the express exclusions. Second, if your business contracts with third-party facilitators to process credit card transactions, you and your legal team must scrutinize those contracts (and likely others) to assess whether they potentially create uninsurable losses. Such information not only might dramatically impact service contract negotiations with your vendors, but might educate you on what to look for when securing a cybersecurity policy.