August 22, 2018 by Andrew Moss
Businesses that have suffered a data breach know that financial consequences soon follow. They lose customers. Their stock prices fall. They pay forensic firms to conduct investigations. They pay public relations firms to repair their reputations. They hire employees to respond to telephone and email inquiries. The list goes on.
Fortunately, cyber insurance policies can protect businesses from losses associated with data breaches. But, because cyber insurance is still relatively new, the scope of coverage varies from policy to policy. One loss associated with data breaches that cyber insurance policies may not cover adequately—or at all—is liability to financial institutions.
Data breach and liability to financial institutions
When a business suffers a data breach that involves compromised payment card information, financial institutions may claim against the business for compensation.
In 2013, hackers stole the credit and debit card information of approximately 110 million customers of Target Corporation. Issuing banks (banks that issue credit and debit cards to customers) brought a class-action lawsuit against Target for costs associated with replacing the compromised cards and reimbursing customers for fraudulent charges. The issuing banks alleged, among other things, that Target negligently failed to maintain appropriate data security measures and improperly retained card data.
The issuing banks also claimed against Target through another mechanism: card network dispute resolution processes. These processes allow issuing banks that use a card network to claim compensation for losses. Visa’s dispute resolution process is called the Global Compromised Account Recovery program (GCAR) and MasterCard’s is called the Account Data Compromise program (ADC). Both Visa and MasterCard asserted their rights pursuant to the GCAR and ADC programs to assess issuing banks’ losses and collect compensation from Target.
Target disputed Visa’s initial assessment of issuing banks’ losses, but ultimately entered into settlement agreements with Visa and the issuing banks. Through these settlements, Target paid approximately US$63.5 million to issuing banks, who released their claims against Target in the class-action lawsuit. Target also disputed MasterCard’s assessment of issuing banks’ losses and they failed to reach a settlement agreement outside the class-action lawsuit.
In 2016, the United States District Court of Minnesota approved a negotiated settlement of the issuing banks’ class-action lawsuit against Target. Pursuant to the settlement, Target paid approximately US$20 million for the issuing banks’ legal fees and expenses, US$19 million to issuing banks coordinating with MasterCard’s ADC program, and a further US$20 million to an escrow account for remaining issuing banks.
Insurance for liability to financial institutions
Given financial institutions’ expensive claims against businesses resulting from data breaches, businesses might expect cyber insurance policies to clearly and unambiguously define coverage. But that may not always be the case.
In 2014, hackers stole the payment card information of more than 60,000 customers of P.F. Chang’s China Bistro. Prior to the data breach, P.F. Chang’s had purchased a cyber insurance policy from Federal Insurance Company that had been marketed as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world.”
Federal said the policy “[c]overs direct loss, legal liability, and consequential loss resulting from cybersecurity breaches.” However, the policy defined “loss” such that it did not include “any cost or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any insured.” The policy also contained the exclusion clause: “With respect to all Insurance Clauses, [Federal] shall not be liable for any Loss … based upon, arising from or in consequence of any liability assumed by any Insured under any contract or agreement.”
P.F. Chang’s conducted a forensic investigation and defended litigation brought by customers. Federal reimbursed P.F. Chang’s for these losses pursuant to the policy. In 2015, pursuant to the ADC program, MasterCard assessed several losses to issuing banks resulting from the data breach: fraudulent charges, costs to notify cardholders, reissuing and delivering payment cards and account numbers. MasterCard assessed losses of approximately US$2 million.
MasterCard claimed the US$2 million from Bank of America Merchant Services, the acquiring bank used by P.F. Chang’s to process payment card transactions. Bank of America Merchant Services then claimed the US$2 million from P.F. Chang’s, pursuant to their Master Service Agreement. The Master Service Agreement required P.F. Chang’s to reimburse Bank of America Merchant Services for any “fines,” “fees,” “penalties,” or “assessments” imposed by a card network. When P.F. Chang’s attempted to claim the US$2 million loss pursuant to their cyber insurance policy, Federal denied the claim.
P.F. Chang’s sued Federal for breach of contract, and Federal brought a motion for Summary Judgment. Judge McNamee of the United States District Court for the District of Arizona granted Federal’s motion and dismissed P.F. Chang’s lawsuit. Despite the broad language used by Federal to advertise cyber insurance, the policy language barred coverage for any contractual obligations P.F. Chang’s assumed with a third party, such as Bank of America Merchant Services. Judge McNamee said, “Simply put, these exclusions unequivocally bar coverage for [MasterCard’s] assessments.”
Another dispute regarding cyber insurance coverage and liability to financial institutions occurred in Louisiana. In 2013, Hotel Monteleone, a luxury hotel in New Orleans, suffered an attack that compromised hotel guests’ payment card numbers. Visa and MasterCard assessed losses to issuing banks of US$377,000 and US$471,000 respectively, which were claimed against Hotel Monteleone. Hotel Monteleone did not have a cyber insurance policy at that time.
After the attack, the hotel sought to purchase cyber insurance to protect it against losses from future data breaches. Hotel Monteleone contracted with Eustis Insurance, an independent insurance agent, to procure a cyber insurance policy. Eustis, however, lacked expertise concerning cyber insurance policies, so they contracted assistance from R-T Specialty, a wholesale insurance broker that advertised expertise with cyber insurance. Eustis and R-T Specialty procured Ascent’s Cyberpro policy for Hotel Monteleone, issued by certain underwriters at Lloyd’s.
The policy indemnified Hotel Monteleone for up to US$3 million for damages and expenses the hotel would be obligated to pay arising from, among other things: (1) a breach of confidentiality, infringement, or violation of any right to privacy; (2) the misuse or unauthorized access of its computer network; or (3) failure to maintain the security or confidentiality of personally identifiable information stored on its computer network, including under a payment card processing agreement with a financial institution or other payment processor.
The policy also contained an endorsement—“Payment Card Industry Fines or Penalties Endorsement”—that had a US$200,000 sublimit. The endorsement indemnified Hotel Monteleone for monetary fines or penalties issued by “credit card associations” for non-compliance with payment card industry data security standards.
In 2014, Hotel Monteleone discovered it might have suffered a second cyberattack that had compromised payment card information. In 2015, MasterCard assessed several losses to issuing banks resulting from the data breach. MasterCard claimed the assessed amounts from BMO Harris Bank, the acquiring bank used by Hotel Monteleone to process payment card transactions. BMO Harris Bank claimed reimbursement from Hotel Monteleone, and Hotel Monteleone sought coverage from Lloyd’s pursuant to the Cyberpro policy. Lloyd’s said coverage for the assessments was limited to US$200,000, pursuant to the endorsement described above.
In 2015, Hotel Monteleone sued Lloyd’s and Eustis. The hotel argued BMO Harris Bank’s claim against it for reimbursement of MasterCard’s assessments was covered by the Cyberpro policy and the endorsement’s US$200,000 sublimit did not apply. First, the endorsement concerned claims against Hotel Monteleone by “credit card associations,” such as MasterCard. But BMO Harris Bank is an acquiring bank, not a credit card association. Second, the endorsement concerned fines and penalties. Hotel Monteleone argued MasterCard’s assessments did not qualify as fines or penalties. Alternatively, if the Court found the sublimit did apply, Hotel Monteleone argued Eustis was liable for amounts exceeding the sublimit. Hotel Monteleone said Eustis failed to match it with a proper insurance policy to meet its needs.
In 2016, Eustis brought a third party claim against R-T Specialty for its role in procuring the cyber insurance policy. The parties settled the lawsuit for an undisclosed amount.
Andrew Moss is an associate lawyer with Foster & Company in Fredericton, New Brunswick. He specializes in litigation related to insurance coverage, personal injuries, motor vehicle accidents, construction projects and professional negligence.
Copyright © 2018 Transcontinental Media G.P. This article first appeared in the August edition of Canadian Insurance Top Broker magazine.
This story was originally published by Canadian Insurance Top Broker.