Know your cyber insurance gaps before a breach hits
02 NOVEMBER 2016 7:42 AM

The number and frequency of data breaches continue to grow, so hoteliers need to cover themselves adequately or face expensive consequences.

Data breaches are on the rise throughout the business sector, including the hospitality industry.

In 2015, in California alone, there were approximately 178 reported breaches that compromised 24 million records, according to the California Department of Justice’s Data Breach Report. Attacked businesses on average now incur data breach costs equal to $221 per compromised record, states a 2016 study by the Ponemon Institute, and response costs to a data breach average in excess of $7 million.

The hospitality industry is, in fact, a prime target—dubiously ranking within the top three industries targeted by hackers, according to the 2016 Trustwave Global Security Report. The primary reason is that industry players rely on remote access software to manage numerous geographic locations and payment processing systems, thereby creating a veritable smorgasbord of hacking entry points.

With the proliferation of data breaches, it is no surprise that many hospitality businesses are turning to cyber insurance in an effort to defray the risk of significant response costs. However, a recent case illustrates that securing cyber insurance is not a guarantee against all response costs.

Case in point
The pertinent facts of the case are recited here. P.F. Chang’s China Bistro Inc. obtained a cybersecurity policy from Federal Insurance Company for a period of 1 January 2014 through 2 January 2015. The policy was marketed as a “flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world” that “[c]overs direct loss, legal liability, and consequential loss resulting from cyber security breaches.”

P.F. Chang’s, as the insured, was categorized as a high-risk “PCI Level 1” business because it conducted in excess of six million transactions per year, many of which involved customer credit cards. At that time, the company did not process credit card transactions itself, but instead (like many hospitality businesses) contracted with a third-party vendor (Bank of America Merchant Services) to facilitate the processing of those transactions with the various banks issuing the credit cards. P.F. Chang’s agreed to reimburse Bank of America for any fees, fines, penalties or assessments imposed on the vendor by any credit card associations.

In June 2014, P.F. Chang’s discovered its system had been breached and thousands of its customers’ credit card numbers had been posted on the internet. The company immediately notified its insurer.

In the aftermath of that breach, MasterCard ultimately issued multiple assessments to Bank of America Merchant Services totaling approximately $2 million—costs incurred by MasterCard to notify affected cardholders, reissue and deliver new cards, card numbers, and security codes to customers, and to reimburse fraudulent charges.

Bank of America, in turn, demanded reimbursement of those assessments from P.F. Chang’s—which the company paid. P.F. Chang’s then tendered those assessment costs to its insurer for reimbursement under its cyber insurance policy. When its insurer declined to cover the assessment costs, P.F. Chang’s initiated its lawsuit.

After reviewing the language of the insurance policy, the court determined the assessments imposed on Bank of America Merchant Services (and reimbursed by P.F. Chang’s) were not covered, despite having directly resulted from the data breach.

As stated in the policy, the insurer was not liable for “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.” The policy further excluded as a covered loss, “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured.”

The court therefore concluded that those exclusions “bar coverage for contractual obligations an insured assumes with a third-party outside of the Policy.” Because P.F. Chang’s Master Service Agreement obligated it to assume any assessments imposed on Bank of America Merchant Services (including MasterCard’s $2 million in assessments), those assessments were not covered by P.F. Chang’s cyber insurance policy.

It is worth noting, however, that P.F. Chang’s insurer did cover more than $1.7 million in other breach-related costs, and thus its policy did provide measurable protection.

Know your coverage, protect your business
The hospitality industry is under siege from hackers, and there are a variety of cyber insurance policies available to industry businesses to potentially cover breach-related costs. However, unexpected coverage gaps may exist.

There are two primary lessons for businesses that have or are interested in securing cyber insurance.

First, it is imperative that you and your legal team thoroughly review and understand the scope of any cybersecurity coverage you select, paying particular attention to the express exclusions.

Second, if your business contracts with third-party facilitators to process credit card transactions, you and your legal team must scrutinize those contracts (and likely others) to assess whether they potentially create uninsurable losses. Such information not only might dramatically impact service contract negotiations with your vendors, but might educate you on what to look for when securing a cybersecurity policy.

David Lee is a partner in Michelman & Robinson, LLP’s Hospitality Department. Michelman & Robinson, LLP is a national law firm with offices in Los Angeles, Orange County, San Francisco, Sacramento and New York. For more information, please visit

The opinions expressed in this column do not necessarily reflect the opinions of Hotel News Now or its parent company, STR and its affiliated companies. Bloggers published on this site are given the freedom to express views that may be controversial, but our goal is to provoke thought and constructive discussion within our reader community. Please feel free to comment or contact an editor with any questions or concerns.
