Merchants in the hospitality industry are dependent upon accepting payment by credit or debit card. Many customers simply do not carry cash with them, making the ability to accept payment cards a necessity for hospitality businesses.
This trend and the increased volume of payment card transactions greatly increase liability exposures for merchants. This article examines how potential liabilities are passed to merchants from banks and payment processors through contract, and how the insurance coverage available to merchants specifically addresses these contractual exposures.
Third-party claims resulting from credit card data breaches can differ considerably from those involving other forms of personally identifiable information. Card-issuing banks, merchant banks and payment processors all address their needs for recovery following a payment card breach through a complex contract chain that passes liabilities down to the merchant.
Merchant Services Agreements
Typically, a merchant will enter a merchant services agreement with a payment processor or merchant bank to accept payment via credit and debit card. Issuing banks generally seek recovery for card reissuance expenses and fraud through their contracts. The issuing banks do not contract directly with a merchant, but act through intermediaries, including the merchant banks or payment processors.
These contracts typically hold the merchant banks and payment processors financially responsible for breaches of payment card data at the merchant level. The merchant banks and payment processors then seek to pass these liabilities down to their merchants through the merchant agreement. Merchant banks and/or payment processors may retain the contractual right to assess the merchant directly, or to withhold funds from future transaction charges to force payment.
MasterCard and VISA require merchants accepting payment cards to be in compliance with the Payment Card Industry Data Security Standard (PCI-DSS). The fraud, recovery, and operating expenses that the card brands push down to the merchants arise from a determination following a breach that the merchant was not in compliance with this set of standard rules.
There are four levels of compliance under the PCI-DSS. Entities accepting higher volumes of cards are held to a higher compliance level. Breaches of more than 15,000 cards may qualify for VISA’s Global Compromised Account Recovery Program. Under this recovery process, VISA can levy an assessment that includes fraud recovery and operating expenses. Although the operating expense recovery amount is set at $2.50 per eligible account, the fraud recovery amounts can vary tremendously depending on the breach. Operating expenses alone would total $250,000 in the event of a breach of 100,000 eligible accounts.
Merchants have little ability to challenge these assessments. Their best opportunity to control the scope of a PCI assessment is to retain their own forensic investigator. Following a breach, PCI forensic investigators are brought in to determine whether the merchant was fully compliant with the appropriate level of the PCI-DSS.
Even if the merchant was previously found to be in compliance by a qualified assessor, it is in the best interest of the card brands and banks following a breach to show that the merchant was not, so as to trigger the recovery process. It is nearly impossible to dispute their findings unless the merchant uses another, independent forensic investigator to conduct an assessment.
Many policy forms in the marketplace directly exclude contractual indemnities and liability, including that which stems from merchant services agreements. Some policy forms initially grant coverage for breach of contract claims, but then add exclusions concerning key components of this coverage. In addition, some policy forms exclude breach of contract claims with only very narrow carve-backs to the exclusionary wording, which may not help the insured much in the event of a payment card breach.
Although most privacy/security insurance policies grant the insured coverage for the first-party costs of notifying affected individuals and extending them credit monitoring services, not all will directly respond to the breach of, or the indemnities contained in, a merchant services agreement.
Insureds may not need to directly notify affected individuals in the event of a credit card breach, as the banks will already reissue cards. Credit monitoring services may not be required either, because a new credit line cannot be fraudulently opened using an exposed credit card number alone.
Agents and brokers know how to navigate the intricacies of the first generation of privacy/security liability policies. Historically, carriers have been concerned with extending large limits for notification and credit monitoring expenses, as these payments are due immediately upon the discovery of a breach of personally identifiable information. These first-party notification expenses are paid without the opportunity to defend the allegations in court.
Because there is no opportunity to defend the claim, carriers are reluctant to risk large amounts of capital to pay these expenses; consequently, brokers and agents negotiate these sub-limits as high as possible on behalf of their clients. Although this focus can benefit an insured in possession of Social Security numbers, healthcare information or other personally identifiable information, agents and brokers also should focus on how policies address contractual liability exposures for the much larger universe of clients that accept payment cards.
A merchant should choose its insurance carefully to ensure it provides the coverage it needs for contractual liabilities and indemnities following a payment card breach. Although many policies may partially address this exposure by granting PCI fines and penalties coverage for that portion of card brand assessments, not all address the full scope of liability passed through the merchant agreements.
Merchants also should realize that banks no longer need to sue in an attempt to prove negligence or another theory of liability after a payment card breach. Once the contractual indemnifications agreed to by their merchants are triggered, the banks are able to seek recovery outside the court system.
Not all privacy/security insurance policies are created equal. The coverage approach is far from standardized throughout the marketplace and can have significant implications if a merchant suffers a data breach. Although the price of these policies can vary greatly, so can the coverage afforded within them. Where notification and credit monitoring coverage may once have been the main or exclusive focus of a coverage placement, the evolution of new privacy/security exposures raises the need for more comprehensive coverage options, especially in the hospitality industry.
Third-Party Liability Threats
Some think that privacy and network security policies have become commoditized during the last several years. Not surprisingly, considering that first-party losses are more certain following a data breach, many brokers pay the most attention to the varying components of these policies that pertain specifically to the first-party breach response costs.
The competition for competitively priced breach notification and credit monitoring limits is fierce. Although this component of the privacy/security insurance policy is crucial to entities holding large volumes of Social Security numbers or personal health information, brokers and policyholders in the hospitality industry must appreciate the importance of broad third-party liability coverage when it comes to credit or debit cards.
A contractual infrastructure flows downward from the major credit card brands, creating contractual indemnities and contractual liabilities at each level; this is an important consideration for brokers soliciting privacy/security liability coverage. Most privacy/security insurance policies do not adequately address these liabilities, and in many instances specifically exclude them.