Policyholders should carefully review and understand the potential application of any sublimits included in the individual coverage sections within their cyber insurance policies to ensure the availability of adequate coverage for the variety of losses they may experience as the result of a cyber incident.  A policyholder’s failure to do so may impact its reasonable expectation of coverage and ultimately frustrate the purpose of the intended coverage.

Cyber insurance policies, like most insurance policies, often include “sublimits” within  the overall limit of liability, which limit the amount of insurance available under certain coverage sections or for certain types of loss an insured may experience as a result of a cyber incident. Policyholders who do not understand or fully appreciate how these sublimits may impact their overall coverage may later find themselves engaged in a contentious dispute with their insurer over whether their cyber insurance policy covers only a small fraction of their potential losses or their entire loss. Hotel Monteleone, a historic New Orleans hotel, is currently pursuing just such a case against its insurer, a Lloyd’s of London syndicate, over whether the hotel is entitled to the full $3 million limit of liability in its cyber insurance policy, or instead confined to a mere $200,000 sublimit in connection with a recent cyber incident. New Hotel Monteleone, LLC v. Certain Underwriters at Lloyd’s of London, et al., No. 2015-11711 (Civ. Dist. Ct. for Orleans Parish, Louisiana).

In 2013, Hotel Monteleone (the “Hotel”) experienced a cyber incident in the form of a data breach and theft of numerous consumer payment card numbers, resulting in losses to  the  Hotel  in  excess of $200,000.  The losses consisted of fraud recovery, operational reimbursement, and case management fees. At the time of the breach, the Hotel did not have cyber insurance. Following the breach, the Hotel sought to protect itself from future cyber incident-related losses, and specifically the types of loss it experienced in 2013, by hiring an insurance broker to procure appropriate cyber insurance on its behalf.

In 2014, the Hotel purchased a CyberPro Insurance Policy from Ascent Underwriting (“Ascent”), a Lloyd’s of London syndicate insurer, for the policy period February 24, 2014 through November  1, 2014 (the “2014 Policy”).  The Hotel paid a premium of over $20,000 for the 2014 Policy, which had a total limit of liability of $3 million and provided security and privacy liability coverage, in relevant part, for “damages and claims expenses. . . arising from an actual or alleged security and privacy wrongful act(s) for which [the policyholder] is legally liable.” 2014 Policy, § I.   The  definition  of “security  and privacy wrongful act” specifically included wrongful acts related to obligations under a contract with a payment card processor:

Your failure to maintain the security or confidentiality of personally identifiable information stored on your computer network under any contract, including but not limited to a payment card processing agreement with a financial institution or other payment processor.

Id., § VII.KK.5.  The 2014 Policy also contained a Payment Card Industry Fines or Penalties Endorsement, subject to a $200,000 coverage limitation, or “sublimit,” for “Payment  Card  Industry  fines or penalties . . . arising solely from a privacy event, or security event.” The endorsement defined “Payment Card Industry fines and penalties” to mean “a written demand received by [the policyholder] by a credit card association for a monetary fine or penalty because of [the policyholder’s] non-compliance with Payment Card Industry Data Security Standards.” Id., Endorsement No. 1. “Credit card association” was separately defined to include the major payment card associations like Visa, MasterCard, and Discover.  Id.

On or around October 17, 2014, the Hotel experienced a second cyber incident in which consumer payment card numbers were again breached and allegedly compromised. As a result of the incident, the Hotel faced liability imposed by means of a written demand from BMO Harris Bank N.A., a payment card processor. The demand alleged that the Hotel had failed to maintain the security and confidentiality of the consumer payment card numbers, and sought damages falling into four different categories: (1) the cost of the fraudulent charges resulting from the 2014 incident, (2) the cost of replacing the compromised consumer payment cards, (3) reimbursement for investigations and other costs incurred by MasterCard in connection with the incident, and (4) costs incurred in connection with the Hotel’s alleged violation of the requirements of the Payment Card Industry Data Security Standards (“PCI DSS”).

In response to the written demand, the  Hotel  sought  coverage  from Ascent under the 2014 Policy, claiming that its losses were due to fraud recovery,  operational  reimbursement,  and case management fees—all of which would be covered by the $3 million limit of liability applicable to the security and privacy liability coverage. According to the Hotel, even the costs incurred as a result of its alleged violation of the PCI DSS requirements fell outside the scope of the $200,000 sublimit under the Payment Card Industry Fines or Penalties Endorsement to the extent costs were paid in response to a demand received from a payment card processor, not a credit card association. In May  2015, Ascent’s claims handler disagreed, stating  that the losses were all subject to the Payment Card Industry Fines or Penalties Endorsement’s $200,000 sublimit.

The Hotel filed suit on December 10,  2015,  seeking a  declaratory  judgment and alleging breach of contract and bad faith against Ascent and, in the alternative, negligent failure to procure insurance coverage against its broker, Eustice Insurance ("Eustice"). In its complaint, the Hotel asserts that  the  sublimit applies only to amounts owed for violations of PCI DSS requirements and only if those amounts result from a written demand received from a credit card association—not a payment card processor like BMO Harris Bank N.A. The Hotel also notes in its complaint that shortly after the 2014 cyber incident, it purchased a new policy from the same insurer, Ascent, for the policy period November 1, 2014 through November 1, 2015 (the “2015 Policy”). The 2015 Policy revised the Payment Card Industry Fines or Penalties  Endorsement  to cover “reimbursements, fraud recoveries or assessments” that the Hotel would owe under the terms of a Merchant Service Agreement with the credit card associations. Pointing to the Endorsement of the same name in the 2014 Policy, which covered only “a monetary fine or penalty,” the  Hotel argues that the  revision to the langauge of the Endorsement in the 2015 Policy makes clear that the 2014 Policy Endorsement is narrower in scope and does not include the types of loss suffered by the Hotel in the 2014 cyber incident.

Although Hotel Monteleone’s suit against Ascent and Eustice is only in the early stages, the case serves as a cautionary tale for policyholders to pay careful attention to any sublimits included as part of the individual coverage sections within their cyber  insurance policies. Conscientious policyholders should ensure that the potential application of a sublimit is clear and does not frustrate their intent in  purchasing the insurance coverage in the first place.