On February 1, 2017, Hunton & Williams LLP's Walter Andrews served on GMBHA's Cyber Liability Panel. The panel highlighted the current threats faced by hospitality insureds and discussed how cyber insurance can help mitigate these risks. A recent case involving a Florida hotel group offers a real-world example of many of the issues the panel discussed, including whether legacy policies, such as a hotel's general liability policy, may provide coverage for cyber liabilities.
On March 27, 2017, St. Paul Fire & Marine Insurance Co. (St. Paul) filed suit against its insured, a subsidiary of the Rosen Hotels and Resorts of Orlando, and asked the court to find that it did not owe coverage for more than $2 million in damages the hotel group incurred as a result of a data breach of its credit card payment network. St. Paul had issued a commercial general liability policy to Rosen Millennium, Inc. (Rosen) for the policy period of February 24, 2014, to February 25, 2015. In February 2016, Rosen began receiving reports of unauthorized charges on customers' cards after they had stayed at Rosen's properties. After retaining forensic investigators, Rosen discovered that malware had been installed on its credit card payment network and that cards used at its properties between September 2014 and February 2016 may have been affected by the breach, a window that falls both during and after the St. Paul policy period.
To comply with state breach disclosure laws, Rosen notified the customers potentially affected, incurring over $100,000 in notification-related costs and fees. In addition, Visa, MasterCard and American Express then sought substantial damages from Rosen (over $2 million) for the breach. While the complaint filed by St. Paul does not address these damages in detail, the merchant services agreements governing a merchant's acceptance of payment cards typically require the merchant to pay such amounts, referred to as PCI DSS (Payment Card Industry Data Security Standard) assessments and/or fines, in the event of such a breach. PCI DSS assessments typically include any counterfeit fraud losses resulting from the fraudulent purchases, together with the related operational and investigative costs incurred by the card company.
In denying coverage, St. Paul asserted that the more than $2.4 million in damages claimed by Rosen were not covered under the policy "because they do not result from bodily injury, property damage, personal injury, or advertising injury under the Policy." St. Paul further asserted that the "fines and penalties" imposed by Visa, MasterCard and American Express were excluded from coverage under the policy's contract liability exclusion.
Rosen, however, should have strong arguments that the general liability policy's definitions of personal injury liability or advertising injury are broad enough to encompass the cyber breach and the resulting damages, including the notification costs. The harder argument for Rosen is overcoming the policy's contract liability exclusion, which precludes coverage for "injury or damage for which the protected person has assumed liability under any contract or agreement." Rosen may assert that the amounts sought by the credit card companies fall within the exclusion's exception for "injury or damage for which the protected person would have liability without the contract or agreement." One court rejected such an application of this exception under a cyber policy, see P.F. Chang's China Bistro, Inc. v. Federal Ins. Co., 2016 WL 3055111 (D. Ariz. May 31, 2016), but policyholders should not be dissuaded: the insurer settled that case after P.F. Chang's appealed the ruling, signaling that the insurer perceived some risk that the appellate court would disagree with its position. Indeed, because many cyber breach coverage issues have yet to be tested in Florida courts, corporate insureds should not be discouraged from taking the fight to the insurer in the face of a coverage denial, and they should consult competent coverage counsel about coverage strategy before a claim is denied.
Further, hospitality insureds should consider cyber-specific policies that may better address evolving cyber risks. Even these products, however, have their limitations, gaps and ambiguities. For example, many cyber policies currently on the market fail to specifically address common liabilities such as PCI DSS assessments by credit card companies, or they offer only limited coverage for these assessments subject to a sublimit. Cyber insurers, like the insurer in P.F. Chang's, may likewise seek to rely on a contractual liability exclusion to preclude coverage for these damages, which may reach into the millions. Knowledgeable coverage counsel and brokers, however, can work together to close these gaps through policy endorsements, such as enhancements providing coverage for PCI DSS and similar assessments, at the time a hospitality insured purchases or renews its policy.