WIN Magazine - Fall 2017 - 25

In 2013, Hotel Monteleone was the
victim of a cyber-attack, which resulted
in PCI liabilities in excess of $200,000.³
After the incident, the hotel purchased
a cyber insurance policy through Eustis
Insurance Co. ("Eustis") to protect itself
against similar future losses. The broker advised the hotel that the policy
would cover against similar losses
in the future and contained general
limits of $3 million. Approximately
one year later, Hotel Monteleone was
again the victim of a cyber-attack.
When the hotel made a claim for
its losses, the hotel learned to its
detriment that the policy contained
a sub-limit of $200,000 for PCI fines,
penalties and assessments. The hotel
was denied coverage for the very
type of insurance it sought out after
the first loss and in turn sued Eustis.
The case ultimately settled for an
undisclosed amount.

Businesses that process credit card
transactions are required to sign a
"Merchant Services Agreement," contractually agreeing to comply with
the PCI-DSS (Payment Card Industry
Data Security Standards). Credit card
breaches are often discovered after the
business's merchant bank or card brand
finds multiple fraudulent charges used
at one common point. Should the business be the common point, the business itself will be contractually bound
to conduct a forensic investigation to
determine the scope of the breach and
whether the business was PCI-DSS
compliant at the time. These forensic
costs can be extreme. Additionally, the
payment card brands will be looking to
recoup their operational expenses, such
as for card re-issuance, notification or
counterfeit fraud recoveries incurred
in connection with the breach. Also,
any non-compliance with the PCI-DSS
will result in fines, based on the breach
and size of the business. Some insurers
offer coverage for PCI fines and penalties only via a sub-limit. Other insurers
have expanded the coverage to include
fraud assessments, card re-issuance
costs or forensic investigation costs,
either with full policy limits or via a

An example of failing to procure coverage for PCI fines involves P.F. Chang's
("Chang's") which had a cyber insurance policy through Federal Insurance
Co. ("Chubb"). After Chang's purchased
the cyber insurance policy from Chubb,
Chang's experienced a breach in which
hackers obtained 60,000 credit card
numbers belonging to its customers.
Chubb marketed the policy purchased
by Chang's as "a flexible insurance solution designed by cyber risk experts" that
"covers direct loss, legal liability, and
consequential loss resulting from cyber
security breaches." When Chang's sought
$2 million in reimbursement for credit
card related costs, Chubb denied the
coverage. Chubb claimed that Chang's
had no reasonable expectation of coverage. Chang's filed suit against Chubb.
The court granted summary judgment
in favor of Chubb. The case is currently
being appealed by Chang's. The policy
that was sold to Chang's was sold to cover
the full breadth of cyber risks, and yet,
$2 million (not to mention the subsequent legal fees) was not covered because
of insufficient PCI fines coverage.

Cyber policy representations and warranties often require insureds to represent and warrant they are maintaining
proper administrative and technical security controls. These warranty
statements can be highly technical in
nature. As a result, the insured
understands neither the warranties themselves nor the implications of signing
them.

Columbia Casualty Company v.
Cottage Health Systems ("Cottage")
arises out of a data breach that resulted
in the release of 32,500 patient records.
Cottage had prepared for an event like
this by previously purchasing an insurance policy from Columbia. However,
within that policy Cottage had answered
affirmatively to a series of risk control
assessment questions, which included
implementing and maintaining certain
protocols to help prevent breaches.

Columbia filed a complaint against
Cottage asserting that an exclusion
within the policy provided that Columbia
would not be liable if a loss was the result
of failing to implement and maintain
the protocols. (The court dismissed the
complaint based on an alternative dispute clause in the policy.) This coverage
dispute might have been avoided had
Cottage been advised of what was in
the representations and warranties, and
then simply followed them.

As we said in the last issue of WIN, the
learning curve with cyber insurance
is steep because technology is rapidly
changing; as we have seen even over
the past several months, hackers are
becoming more sophisticated and the
laws are constantly evolving - like the
NAIC Model Law that has now been
released. There is no question that brokers are in a conundrum. No policy is
one-size-fits-all in the cyber insurance
world. At a minimum, cyber insurance
brokers should be asking the right questions to ensure the business is covered
for potential losses from a cyber breach.
Rigorous training and education is the
best way for agents and brokers to prepare themselves. As Benjamin Franklin
once said, "An investment in knowledge
pays the best interest."


1 F.T.C. v. Wyndham Worldwide Corp., 10 F. Supp.
3d 602, 608 (D.N.J. 2014).
2 John Jo & Alicia Gilleskie, Cybersecurity Insurance -
One size does not fit all, Smith Anderson, http://
3 New Hotel Monteleone, LLC v. Eustis Insurance, et al.
Copy of Complaint available at

Elizabeth S. Fitch, CIPP/US,
is Managing Partner with
the Righi Fitch Law Group in
Phoenix, AZ; contact her at

Theodore M. Schaer,
CIPP/US, is a partner in
the Zarwin, Baum, DeVito,
Kaplan, Schaer & Toddy
law firm in Philadelphia,
PA; contact him at