The hospitality industry is often thought of as one of the most attractive targets for a data breach. It doesn’t take much thought to understand why: the sheer volume of credit card and personally identifiable information that runs through restaurants, bars, hotels, etc., is daunting. When you take into account the information they receive from things like rewards/customer loyalty programs, that figure only continues to grow.
We could write an entire series of blog posts about managing cyber risk for the hospitality industry, but we’re just going to focus on one item for today: coverage for PCI Fines & Penalties. PCI stands for Payment Card Industry (as in the Payment Card Industry Security Standards Council). This organization helps merchants and financial institutions understand and implement best practices for securing the collection, storage, and transmission of payment card data (credit card numbers, PINs, expiration dates, etc.). When a business decides to offer the option of paying with credit cards, it will work with a financial institution to put a Merchant Services Agreement (MSA) in place. This agreement will dictate the terms of everything from the lease of POS systems and the fees charged to swipe credit cards to the liability of both parties in the event of a data breach. The MSA will also dictate that the merchant is required to comply with PCI security standards.
If you are in the hospitality business, this MSA is a great place to begin assessing your data breach risk. As you review the agreement, you’ll likely find that all of the liability for a data breach has been passed from the financial institution to the merchant who swipes the card (or accepts it online). In addition, if the breach was caused by a lapse in PCI security standards, then the “Card Association” (think: Visa, Mastercard, Europay, etc.) will fine your financial institution. Not surprisingly, your financial institution will pass those fines on to you. They can range anywhere from $5,000 to $100,000 for each month that standards were lapsed.
Here are a few key takeaways:
- Review your merchant services agreement and know exactly what liabilities you have retained by signing the agreement. Talk with your advisors to determine your level of comfort with this risk.
- If you have cyber liability insurance, make sure that coverage for PCI Fines & Penalties is included, and make sure it is not sublimited to a prohibitively low amount. While this coverage is typically available from any good cyber carrier, it is not standard on all policies. Read this article about the recent P.F. Chang’s data breach for the most glaring example of this issue.
- Finally, if you don’t have cyber liability insurance, and you do take credit cards, now is the time to begin pursuing it. I often hear from my clients, “I don’t need cyber; I’ve got the best IT guys in the business.” That’s good! In cyber, the best defense is a great defense, and a good IT professional is worth their weight in gold. However, even though our office has a sprinkler system, I’m glad that we still have fire insurance. Perfect systems can still fail; just ask the captain of the Titanic. When they do, it’s good to know you have a backstop.
Your Property & Casualty Consultant is happy to discuss your cyber risks and insurance options with you.
Let us know how we can help.