By: David A. Zetoony, Bryan Cave LLP and Courtney K. Stout, Davis Wright Tremaine LLP.
Most retailers do not realize that by accepting credit cards they expose themselves to the risk of a data security breach and to significant costs and legal liabilities. This article examines the key risks that a retailer faces following a data security breach of its payment card systems, as well as the potential for addressing some of those risks through the purchase of cyber insurance.
The major sources of direct costs for retailers following a data breach often include retaining a forensic investigator certified by the payment card industry (PCI). Costs also typically include retention of a privileged forensic investigator (often by the retailer’s law firm or general counsel); the hiring of outside counsel; public relations and crisis management; and consumer notification, including printing and mailing costs and protection services offered to consumers.
In addition to the direct costs following a data breach, retailers often face three forms of liability from third parties, including:
Payment brands can assess more than 25 different contractual penalties, fines, adjustments, fees, and charges upon a retailer following a PCI data security breach.
Retailers are typically not shielded from liability by their card processor or device manufacturers in the event of a payment card data breach. The fine print in the contracts for these products or services usually includes a number of provisions that place the liability on the retailer.
One source estimates that 60% of all retail transactions involve a payment card, far surpassing cash or checks as the preferred method of payment.[1] This section explains the key risks that a retailer faces following a data security breach of its payment card systems.
What Are a Retailer’s Major Sources of Direct Costs (First-Party Costs or Claims) Following a Data Breach?
Retailers typically incur significant direct costs upon experiencing a payment card data breach. These often include the following investigation and external vendor costs.
PCI Certified Forensic Investigator
The payment brands’ operating rules permit the brands to require that a retailer retain one of 14 forensic investigator firms certified by the payment card industry (PCI) council. These PCI-certified forensic investigators (PFIs) must be paid for by the retailer but are required to report their findings to the payment brands. Those findings include the PFI’s opinion as to whether the retailer was in compliance with the PCI data security standards at the time the breach occurred, when the breach began, how long the breach lasted, and the number of payment cards that may have been exposed in connection with the breach. The payment brands use these findings as a basis for imposing fees.
Privileged Forensic Investigator
In addition to a PFI, many retailers choose to retain a second forensic investigator. The second investigator is often retained by the retailer’s law firm or general counsel and is used to help provide the retailer’s attorneys with facts and information needed to provide legal advice to the retailer. For example, the privileged forensic investigator may review the reports and conclusions of the PFI and provide an opinion as to whether the PFI’s analysis is accurate.
Outside Counsel
Outside counsel is typically needed to negotiate agreements between the retailer, the PFI, and the privileged forensic investigator. Outside counsel also provides advice and counseling concerning the potential for the third-party claims discussed in the next section and how to minimize any liability relating to such claims.
Public Relations / Crisis Management
Many retailers retain public relations firms that specialize in crisis communications or specifically in communicating about data security breaches to help them disclose the data breach in a manner that minimizes the impact on the retailer’s brand.
Consumer Notification
Many retailers decide to communicate information about a payment card breach directly to impacted consumers. There are a variety of ways in which such communications can be made. If the retailer decides to communicate directly with consumers, depending upon the number of consumers, it may incur significant printing and mailing costs. In addition, some retailers choose to offer impacted consumers credit monitoring, identity theft protection services, or identity theft insurance. The type of services offered, and the duration for which they are offered, affect the cost.
What Are a Retailer’s Major Sources of Liability (Third-Party Claims) following a Data Breach?
Following a payment card data breach, retailers often face three forms of liability from third parties: payment card brand fees, regulatory exposure, and class action exposure. Each of these third-party liabilities is summarized below.
Payment Card Brand Fees
Many retailers mistakenly believe that they have no PCI-related data on their systems and that their payment processor will be liable for any damage arising from a payment-card-related data breach. Even if the retailer does not knowingly store PCI data, the fact that it is collected by the retailer at the point of sale means that the data exists on the retailer’s network, even if for an extremely short amount of time, sometimes no longer than a millisecond. That is often long enough for malware deployed by hackers to capture payment card data. Indeed, in the past five years, the vast majority of credit card breaches reported by retailers have involved a type of malware referred to as RAM-scraping, which operates by capturing a consumer’s credit card information right after the card is swiped and before it is transferred to the retailer’s payment processor.
When payment card information is stolen from a retailer, it can trigger a series of contractual liabilities that exist across the payment card ecosystem. Specifically, payment brands (Visa, MasterCard, and Discover) have created a number of penalties that they impose upon the banks with which they do business following a credit card breach at a retailer. These penalties take many different forms and are described under many different names by the payment brands. Although they are collectively referred to in this article as fees, the following provides an example of the different categories of penalties that can be imposed by just one payment brand:
Although they are referred to by many different names, most of the fees are purportedly designed to reimburse the payment brands for costs that they may incur as a result of a breach that occurs at a retailer. The payment brands impose the fees on the merchant bank that permitted the retailer to access the payment card networks and with whom the payment brands have a contractual relationship.
Although the fees are imposed on merchant banks, merchant banks are not expected to pay them. Almost all merchant banks protect themselves from the cost of the fees by contractually requiring the third-party payment processors that work directly with a retailer to process credit card transactions to reimburse the bank if fees are assessed. Third-party payment processors, in turn, protect themselves by contractually requiring that a retailer reimburse them for the fees. As a result, most retailers end up paying the full cost of the fees imposed by the payment brands.
Regulatory Exposure
Numerous federal and state agencies have overlapping jurisdiction over retailers. These include, among others, the FTC, the SEC, and state attorneys general. When a large-scale payment card breach occurs, it is not unusual for more than one agency to investigate the incident.
Class Action Litigation
While only 14.5% of publicly reported breaches relate to the retail industry, nearly 80% of data security breach class actions target retailers. Plaintiffs' attorneys have asserted 24 different legal theories, but there is a growing trend toward lawsuits primarily premised upon theories of negligence, contract, deception, or unfairness. Although the majority of suits that are filed following a payment card breach are dismissed or settled, the costs to defend and settle such claims can be significant.
Is a Retailer Shielded from Liability by Its Card Processor or Device Manufacturers?
Many retailers believe that they will not have liability for a payment card data breach because the companies that provided them with the services, hardware, or software that they use to process credit card transactions will be responsible in the event of a data security breach. As with any contract, the fine print in the contracts for these products or services typically includes a number of provisions that place the liability for a breach on the retailer. These include the following:
Do Your Existing Policies Cover Data Breaches?
Most retailers know they need insurance to cover traditional risks such as fire, theft, or personal injury. Many retailers are not certain whether they need to purchase insurance to cover the risk of a data breach, and many assume that such risk is already covered by their existing insurance policies.
In analyzing whether your general insurance policies cover the risk of a data breach, retailers should consider the following:
Do You Need Cyber Insurance?
Recently, industry regulators and government agencies weighed in on the value to companies of insurance that is specifically designed to cover part, or all, of the costs of a data security breach (cyber insurance). In September 2015, Deputy Treasury Secretary Sarah Raskin asked the insurance industry to help protect against cyber threats.[3] In addition, the SEC has started to focus on cybersecurity in its examination procedures, and examiners now gather information on cybersecurity controls, including specific information related to cyber insurance and coverage.[4] While in 2014 only 31% of companies had purchased cyber insurance,[5] the percentage has risen significantly due to a number of factors, such as the increased cost of data breaches, the growing number of insurance companies offering cyber insurance policies, and the improved breadth of coverage available. In determining whether you need cyber insurance, retailers should ask the following questions:
Answering these questions can be difficult. The first-party and third-party costs that an organization might incur can differ dramatically depending on the industry in which your organization operates and the quantity of credit card transactions that your organization processes. Furthermore, cyber insurance policies differ dramatically in terms of what they cover, what they exclude, and the amount of retentions (the amount of money for which the organization is responsible before the policy provides reimbursement to the organization).
Look for variety in both coverage breadth and breach response service features.
The cyber insurance market has evolved considerably, and there is much variety in both coverage breadth and breach response service features. Companies should not be too quick to accept policy forms with sublimits, stacking retentions, and limiting definitions or exclusions. There are several markets, including many Lloyd’s syndicates, that will write policies with broad insuring agreements and without these drawbacks. This allows the insured to deploy its coverage resources commensurate with the nature and scope of the breach event. Costs for forensic investigations, notification (statutory and voluntary), identity theft restoration services, regulatory investigations, and PCI fines, penalties, and assessments (fraud costs and card reissuance fees) are very significant individually as well as collectively.
Even after a company obtains a cyber insurance policy, it must continue to evaluate data security risks and to assess coverage accordingly. Saving a little in premium on the front end can often lead to costly, uninsured, or underinsured expenses.
Watch out for problem language buried in policy definitions, especially if “damages” is defined to exclude PCI fines, penalties, or assessments.
Additional information concerning how to prepare for, and respond to, a data breach, including how to evaluate cyber insurance, can be found in the Data Security Breaches: Incident Preparedness and Response Handbook, published by the Washington Legal Foundation.[6]
Pratt’s Privacy and Cybersecurity Law Report, Volume 2-5, Number 04.
David A. Zetoony, a partner at Bryan Cave LLP and the leader of the firm’s global data-privacy and security practice, advises clients on how to comply with state and federal privacy, security, and advertising laws; represents clients before the Federal Trade Commission; and defends national class actions. He may be contacted at email@example.com. Courtney K. Stout is counsel at Davis Wright Tremaine LLP, where she is a privacy and security attorney advising clients in the technology, data security, and financial services industries. She may be contacted at firstname.lastname@example.org. Suzanne Gladle, ARM, the director of Cyber Program Operations at McGriff, Seibels & Williams, Inc., contributed to this article. She may be contacted at email@example.com.
Copyright © 2016. Matthew Bender & Company, Inc., a member of the RELX Group. All rights reserved. Materials reproduced from Pratt’s Privacy and Cybersecurity Law Report with permission of Matthew Bender & Company, Inc. No part of this document may be copied, photocopied, reproduced, translated or reduced to any electronic medium or machine readable form, in whole or in part, without prior written consent of Matthew Bender & Company, Inc.
1. Claes Bell, Cash No Longer King In Retail, Bankrate.com (June 6, 2012), http://www.bankrate.com/financing/banking/cash-no-longer-king-in-retail/.
2. See, e.g., Acuity v. All-America Phillips Flower Shop, Compl. Ill Cir. Ct., (seeking declaratory action that tangible property does not include electronic data).
3. Remarks by Deputy Secretary Sarah Bloom Raskin at The Center for Strategic and International Studies Strategic Technologies Program (Sept. 10, 2015).
4. U.S. Securities and Exchange Commission, Office of Compliance Inspections and Examinations (OCIE) 2015 Cybersecurity Examination Initiative (Sept. 15, 2015).
5. Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis 22 (May 2014).
6. Washington Legal Foundation, Data Security Breaches – Incident Preparedness and Response (2014), https://www.bryancave.com/images/content/2/2/v2/2285/DataBreachHandbookValdeteroandZetoony.pdf.