Credit Card Data Breaches: Protecting Companies from Hidden Surprises

Posted on 11-08-2016

 

By: David A. Zetoony, Bryan Cave LLP and Courtney K. Stout, Davis Wright Tremaine LLP.

MOST RETAILERS DO NOT REALIZE THAT BY ACCEPTING credit cards they expose themselves to the risk of a data security breach and significant costs and legal liabilities. This article examines the key risks that a retailer faces following a data security breach of its payment card systems as well as the potential for addressing some of those risks through the purchase of cyber insurance.

The major sources of direct costs for retailers following a data breach often include retaining a forensic investigator certified by the payment card industry (PCI). Costs also typically include retention of a privileged forensic investigator (often by the retailer’s law firm or general counsel); the hiring of outside counsel; public relations and crisis management; and consumer notification, including printing and mailing costs and protection services offered to consumers.

In addition to the direct costs following a data breach, retailers often face three forms of liability from third parties, including:

  • Payment card brand fees
  • Regulatory costs arising from investigations by the Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), and state attorneys general
  • Class action exposure

Payment brands can assess more than 25 different contractual penalties, fines, adjustments, fees, and charges upon a retailer following a PCI data security breach.

Retailers are typically not shielded from liability by their card processor or device manufacturers in the event of a payment card data breach. The fine print in the contracts for these products or services usually includes a number of provisions that place the liability on the retailer.

Assessing the Risk to a Retailer from a Credit Card Data Breach

One source estimates that 60% of all retail transactions involve a payment card—far usurping cash or checks as the preferred method of payment.1 This section explains the key risks that a retailer faces following a data security breach of their payment card systems.

What Are a Retailer’s Major Sources of Direct Costs (First-Party Costs or Claims) Following a Data Breach?

Retailers typically incur significant direct costs upon experiencing a payment card data breach. These often include the following investigation and external vendor costs.

PCI Certified Forensic Investigator

The payment brand’s operating rules permit them to require that a retailer retain one of 14 forensic investigator firms certified by the payment card industry (PCI) council. These PCI-certified forensic investigators (PFIs) must be paid for by a retailer but are required to report their findings to the payment brands. Those findings include the opinion of the PFI as to whether the retailer was in compliance with the PCI data security standards at the time that the breach occurred, when the breach began, how long the breach lasted, and the number of payment cards that may have been exposed in connection with the breach. The payment brands use these findings as a basis for imposing fees.

Privileged Forensic Investigator

In addition to a PFI, many retailers choose to retain a second forensic investigator. The second investigator is often retained by the retailer’s law firm or general counsel and is used to help provide the retailer’s attorneys with facts and information needed to provide legal advice to the retailer. For example, the privileged forensic investigator may review the reports and conclusions of the PFI and provide an opinion as to whether the PFI’s analysis is accurate.

Outside Counsel

Outside counsel is typically needed to negotiate agreements between the retailer, the PFI, and the privileged forensic investigator. Outside counsel also provides advice and counseling concerning the potential for the third-party claims discussed in the next section and how to minimize any liability relating to such claims.

Public Relations / Crisis Management

Many retailers retain public relations firms that specialize in crisis communications or specifically in communicating about data security breaches to help them disclose the data breach in a manner that minimizes the impact on the retailer’s brand.

Consumer Notification

Many retailers decide to communicate information about a payment card breach directly to impacted consumers. There are a variety of ways in which such communications can be made. If the retailer decides to communicate directly with consumers, depending upon the quantity of consumers, they may incur significant printing and mailing costs. In addition, some retailers choose to offer impacted consumers credit monitoring, identity theft protection services, or identity theft insurance. The type of services offered, and the duration for which they are offered, impact cost.

What Are a Retailer’s Major Sources of Liability (Third-Party Claims) following a Data Breach?

Following a payment card data breach, retailers often face three forms of liability from third parties: payment card brand fees, regulatory exposure, and class action exposure. Each of these third-party liabilities is summarized below.

Payment Card Brand Fees

Many retailers mistakenly believe that they have no PCIrelated data on their systems and that their payment processor will be liable for any damage arising from a payment card related data breach. Even if the retailer does not knowingly store PCI data, the fact that it is collected by the retailer at the point of sale means that the data exists on the retailer’s network—even if for an extremely short amount of time, sometimes no longer than a millisecond. That is often long enough for malware deployed by hackers to capture payment card data. Indeed, in the past five years, the vast majority of credit card breaches reported by retailers involve a type of malware referred to as ram-scraping, which operates by capturing a consumer’s credit card information right after a credit card is swiped and before it is transferred to the retailer’s payment processor.

When payment card information is stolen from a retailer, it can trigger a series of contractual liabilities that exists across the payment card ecosystem. Specifically, payment brands (Visa, MasterCard, and Discover) have created a number of penalties that they impose upon the banks with which they do business following a credit card breach at a retailer. These penalties take many different forms and are described under many different names by the payment brands. Although they are collectively referred to in this article as fees, the following provides an example of the different categories of penalties that can be imposed by just one payment brand:

  • Security Requirements Noncompliance Fee. Discover Merchant Operating Regulations (Release 14.1) Rules 14.3.2, 14.3.3, 14.4, 17.6.
  • Validation of Security Requirements Noncompliance Fee. Discover Merchant Operating Regulations Rules (Release 14.1) Rule 14.2.
  • Data Security Breach Fee. Discover Merchant Operating Regulations (Release 14.1) Rule 14.3.3.
  • Other Fees and Penalties. Discover Merchant Operating Regulations (Release 14.1) Rule 17.6.

Although they are referred to by many different names, most of the fees are purportedly designed to reimburse the payment brands for costs that they may incur as a result of a breach that occurs at a retailer. The payment brands impose the fees on the merchant bank that permitted the retailer to access the payment card networks and with whom the payment brands have a contractual relationship.

Although the fees are imposed on merchant banks, merchant banks are not expected to pay them. Almost all merchant banks protect themselves from the cost of the fees by contractually requiring the third-party payment processors that work directly with a retailer to process credit card transactions to reimburse the bank if fees are assessed. Third-party payment processors, in turn, protect themselves by contractually requiring that a retailer reimburse them for the fees. As a result, most retailers end up paying the full cost of the fees imposed by the payment brands.

Regulatory Costs

Numerous federal and state agencies have overlapping jurisdiction over retailers. This includes, among others, the FTC, the SEC, and state attorneys general. When a large-scale payment card breach occurs, it is not unusual for more than one agency to investigate the incident.

Class Action Litigation

While only 14.5% of publicly reported breaches relate to the retail industry, nearly 80% of data security breach class actions target retailers. Plaintiffs' attorneys have asserted 24 different legal theories, but there is a growing trend toward lawsuits primarily premised upon theories of negligence, contract, deception, or unfairness. Although the majority of suits that are filed following a payment card breach are dismissed or settled, the costs to defend and settle such claims can be significant.

Is a Retailer Shielded from Liability by Its Card Processor or Device Manufacturers?

Many retailers believe that they will not have liability for a payment card data breach because the companies that provided them with the services, hardware, or software that they use to process credit card transactions will be responsible in the event of a data security breach. As with any contract, the fine print in the contracts for these products or services typically includes a number of provisions that place the liability for a breach on the retailer. These include the following:

  • The processor’s or device manufacturer’s liability for any data breach is often limited to three to twelve months of the fees that a retailer has paid.
  • The liability for any payment card brand fees is placed squarely on the retailer or is within this liability cap. No warranties or indemnities for data security or a breach thereof are included.
  • The vendor is not contractually obligated to comply with the Payment Card Industry Data Security Standard (PCI DSS). Any custom code written to install the device or any custom interface between the retailer’s system and the payment application is typically excluded from any PCI DSS warranty or contractual obligation. In fact, there are often express disclaimers from any PCI noncompliance or breach arising out of this custom code.

Addressing Insurance Coverage

Do Your Existing Policies Cover Data Breaches?

Most retailers know they need insurance to cover traditional risks such as fire, theft, or personal injury. Many retailers are not certain whether they need to purchase insurance to cover the risk of a data breach, and many assume that such risk is already covered by their existing insurance policies.

In analyzing whether your general insurance policies cover the risk of a data breach, retailers should consider the following:

  • Several companies have argued that their losses from a data breach should be covered as “property damage” or “tangible property” under commercial general liability policies (CGL). Most insurers take the position that standard CGL coverage items do not include data security; the result has been several high-profile coverage actions. The outcomes of those suits have been mixed. While some courts have sided with policyholders, others have sided with insurers.2
  • Other companies have tried to argue that the disclosure of personal information as a result of a data breach constitutes “personal & advertising injury” under media liability policies. This too has led to coverage actions with mixed results.
  • Insurance companies are trying to avoid these types of coverage actions by drafting explicit exclusions in most CGL and media policies that make clear that cyber events— including data breaches—are not covered unless the insured has purchased a separate cyber policy or cyber endorsement. The result is that companies with more recently drafted policies are less able to argue that traditional CGL or media policies cover data security breaches.

Do You Need Cyber Insurance?

Recently, industry regulators and government agencies weighed in on the value to companies of insurance that is specifically designed to cover part, or all, of the costs of a data security breach (cyber insurance). In September 2015, Deputy Treasury Secretary Sarah Raskin asked the insurance industry to help protect against cyber threats.3 In addition, the SEC has started to focus on cybersecurity in its examination procedures, and examiners now gather information on cybersecurity controls—including specific information related to cyber insurance and coverage.4 While in 2014 only 31% of companies had purchased cyber insurance,5 the percentage has risen significantly due to a number of factors, such as the increased cost of data breaches, the growing number of insurance companies offering cyber insurance policies, and the improved breadth of coverage available. In determining whether you need cyber insurance, retailers should ask the following questions:

  • What are the first-party costs that my organization would incur in the event of a typical data breach and in the event of a catastrophic data breach?
  • Without insurance, would those first-party costs pose a significant risk to my organization, my capital flow, or my earnings?
  • Does the cyber insurance policy I am considering cover those first-party costs?
  • What are the total third-party costs that my organization would incur in the event of a typical data breach and in the event of a catastrophic data breach?
  • Without insurance, would those third-party costs pose a significant risk to my organization, my capital flow, or my earnings?
  • Does the cyber insurance policy I am considering adequately cover the third-party costs that we might incur?
  • Are any of our regulators adding cyber insurance as a key factor in evaluating a company’s cyber preparedness?

Answering these questions can be difficult. The first-party and third-party costs that an organization might incur can differ dramatically depending on the industry in which your organization operates and the quantity of credit card transactions that your organization processes. Furthermore, cyber insurance policies differ dramatically in terms of what they cover, what they exclude, and the amount of retentions (the amount of money for which the organization is responsible before the policy provides reimbursement to the organization).

Practical Tips for Coverage Selection

Look for variety in both coverage breadth and breach response service features.

The cyber insurance market has evolved considerably, and there is much variety in both coverage breadth and breach response service features. Companies should not be too quick to accept policy forms with sublimits, stacking retentions, and limiting definitions/exclusions. There are several markets, including many Lloyd’s syndicates, which will write policies with broad insuring agreements and without these drawbacks. This allows the insured to deploy its coverage resources commensurate with the nature and scope of the breach event. Costs for forensic investigations, notification (statutory and voluntary), identity theft restoration services, regulatory investigations, as well as PCI fines, penalties, and assessments (fraud costs and card reissuance fees) are very significant individually as well as collectively.

Even after a company obtains a cyber insurance policy, it must continue to evaluate data security risks and to assess coverage accordingly. Saving a little in premium on the front end can often lead to costly, uninsured, or underinsured expenses.

Watch out for problem language buried in policy definitions, especially if damages is defined to exclude PCI fines, penalties, or assessments.

Additional information concerning how to prepare for, and respond to, a data breach—including how to evaluate cyber insurance—can be found in the Data Security Breaches: Incident Preparedness and Response Handbook, published by the Washington Legal Foundation.6

Pratt’s Privacy and Cybersecurity Law Report, Volume 2-5, Number 04.


David A. Zetoony, a partner at Bryan Cave LLP and the leader of the firm’s global data-privacy and security practice, advises clients on how to comply with state and federal privacy, security, and advertising laws; represents clients before the Federal Trade Commission; and defends national class actions. He may be contacted at david.zetoony@bryancave.com. Courtney K. Stout is counsel at Davis Wright Tremaine LLP, where she is a privacy and security attorney advising clients in the technology, data security, and financial services industries. She may be contacted at courtneystout@dwt.com. Suzanne Gladle, ARM, the director of Cyber Program Operations at McGriff, Seibels & Williams, Inc., contributed to this article. She may be contacted at sgladle@mcgriff.com.


To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Intellectual Property & Technology > Privacy & Data Security > Planning for and Managing a Data Breach > Articles > Preparing a Data Breach Avoidance & Response Plan

Related Content

For a detailed listing of state data breach notification requirements, see

> CHART – OVERVIEW OF STATE DATA BREACH LAWS

RESEARCH PATH: Intellectual Property & Technology > Privacy & Data Security > Planning for & Managinga Data Breach > Practice Notes > Planning for & Managing a Data Breach

For more assistance in preparing a data breach notification letter, see

> PREPARING A BREACH NOTIFICATION LETTER

RESEARCH PATH: Intellectual Property & Technology> Privacy and Data Security > Planning for & Managing a Data Breach > Practice Notes > Planning for & Managing a Data Breach


Copyright © 2016. Matthew Bender & Company, Inc., a member of the RELX Group. All rights reserved. Materials reproduced from Pratt’s Privacy and Cybersecurity Law Report with permission of Matthew Bender & Company, Inc. No part of this document may be copied, photocopied, reproduced, translated or reduced to any electronic medium or machine readable form, in whole in in part, without prior written consent of Matthew Bender & Company, Inc.


1. Claes Bell, Cash No Longer King In Retail, Bankrate.com (June 6, 2012), http://www.bankrate.com/financing/banking/cash-no-longer-king-in-retail/. 2. See, e.g., Acuity v. All-America Phillips Flower Shop, Compl. Ill Cir. Ct., (seeking declaratory action that tangible property does not include electronic data). 3. Remarks by Deputy Secretary Sarah Bloom Raskin at The Center for Strategic and International Studies Strategic Technologies Program (Sept. 10, 2015). 4. U.S. Securities and Exchange Commission, Office of Compliance Inspections and Examinations (OCIE) 2015 Cybersecurity Examination Initiative (Sept. 15, 2015). 5. Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysist 22 (May 2014). 6. Washington Legal Foundation, Data Security Breaches – Incident Preparedness and Response (2014), https://www.bryancave.com/images/content/2/2/v2/2285/DataBreachHandbookValdeteroandZetoony.pdf.