Cyber Insurance for Fines and Penalties Part II – Self-Regulating Organization Assessments, Including PCI-DSS Fines and Penalties, Insurance Policyholder Advocate
Merchants that honor payment cards are sponsored into a payment card network by an "acquiring bank", with whom the merchant enters into a merchant services agreement ("MSA"). At the time of a sale, merchants submit card information to the acquiring bank, which then passes it through the payment card network to the cardholder's payment card issuer, called the "issuing bank". Once approved, the funds follow the same path in reverse.
In the event of a data breach, a payment card brand may assess fines or other amounts on the acquiring bank. The acquiring bank will then deduct that assessment directly from the merchant's account. Litigation sometimes ensues.
Coverage is available under cyber liability policies for these assessments. For example, one common form provides coverage: "To indemnify the Insured for PCI Fines, Expenses and Costs . . . which the Insured shall become legally obligated to pay . . . ."
However, some policies may not provide such coverage except via endorsement. For example, another widely used form provides:
"Except as otherwise indicated below, the Underwriter will not pay any [loss amounts] . . . based upon, arising out of, or attributable to any taxes, fines or penalties imposed by any self-regulating organization including but not limited to the PCI Security Standards Council or similar organization, or any rules, programs, by-laws, policies, procedures, regulations or requirements established or imposed by any payment card company."
For a policyholder that seeks coverage for PCI fines and penalties, it is critical to match the potential source of obligation and assessment against the source of insurance. If, for example, an amount is assessed against a merchant under an MSA, but that amount does not fall precisely within the insurance policy terms, there is a risk of a coverage dispute. Consider the phrasing of two competing coverage forms:
Example 1: PCI Fines/Penalties means any fine or penalty expressly defined and quantified under the Payment Card Company Rules for a violation of a PCI Standard; however, PCI Fines/Penalties will not mean and We will not be obligated to pay: . . . any amounts not expressly defined under the Payment Card Company Rules for a violation of a PCI Standard; . . . [or] any amounts representing a discretionary fine, whether such amount is assessed against You or a merchant bank or payment processor with whom You have a written agreement to pay such fines . . .
Example 2: "Loss" means . . . amounts payable in connection with a PCI-DSS Assessment. . . . "PCI-DSS Assessment" means any written demand received by an Insured from a Payment Card Association (e.g., MasterCard, Visa, American Express) or bank processing payment card transactions (i.e., an "Acquiring Bank") for a monetary assessment (including a contractual fine or penalty) in connection with an Insured's non-compliance with PCI Data Security Standards which resulted in a Security Failure or Privacy Event.
Example 1 requires the fine or penalty to be "expressly defined and quantified", whereas Example 2 appears to use broader language. Moreover, Example 1 appears to require a violation of a PCI Standard, whereas Example 2 includes amounts payable "in connection with" a PCI-DSS Assessment.
Insurance questions can arise when: (1) it is not clear exactly what has been assessed; (2) the authority for the assessment is itself unclear; or (3) the policy language is too constrained. A federal district court addressed this situation in a non-insurance context as part of the Schnuck Markets security breach. In Schnuck Markets, Inc. v. First Data Merchant Data Svcs. Corp., 4:13-CV-2226-JAR (E.D. Mo. Jan. 15, 2015), a grocery store chain reportedly suffered a serious cyber attack that compromised the data for numerous payment card holders. Following a PCI-DSS investigation and adjudication through private processes, the payment card brands assessed an amount believed to be several million dollars against the acquiring bank for purposes of reimbursing the issuing banks. The acquiring banks and processors thereafter sought indemnity from the merchant, which claimed to have a limitation of liability of $500,000, with two exceptions: (1) a $3 million limit for PCI-DSS noncompliance; and (2) no limit of liability for "third party fees, and fees, fines or penalties" assessed by the card brands.
The court considered whether amounts assessed by two payment card processors against Schnuck, the merchant, were "fees, fines or penalties" within the meaning of an indemnification given by the merchant. The court observed that the MSA and associated documents never defined "fees, fines or penalties," resulting in a consideration of the "ordinary meaning" of the phrase. The court then reasoned that, because the dictionary definition of fines and penalties means "to punish," amounts paid to reimburse the issuing banks for their losses are not punishments. Therefore, the court concluded, the amounts assessed against the merchants were not "fines or penalties." (The court also concluded that the assessments were not "fees" because the assessments were not imposed against the merchant in return for a service.)
As a consequence of an apparent ambiguity in the source of payment card brand assessments, and the absence of defined terms for "fees, fines and penalties," the merchant in Schnuck Markets was able to shield itself from an indemnification obligation in excess of the $500,000 limitation. However, these same factors illustrate the importance of wording in the case of coverage for PCI-DSS fines and penalties.
Cyber insurance is available to soften the blow of PCI-DSS non-compliance assessments that occur in the wake of a cyber attack or other breach. Policyholders should consider reviewing their policies against their MSA and associated documents, and testing policy language against probable loss scenarios, to maximize the prospect of an insurance recovery.
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.