“To Be ExSPECted? Contractual Liability Exclusion Bars PCI Fine Coverage Again”

In Spec’s Family Partners v. The Hanover Insurance Company, the Southern District of Texas became the second court to grapple with the interaction among Payment Card Industry (PCI) fines, payment card processor contracts and the infamous contractual liability exclusion that is still present in many cyberinsurance policies.

You can read about the first court to do so here.  Spoiler: also no coverage.

Spec’s, a family-owned retail chain, suffered two data breaches of its payment card system resulting in the loss of customer information and credit card numbers.  Spec’s processed its credit transactions through a third party, First Data Merchant Services.  Following the breaches, First Data was fined almost $10 million by MasterCard and Visa.  First Data invoked the indemnification provision in its processor agreement and demanded that Spec’s pay the fines.

Spec’s tendered to Hanover, arguing that its policy covered PCI fines like the ones levied by MasterCard and Visa.  The court, however, found that the fines were levied against First Data, not Spec’s.  Because First Data was demanding contractual indemnification from Spec’s, and Spec’s was seemingly not directly responsible for the fines, the Court held that the policy’s contractual liability exclusion barred coverage.  NOTE: The Spec’s decision is currently on appeal in the Fifth Circuit.

Increasingly, businesses buy explicit PCI fine coverage, believing that this additional protection, often at an additional cost, shields them from one of the most dangerous looming cyber liabilities in the retail industry.  PCI fines are difficult to predict in amount and almost impossible to fight at the administrative level.  They are, however, increasingly likely to follow data breaches that compromise credit card information.  Because many businesses use intermediary payment card processors, these fines are often assessed against third-party processors rather than insureds.  And then you’re in the same boat as Spec’s.

Unless.

Policy language should recognize business realities so that the party bearing ultimate responsibility for PCI fines, and purchasing coverage for them, gets what it reasonably expected it was buying.  While a processor contract may stand between the retailer and the fines, it’s clear where ultimate liability will land.  Policies purporting to sell PCI fine coverage should therefore be equally clear in providing coverage when this increasingly familiar fact pattern falls into place.