Everyone is a potential target to a cyberattack! We hear and read about cyber security every day. In fact, we hear and read about it so much that it has become a nuisance in our daily lives. The hospitality industry accounted for the second largest share of data breaches among all others last year. Since we all do business through the internet, we must protect ourselves from those who want to harm us and steal from us. Not every policy refunds losses from cyberattack loss. Cyber insurance can be a very small investment to secure your business when compared to the cost of a breach. Orlando Sentinel breaks down costs associated with a data breach at Rosen Hotel & Resorts last year – fees that could ultimately affect your hotel company in the event of an attack.
A data breach at Rosen Hotels & Resorts last year threatens to cost the company more than $2.4 million, according to Rosen’s insurance company.
Visa and Mastercard have slapped Rosen with $1 million fees. Its insurance company, St. Paul Fire & Marine, is refusing to cover the damages, saying Rosen didn’t buy the right policy. And the costs could continue to grow if Rosen faces additional legal claims from customers, according to the lawsuit.
The lawsuit also underscores the fact that commercial liability insurance often doesn’t cover a company for a data breach.
Rosen warned its customers in March 2016 that its payment data “may have been” breached by malware programs that started about 18 months earlier.
A report sponsored by IBM last year said that the average total cost of a data breach, worldwide, is about $4 million.
The insurance lawsuit was filed Monday in Orlando federal court against Rosen’s sister company Rosen Millennium Technology Group. The technology company includes hotel founder Harris Rosen as chairman and president, along with other Rosen Hotels executives. Mary Deatrick, spokeswoman for Rosen, said the company declines to comment on the litigation.
The insurance company says Rosen had a commercial general liability policy that doesn’t cover the data breach incident, but the lawsuit gives no further reason for St. Paul’s decision.
“A significant breach will cost a company millions of dollars between forensic firm costs, attorney’s fees, notification services, regulatory fines and damages from civil lawsuits. The policies don’t need to be huge, but they should be buying something,” Saikali said.
Chris Burgio, vice president at Marsh & McLennan in Fort Lauderdale, sells data breach insurance. He said more firms are buying data breach policies, but recent studies show only about 20 percent of companies have them. A study by Marsh in 2016 said the hospitality industry was among the slowest to buy insurance for data breaches, with only 15 percent of hospitality and gaming companies buying specific policies for data breaches.
Any detailed information about the cost of a data breach can be a cautionary tale to other companies, payment industry consultant Allen Weinberg said.
“All these companies dread data breaches. They have to hire outside help. It’s a big headache,” Weinberg said. “The fines are usually related to the cards that were compromised. I believe the proceeds are used in part to compensate the banks and issuers to re-issue cards.”
St. Paul Fire & Marine is seeking a judge’s order declaring that Rosen’s policy doesn’t require St. Paul to cover the costs of the data breach, which spanned September 2, 2014, through February 18, 2016. According to the suit, Rosen asked the insurance company for information about its coverage, and the company responded with a denial-of-coverage letter.
Rosen has several hotel properties in Central Florida, including the 1,500-room Rosen Centre on International Drive.
In a news release announcing the breach, Rosen said it had been informed of a “pattern of unauthorized charges occurring on payment cards after they had been used by some of our guests during their stay,” and that “an unauthorized person installed malware” on its payment-card network, which searched for data read from the magnetic strip of payment cards.
Weinberg said it’s possible that Rosen’s customer-payment data was stolen but wasn’t used for a period of time.
Since 2015, the banking industry has recommended using cards with micro-chips instead of magnetic strips. As of October 2015, banks and payment companies have said they will hold merchants liable for stolen data from magnetic-strip cards.
Last year, Rosen said it had implemented “enhanced security measures” to help prevent data theft. It had also set up a dedicated hotline for a period time for customers with questions about the breach.