A data breach at Rosen Hotels & Resorts last year threatens to cost the company more than $2.4 million, according to Rosen's insurance company.
Visa and Mastercard have each slapped Rosen with a $1 million fee. Its insurance company, St. Paul Fire & Marine, is refusing to cover the damages, saying Rosen didn't buy the right policy. And the costs could continue to grow if Rosen faces additional legal claims from customers, according to the lawsuit.
The lawsuit also underscores the fact that commercial liability insurance often doesn't cover a company for a data breach.
Rosen warned its customers in March 2016 that its payment data "may have been" breached by malware programs that started about 18 months earlier.
According to the new lawsuit, Rosen has since been hit with a pair of $1 million fines from Visa and Mastercard; a $128,830 fine from American Express; $50,000 in attorneys' fees; $40,000 in costs to send notifications to clients; $15,000 in fees to a crisis-management firm; and a bill for $150,000 to a data-forensics team that identified the breach.
A report sponsored by IBM last year said that the average total cost of a data breach, worldwide, is about $4 million.
The insurance lawsuit was filed Monday in Orlando federal court against Rosen's sister company Rosen Millennium Technology Group. The technology company includes hotel founder Harris Rosen as chairman and president, along with other Rosen Hotels executives. Mary Deatrick, spokeswoman for Rosen, said the company declines to comment on the litigation.
The insurance company says Rosen had a commercial general liability policy that doesn't cover the data breach incident, but the lawsuit gives no further reason for St. Paul's decision.
Companies' failure to buy insurance for data breaches creates a big problem in corporate America, said Alfred Saikali, an attorney who specializes in cyber security law at the Miami office of Shook Hardy & Bacon.
"A significant breach will cost a company millions of dollars between forensic firm costs, attorney's fees, notification services, regulatory fines and damages from civil lawsuits. The policies don't need to be huge, but they should be buying something," Saikali said.
Chris Burgio, vice president at Marsh & McLennan in Fort Lauderdale, sells data breach insurance. He said more firms are buying data breach policies, but recent studies show only about 20 percent of companies have them. A study by Marsh in 2016 said the hospitality industry was among the slowest to buy insurance for data breaches, with only 15 percent of hospitality and gaming companies buying specific policies for data breaches.
Any detailed information about the cost of a data breach can be a cautionary tale to other companies, payment industry consultant Allen Weinberg said.
"All these companies dread data breaches. They have to hire outside help. It's a big headache," Weinberg said. "The fines are usually related to the cards that were compromised. I believe the proceeds are used in part to compensate the banks and issuers to re-issue cards."
St. Paul Fire & Marine is seeking a judge's order declaring that Rosen's policy doesn't require St. Paul to cover the costs of the data breach, which spanned September 2, 2014, through February 18, 2016. According to the suit, Rosen asked the insurance company for information about its coverage, and the company responded with a denial-of-coverage letter.
Rosen has several hotel properties in Central Florida, including the 1,500-room Rosen Centre on International Drive.
In a news release announcing the breach, Rosen said it had been informed of a "pattern of unauthorized charges occurring on payment cards after they had been used by some of our guests during their stay," and that "an unauthorized person installed malware" on its payment-card network, which searched for data read from the magnetic stripe of payment cards.
Weinberg said it's possible that Rosen's customer-payment data was stolen but wasn't used for a period of time.
Since 2015, the banking industry has recommended using cards with microchips instead of magnetic stripes. As of October 2015, banks and payment companies have said they will hold merchants liable for data stolen from magnetic-stripe cards.
Last year, Rosen said it had implemented "enhanced security measures" to help prevent data theft. It had also set up a dedicated hotline for a period of time for customers with questions about the breach.