Credit Card Data Breaches: Protecting
Your Company from the Hidden
Surprises
March 9, 2016
Authors/Presenters
David A. Zetoony
Partner
Boulder, Colorado
david.zetoony@bryancave.com
Debit and credit cards are now the primary form of retail
payment. One source estimates that 60 percent of all
retail transactions involve a payment card – far
surpassing cash or checks as the preferred method of
payment.[1] Most retailers do not realize, however, that by
accepting credit cards, they expose themselves to the
risk of a data security breach and significant potential
costs and legal liabilities. David Zetoony and Courtney
Stout’s whitepaper[2], Credit Card Data Breaches:
Protecting Your Company from the Hidden Surprises,
explains the key risks that a retailer faces following a data
security breach of its payment card systems as well as the potential for addressing some of
those risks through the purchase of cyber-insurance.
The whitepaper is divided into two parts with the first part assessing the risk to a retailer from a
credit card data breach and the second addressing insurance coverage gaps.
In the first part, the authors spell out the major sources of direct costs for retailers following a
data breach. These costs always include the retaining of a PCI (payment card industry) certified
forensic investigator as required by the PCI Council. Costs also typically include the retaining of
a privileged forensic investigator (often by the retailer’s law firm or general counsel); the hiring
of outside counsel; public relations and crisis management; and consumer notification including
printing and mailing costs and protection services offered to consumers.
In addition to the direct costs following a data breach, retailers often face three forms of liability
from third parties: payment card brand fees; regulatory costs arising from investigations by, for
example, the FTC, SEC and State Attorneys General; and class action exposure. Payment
brands can assess more than 25 different contractual penalties, fines, adjustments, fees and
charges upon a retailer following a PCI data security breach.
Contrary to what many retailers believe, retailers are typically not shielded from liability by their
card processor or device manufacturers in the event of a payment card data breach. The “fine
print” in the contracts for these products or services usually includes a number of provisions
that place the liability on the retailer.
In the second part of the whitepaper, the authors provide readers with a checklist to help them
evaluate whether a cyber-insurance policy is needed, and whether the policy they are considering
provides appropriate coverage, retention and limits in light of the costs detailed earlier.
[1] Claes Bell, “Cash No Longer King In Retail,” Bankrate.com (June 6, 2012).
[2] Suzanne Gladle of McGriff, Seibels & Williams, Inc. contributed to the whitepaper.