MERCHANT DATA SECURITY POLICY
Please read the entire policy to determine the named insured's rights and duties and what is and what is not covered under this policy. Words and phrases that appear in boldface are defined in Clause II., DEFINITIONS.
In consideration of the payment of the premium and in reliance upon the statements in the application and its attachments and the material incorporated therein, and made a part hereof, we agree as follows:
I. INSURING AGREEMENTS
A. Data Security Event Expenses
We shall pay the named insured for all reasonable security event expenses and post event services expenses resulting from any data security event first discovered by the named insured during the policy period and reported to us within the notice period.
II. DEFINITIONS
A. Bank card means a financial transaction card, including a debit card, credit card or prepaid card, issued by a card association or a financial institution as a member of a card association.
B. Cardholder means a natural person or entity to which a bank card has been issued.
C. Cardholder information means the data contained on a bank card, or otherwise provided to a merchant, that is required by the card association or the named insured in order to process, approve and/or settle a bank card transaction.
D. Card association means each of Visa International, MasterCard Worldwide, Discover Financial Services, JCB, American Express and any similar credit or debit card association that is a participating organization of the PCI Security Standards Council.
E. Card association assessment means a monetary assessment, fee, fine or penalty levied against a merchant or the named insured by a card association as the result of (i) a data security event or (ii) a security assessment conducted as the result of a data security event. The card association assessment shall not exceed the maximum monetary assessment, fee, fine or penalty permitted upon the occurrence of a data security event by the applicable rules or agreement in effect as of the inception date of the policy period for such card association.
F. Card replacement expenses means the costs that the named insured or a merchant are required to pay by the card association to replace compromised bank cards as the result of (i) a data security event or (ii) a security assessment conducted as the result of a data security event.
G. Data security event means the actual or suspected unauthorized access to or use of cardholder information, arising out of a merchant's possession of or access to such cardholder information, which has been reported (a) to a card association by a merchant or the named insured or (b) to the merchant or the named insured by a card association. All security event expenses and post event services expenses resulting from the same, continuous, related or repeated event or which arise from the same, related or common nexus of facts, will be deemed to arise out of one data security event.
H. Forensic audit expenses means the costs of a security assessment conducted by a qualified security assessor approved by a card association or the PCI Security Standards Council to determine the cause and extent of a data security event.
I. Merchant means each and every entity that enters into an agreement pursuant to which the named insured processes bank card transactions on behalf of such entity.
J. Named insured means the entity indicated in Item 1. of the Declarations.
K. Notice period means the sixty (60) day period of time the named insured shall have to notify us that a data security event has occurred. The notice period shall commence immediately upon first discovery of the data security event by the named insured.
L. Policy means this policy and any endorsements attached hereto, together with the application with any attachments thereto and material incorporated therein.
M. Policy period means the period commencing on the effective date specified in Item 2. of the Declarations and ending on the earlier of either the expiration date specified in Item 2 of the Declarations or the effective date of cancellation of this policy.
N. Pollutants means, but are not limited to, any solid, liquid, gaseous, biological, radiological or thermal irritant or contaminant, including smoke, vapor, dust, fibers, mold, spores, fungi, germs, soot, fumes, asbestos, acids, alkalis, chemicals and waste. "Waste" includes, but is not limited to, materials to be recycled, reconditioned or reclaimed and nuclear materials.
O. Post event services expenses means reasonable fees and expenses incurred by the named insured or a merchant with our prior written consent, for any service specifically approved by us in writing, including without limitation, identity theft education and assistance and credit file monitoring. Such services must be provided by or on behalf of the named insured or a merchant within one (1) year following discovery of a data security event covered under this policy to a cardholder whose cardholder information is the subject of that data security event for the primary purpose of mitigating the effects of such data security event.
P. Security event expenses means card association assessments, forensic audit expenses and card replacement expenses.
Q. We, us and our mean the insurer issuing this policy.
III. DUTIES IN THE EVENT OF A DATA SECURITY EVENT
A. Before coverage will apply under this policy, the named insured shall notify us in writing as soon as practicable within the notice period of an actual or alleged data security event first discovered by the named insured during the policy period. Notice must include:
- The name of the merchant;
- A description of the data security event;
- The number of cardholders affected by the data security event; and
- A copy of all notices and correspondence from the named insured, the merchant, or a card association concerning the data security event.
B. Under all circumstances, the named insured shall not admit any liability, assume any financial obligation, pay any money, or incur any expense in connection with any data security event without our prior written consent. If the named insured does, it will be at the named insured's own expense.
C. The named insured shall take reasonable steps to prevent a data security event and to mitigate the loss arising out of a data security event, including without limitation, following the procedures required by the card associations in the event of a data security event. In all events, no named insured shall take any action, or fail to take any action, without our prior written consent, which prejudices our rights under this policy.
IV. ADDITIONAL OBLIGATIONS
In addition to all other duties and obligations contained elsewhere in this policy:
A. The named insured shall provide us written notice, on a quarterly basis, of the number of merchants under contract to receive bank card processing services from the named insured as of the last day of the calendar quarter. The named insured shall provide us with such notice within fifteen (15) business days after the end of each calendar quarter.
B. The named insured shall allow us to examine and audit all of its records that relate to this policy. We may conduct the audits during regular business hours during the policy period and within three (3) years after the policy period ends; and
C. The named insured shall pay all premium under this policy when due. The named insured shall also be responsible for the giving and receiving of any notice under this policy, including, but not limited to, notice of a data security event and any claim arising out of such data security event.
V. EXCLUSIONS
This policy shall not apply to:
A. any security event expenses and post event services expenses arising out of or resulting, directly or indirectly, from any dishonest, fraudulent, criminal or malicious act, error or omission, or any intentional or knowing violation of the law, if committed by the named insured's:
- directors, officers, trustees, governors, management committee members, members of the management board or partners (or the equivalent positions), whether acting alone or in collusion with other persons; or
- employees (other than officers) if any of the named insured's elected or appointed officers possessed knowledge of any such:
a) dishonest, fraudulent, malicious or criminal act, error or omission;
b) intentional or knowing violation of the law or the privacy policy of the named insured, or
c) gaining of any profit or advantage to which the named insured is not legally entitled; prior to or at the time (a), (b) or (c) above were committed;
B. any data security event caused by or resulting, directly or indirectly, from an act, error or omission of the named insured, including, without limitation, (i) the disclosure of any cardholder information by the named insured, its employees or any person or entity to whom the named insured provides cardholder information, or (ii) any failure of the named insured's security, computer system or payment processing network; provided however, this exclusion does not apply to the actual or alleged failure of the named insured to monitor the operations of, or the security procedures or computer systems used by, any merchant;
C. any security event expenses and post event services expenses arising out of or resulting from a claim, suit, action or proceeding against the named insured or a merchant that is brought by or on behalf of any federal, state or local government agency;
D. any data security event relating to a merchant which has experienced a prior data security event unless such merchant was later certified as PCI compliant by a qualified security assessor;
E. any data security event arising out of a merchant allowing any party (other than its employees or the named insured) to hold or access cardholder information;
F. any data security event involving: (i) a merchant categorized by any card association as "Level 1" or (ii) a merchant that processed more than six million (6,000,000) bank card transactions during the twelve month period prior to the policy period;
G. any expenses, other than security event expenses and post event services expenses, incurred by the named insured or a merchant, arising out of or resulting, directly or indirectly, from a data security event, including without limitation, expenses incurred to bring a merchant into compliance with the PCI Data Security Standard or any similar security standard;
H. any security event expenses, and post event services expenses arising out of or resulting, directly or indirectly, from physical injury, sickness, disease, disability, shock or mental anguish sustained by any person, including without limitation, required care, loss of services or death at any time resulting therefrom;
I. any security event expenses, and post event services expenses arising out of or resulting, directly or indirectly, from any of the following:
- fire, smoke, explosion, lightning, wind, water, flood, earthquake, volcanic eruption, tidal wave, landslide, hail, an act of God or any other physical event, however caused;
- strikes or similar labor action, war, invasion, act of foreign enemy, hostilities or warlike operations (whether declared or not), civil war, mutiny, civil commotion assuming the proportions of or amounting to a popular rising, military rising, insurrection, rebellion, revolution, military or usurped power, or any action taken to hinder or defend against these actions; or
- electrical or mechanical failures, including any electrical power interruption, surge, brownout or blackout; a failure of telephone lines, data transmission lines, satellites or other infrastructure comprising or supporting the Internet, unless such lines or infrastructure were under the named insured's operational control;
J. any security event expenses, and post event services expenses arising out of or resulting, directly or indirectly, from the presence of or the actual, alleged or threatened discharge, dispersal, release or escape of pollutants (including nuclear materials), or any direction or request to test for, monitor, clean up, remove, contain, treat, detoxify or neutralize pollutants, or in any way respond to or assess the effects of pollutants;
K. any data security event that was not properly reported to us during the notice period;
L. any data security event occurring before the effective date of the agreement between the relevant merchant and the named insured to process bank card transactions, or after the termination of such agreement;
M. any expenses incurred for, or as a result of, regularly scheduled, recurring or routine security assessments, regulatory examinations, inquiries or compliance activities;
N. any (1) gaining of a profit or advantage to which the named insured is not legally entitled; or (2) the named insured's expenses or charges, including employee compensation and benefits, overhead, over-charges or cost over-runs;
O. any liability or obligation of the named insured under any contract or agreement; however, this exclusion shall not apply to (i) liability the named insured would have in the absence of such contract or agreement, (ii) liability or obligation under any customer processing agreement with a merchant, or (iii) any agreement with a card association relating to the named insured's processing and settling of transactions involving bank cards issued or authorized by such card association;
P. any data security event that first occurred prior to the Retroactive Date set forth in Item 5. of the Declarations;
Q. any security event expenses, and post event services expenses arising out of or resulting, directly or indirectly, from the infringement of copyright, patent, trademark, trade secret or other intellectual property rights; or
R. any security event expenses, and post event services expenses alleging, arising out of or resulting, directly or indirectly, from any discrimination against any person or entity on any basis, including but not limited to: race, creed, color, religion, ethnic background, national origin, age, handicap, disability, sex, sexual orientation or pregnancy.
VI. LIMITS OF INSURANCE
A. The Aggregate Limit of Insurance indicated in Item 3.A. of the Declarations of this policy will be the most we shall pay for all coverages combined, regardless of the number of data security events, regulatory actions, merchants, persons, or entities covered by this policy and regardless of the total of all security event expenses and post event services expenses resulting from all data security events first discovered by the named insured during the policy period and reported to us within the notice period.
B. All security event expenses and post event services expenses resulting from the same, continuous, related or repeated data security event shall be subject to the terms, conditions, exclusions and Aggregate Limit of Insurance of the policy issued by us to the named insured in effect at the time the first such data security event is first discovered by the named insured.
C. The most we shall pay for the total of all security event expenses and post event services expenses arising out of or relating to any merchant is the Per Merchant Sublimit of Insurance indicated in Item 3.B. of the Declarations, regardless of the number of data security events first discovered by the named insured during the policy period and reported to us within the notice period. The Per Merchant Sublimit of Insurance is part of, and not in addition to, the Aggregate Limit of Insurance.
VIII. OTHER PROVISIONS AFFECTING COVERAGE
A. Coverage Territory
Subject to its terms, conditions and exclusions, this policy applies to a data security event occurring, and security event expenses and post event services expenses incurred, anywhere in the world.
B. Legal Action Against Us
- With respect to Insuring Agreement I.A., no person or organization has a right under this policy:
a) to join us as a party or otherwise bring us into a suit asking for damages from the named insured; or
b) to sue us on this policy unless all of its terms have been fully complied with. A person or organization may sue us to recover on an agreed settlement or on a final judgment against the named insured obtained after an actual trial; but we will not be liable for amounts that are not payable under the terms of this policy or that are in excess of the applicable Limit of Insurance. An agreed settlement means a settlement and release of liability signed by us, the named insured and the claimant or the claimant's legal representative.
- Except as provided in paragraph IX.H. of this policy, with respect to Insuring Agreements I.B., no legal action may be brought or made against us under this policy unless:
a) there has been full compliance with all of the terms of this policy; and
b) the action is brought within two (2) years after the date on which a data security event is first discovered by the named insured.
C. Subrogation
In the event of any payment under this policy, we shall be subrogated to the extent of such payment, to all rights of recovery of the named insured arising out of a covered data security event. The named insured shall do whatever is necessary, including signing documents, to help us obtain any recovery we may seek. To the extent we make a payment under this policy and, prior or subsequent to such payment, the named insured receives any amount from any other person or entity in connection with or arising out of the data security event with respect to which we made such payment, the named insured shall immediately remit such amount to us up to the amount of our payment.
Notwithstanding the foregoing, to the extent the named insured waives its right to recover security event expenses or post event services expenses from a merchant in connection with the coverage provided under this policy, we shall also waive our right of recovery for any such amounts from such merchant.
D. Other Insurance
This policy shall be primary with respect to any other valid and collectible insurance available to the named insured, unless such other valid and collectible insurance is also stated to be primary. In that case, we will share with all other insurance by the method described below.
- If all of the other insurance permits contribution by equal shares, we will follow this method also. Under this approach, each insurer shall contribute equal amounts in excess of the applicable Retention until it has paid its applicable limit of insurance or none of the loss remains, whichever comes first.
- If any of the other insurance does not permit contribution by equal shares, we will contribute by limits. Under this method, each insurer's share shall be based on the ratio of its applicable limit of insurance to the total applicable limits of insurance of all insurers.
E. Assignment
This policy and any rights provided by this insurance are not assignable without our written consent.
F. Changes
Changes to the provisions of this policy shall be made only by written endorsement issued by us and made a part of this policy.
G. Reimbursement
Payments made under this policy to or on behalf of the named insured shall be repaid to us by the named insured in the event and to the extent that the named insured shall not be entitled to such payment.
H. Alternative Dispute Resolution
It is hereby understood and agreed that all disputes or differences which may arise under or in connection with this policy, whether arising before or after termination of this policy, including any determination of the amount of security event expenses and post event services expenses, must first be submitted to the non-binding mediation process as set forth in this clause.
The non-binding mediation will be administered by any mediation facility to which we and the named insured mutually agree, in which all implicated insureds and we shall try in good faith to settle the dispute by mediation in accordance with the American Arbitration Association's ("AAA") then-prevailing Commercial Mediation Rules. The parties shall mutually agree on the selection of a mediator. The mediator shall have knowledge of the legal, corporate management, or insurance issues relevant to the matters in dispute. The mediator shall also give due consideration to the general principles of the law of the state where the named insured is incorporated in the construction or interpretation of the provisions of this policy. In the event that such non-binding mediation does not result in a settlement of the subject dispute or difference:
- either party shall have the right to commence a judicial proceeding; or
- either party shall have the right, with all other parties' consent, to commence an arbitration proceeding with the AAA that will be submitted to an arbitration panel of three (3) arbitrators as follows:
(a) the insured shall select one (1) arbitrator;
(b) we shall select one (1) arbitrator; and
(c) said arbitrators shall mutually agree upon the selection of the third arbitrator. The arbitration shall be conducted in accordance with the AAA's then-prevailing Commercial Arbitration Rules;
provided, however, that no such judicial or arbitration proceeding shall be commenced until at least ninety (90) days after the date the non-binding mediation shall be deemed concluded or terminated. Each party shall share equally the expenses of the non-binding mediation. The non-binding mediation may be commenced in New York, New York; Atlanta, Georgia; Chicago, Illinois; Denver, Colorado; or in the state indicated in Item 1 of the Declarations as the mailing address for the named insured.
I. Title of Paragraphs
The titles of the various clauses and paragraphs of this policy and endorsements, if any, attached to this policy, are inserted solely for convenience of reference and are not to be deemed in any way to limit or expand the provisions to which they relate, and are not part of this policy.
J. Cancellation
There shall be no coverage for any data security event first discovered by the named insured after the effective date and time of the expiration, cancellation or non-renewal of this policy.
This policy may be canceled by the named insured by surrender of this policy to us or by giving written notice to us stating when thereafter such cancellation shall be effective. This policy may not be canceled by us at any time during the policy period; provided, however, we may cancel for non-payment of premium by delivering to the named insured by registered, certified, or other first class mail or other reasonable delivery method at the address of the named insured set forth in Item 1 of the Declarations, written notice, stating when, not less than ten (10) days thereafter, the cancellation shall be effective. The mailing of such notice, as aforesaid, shall be sufficient proof of notice. This policy shall be deemed canceled at the date and hour specified in such notice. If the period of limitation relating to the giving of notice for cancellation by us, as set forth above, is also set forth in any controlling law, the period set forth above shall be deemed to be amended so as to be equal to the minimum period of limitation set forth in such controlling law if it is a longer period.
K. Organizational Changes
If during the policy period:
- the named insured shall consolidate with, merge into, or sell all or substantially all of its assets to any other person or entity or group of persons or entities acting in concert; or
- any person or entity or group of persons or entities acting in concert shall acquire securities or voting rights which result in ownership or voting control by other entities or persons of more than fifty percent (50%) of the outstanding securities representing the rights to vote for the election of the named insured's directors;
(any of such events being a "transaction"), then this policy shall continue in full force and effect as to data security events occurring on or after the Retroactive Date and prior to the effective time of the transaction; provided that such data security event is first discovered prior to the effective time of the transaction and otherwise reported to us during the notice period and in accordance with the terms and conditions of this policy. There shall be no coverage afforded by any provision of this policy for any data security event that is first discovered, or that occurs, on or after the effective time of the transaction, unless (i) within thirty (30) days of such transaction we have been provided with full particulars of the transaction, the related entities and any other information requested by us, and (ii) the named insured or its successor has agreed to any additional premium and amendments to this policy required by us.
Post-transaction coverage as described above is conditioned upon the named insured or its successor paying when due any additional premium required by us. This policy may not be canceled after the effective time of a transaction and the entire premium for this policy shall be deemed earned as of such time.