MERCHANT DATA SECURITY POLICY

Please read the entire policy to determine the named insured's rights and duties and what is and what is not covered under this policy. Words and phrases that appear in boldface are defined in Clause II., DEFINITIONS. In consideration of the payment of the premium and in reliance upon the statements in the application and its attachments and the material incorporated therein, and made a part hereof, we agree as follows:  

I. INSURING AGREEMENTS

A. Data Security Event Expenses We shall pay the named insured for all reasonable security event expenses and post event services expenses resulting from any data security event first discovered by the named insured during the policy period and reported to us within the notice period.  

II. DEFINITIONS

A. Bank card means a financial transaction card, including a debit card, credit card or prepaid card, issued by a card association or a financial institution as a member of a card association.
 
B. Cardholder means a natural person or entity to which a bank card has been issued.
 
C. Cardholder Information means the data contained on a bank card, or otherwise provided to a merchant, that is required by the card association or the named insured in order to process, approve and/or settle a bank card transaction.
 
D. Card association means each of Visa International, MasterCard Worldwide, Discover Financial Services, JCB, American Express and any similar credit or debit card association that is a participating organization of the PCI Security Standards Council.
 
E. Card association assessment means a monetary assessment, fee, fine or penalty levied against a merchant or the named insured by a card association as the result of (i) a data security event or (ii) a security assessment conducted as the result of a data security event. The card association assessment shall not exceed the maximum monetary assessment, fee, fine or penalty permitted upon the occurrence of a data security event by the applicable rules or agreement in effect as of the inception date of the policy period for such card association.
 
F. Card replacement expenses means the costs that the named insured or a merchant are required to pay by the card association to replace compromised bank cards as the result of (i) a data security event or (ii) a security assessment conducted as the result of a data security event.
 
G. Data security event means the actual or suspected unauthorized access to or use of cardholder information, arising out of a merchant's possession of or access to such cardholder information, which has been reported (a) to a card association by a merchant or the named insured or (b) to the merchant or the named insured by a card association. All security event expenses and post event services expenses resulting from the same, continuous, related or repeated event or which arise from the same, related or common nexus of facts, will be deemed to arise out of one data security event.
 
H. Forensic audit expenses means the costs of a security assessment conducted by a qualified security assessor approved by a card association or the PCI Security Standards Council to determine the cause and extent of a data security event.
 
I. Merchant means each and every entity that enters into an agreement pursuant to which the named insured processes bank card transactions on behalf of such entity.
 
J. Named insured means the entity indicated in Item 1. of the Declarations.
 
K. Notice period means the sixty (60) day period of time the named insured shall have to notify us that a data security event has occurred. The notice period shall commence immediately upon first discovery of the data security event by the named insured.
 
L. Policy means this policy and any endorsements attached hereto, together with the application with any attachments thereto and material incorporated therein.
 
M. Policy period means the period commencing on the effective date specified in Item 2. of the Declarations and ending on the earlier of either the expiration date specified in Item 2 of the Declarations or the effective date of cancellation of this policy.
 
N. Pollutants means, but are not limited to, any solid, liquid, gaseous, biological, radiological or thermal irritant or contaminant, including smoke, vapor, dust, fibers, mold, spores, fungi, germs, soot, fumes, asbestos, acids, alkalis, chemicals and waste. "Waste" includes, but is not limited to, materials to be recycled, reconditioned or reclaimed and nuclear materials.
 
O. Post event services expenses means reasonable fees and expenses incurred by the named insured or a merchant with our prior written consent, for any service specifically approved by us in writing, including without limitation, identity theft education and assistance and credit file monitoring. Such services must be provided by or on behalf of the named insured or a merchant within one (1) year following discovery of a data security event covered under this policy to a cardholder whose cardholder information is the subject of that data security event for the primary purpose of mitigating the effects of such data security event.
 
P. Security event expenses means card association assessments, forensic audit expenses and card replacement expenses.
 
Q. We, us and our mean the insurer issuing this policy.  

III. DUTIES IN THE EVENT OF A DATA SECURITY EVENT

A. Before coverage will apply under this policy, the named insured shall notify us in writing as soon as practicable within the notice period of an actual or alleged data security event first discovered by the named insured during the policy period. Notice must include:
  1. The name of the merchant;
  2. A description of the data security event;
  3. The number of cardholders affected by the data security event; and
  4. A copy of all notices and correspondence from the named insured, the merchant, or a card association concerning the data security event.
B. Under all circumstances, the named insured shall not admit any liability, assume any financial obligation, pay any money, or incur any expense in connection with any data security event without our prior written consent. If the named insured does, it will be at the named insured's own expense.
 
C. The named insured shall take reasonable steps to prevent a data security event and to mitigate the loss arising out of a data security event, including without limitation, following the procedures required by a card association in the event of a data security event. In all events, no named insured shall take any action, or fail to take any action, without our prior written consent, which prejudices our rights under this policy.

IV. ADDITIONAL OBLIGATIONS

In addition to all other duties and obligations contained elsewhere in this policy:
 
A. The named insured shall provide us written notice, on a quarterly basis, of the number of merchants under contract to receive bank card processing services from the named insured as of the last day of the calendar quarter. The named insured shall provide us with such notice within fifteen (15) business days after the end of each calendar quarter.
 
B. The named insured shall allow us to examine and audit all of its records that relate to this policy. We may conduct the audits during regular business hours during the policy period and within three (3) years after the policy period ends; and
 
C. The named insured shall pay all premium under this policy when due. The named insured shall also be responsible for the giving and receiving of any notice under this policy, including, but not limited to, notice of a data security event and any claim arising out of such data security event.
 

V. EXCLUSIONS

This policy shall not apply to:

A. any security event expenses and post event services expenses arising out of or resulting, directly or indirectly, from any dishonest, fraudulent, criminal or malicious act, error or omission, or any intentional or knowing violation of the law, if committed by the named insured's:
  1. directors, officers, trustees, governors, management committee members, members of the management board or partners (or the equivalent positions), whether acting alone or in collusion with other persons; or

  2. employees (other than officers) if any of the named insured's elected or appointed officers possessed knowledge of any such: a) dishonest, fraudulent, malicious, or criminal or malicious act, error or omission; b) intentional or knowing violation of the law or the privacy policy of the named insured, or c) gaining of any profit or advantage to which the named insured is not legally entitled; prior to or at the time (a), (b) or (c) above were committed;
B. any data security event caused by or resulting, directly or indirectly, from an act, error or omission of the named insured, including, without limitation, (i) the disclosure of any cardholder information by the named insured, its employees or any person or entity to whom the named insured provides cardholder information, or (ii) any failure of the named insured's security, computer system or payment processing network; provided however, this exclusion does not apply to the actual or alleged failure of the named insured to monitor the operations of, or the security procedures or computer systems used by, any merchant;
 
C. any security event expenses and post event services expenses arising out of or resulting from a claim, suit, action or proceeding against the named insured or a merchant that is brought by or on behalf of any federal, state or local government agency;
 
D. any data security event relating to a merchant which has experienced a prior data security event unless such merchant was later certified as PCI compliant by a qualified security assessor;
 
E. any data security event arising out of a merchant allowing any party (other than its employees or the named insured) to hold or access cardholder information;
 
F. any data security event involving: (i) a merchant categorized by any card association as "Level 1" or (ii) a merchant that processed more than six million (6,000,000) bank card transactions during the twelve month period prior to the policy period;
 
G. any expenses, other than security event expenses and post event services expenses, incurred by the named insured or a merchant, arising out of or resulting, directly or indirectly, from a data security event, including without limitation, expenses incurred to bring a merchant into compliance with the PCI Data Security Standard or any similar security standard;
 
H. any security event expenses, and post event services expenses arising out of or resulting, directly or indirectly, from physical injury, sickness, disease, disability, shock or mental anguish sustained by any person, including without limitation, required care, loss of services or death at any time resulting therefrom;
 
I. any security event expenses, and post event services expenses arising out of or resulting, directly or indirectly, from any of the following:
  1. fire, smoke, explosion, lightning, wind, water, flood, earthquake, volcanic eruption, tidal wave, landslide, hail, an act of God or any other physical event, however caused;

  2. strikes or similar labor action, war, invasion, act of foreign enemy, hostilities or warlike operations (whether declared or not), civil war, mutiny, civil commotion assuming the proportions of or amounting to a popular rising, military rising, insurrection, rebellion, revolution, military or usurped power, or any action taken to hinder or defend against these actions; or

  3. electrical or mechanical failures, including any electrical power interruption, surge, brownout or blackout; a failure of telephone lines, data transmission lines, satellites or other infrastructure comprising or supporting the Internet, unless such lines or infrastructure were under the named insured's operational control;
J. any security event expenses, and post event services expenses arising out of or resulting, directly or indirectly, from the presence of or the actual, alleged or threatened discharge, dispersal, release or escape of pollutants (including nuclear materials), or any direction or request to test for, monitor, clean up, remove, contain, treat, detoxify or neutralize pollutants, or in any way respond to or assess the effects of pollutants;
 
K. any data security event that was not properly reported to us during the notice period;
 
L. any data security event occurring before the effective date of the agreement between the relevant merchant and the named insured to process bank card transactions, or after the termination of such agreement;
 
M. any expenses incurred for, or as a result of, regularly scheduled, recurring or routine security assessments, regulatory examinations, inquiries or compliance activities;
 
N. any (1) gaining of a profit or advantage to which the named insured is not legally entitled; or (2) the named insured's expenses or charges, including employee compensation and benefits, overhead, over-charges or cost over-runs;
 
O. any liability or obligation of the named insured under any contract or agreement; however, this exclusion shall not apply to (i) liability the named insured would have in the absence of such contract or agreement, (ii) liability or obligation under any customer processing agreement with a merchant, or (iii) any agreement with a card association relating to the named insured's processing and settling of transactions involving bank cards issued or authorized by such card association;
 
P. any data security event that first occurred prior to the Retroactive Date set forth in Item 5. of the Declarations;
 
Q. any security event expenses, and post event services expenses arising out of or resulting, directly or indirectly, from the infringement of copyright, patent, trademark, trade secret or other intellectual property rights; or
 
R. any security event expenses, and post event services expenses alleging, arising out of or resulting, directly or indirectly, from any discrimination against any person or entity on any basis, including but not limited to: race, creed, color, religion, ethnic background, national origin, age, handicap, disability, sex, sexual orientation or pregnancy.  

VI. LIMITS OF INSURANCE

A. The Aggregate Limit of Insurance indicated in Item 3.A. of the Declarations of this policy will be the most we shall pay for all coverages combined, regardless of the number of data security events, regulatory actions, merchants, persons, or entities covered by this policy and regardless of the total of all security event expenses and post event services expenses resulting from all data security events first discovered by the named insured during the policy period and reported to us within the notice period.
 
B. All security event expenses and post event services expenses resulting from the same, continuous, related or repeated data security event shall be subject to the terms, conditions, exclusions and Aggregate Limit of Insurance of the policy issued by us to the named insured in effect at the time the first such data security event is first discovered by the named insured.
 
C. The most we shall pay for the total of all security event expenses and post event services expenses arising out of or relating to any merchant is the Per Merchant Sublimit of Insurance indicated in Item 3.B. of the Declarations; regardless of the number of data security events first discovered by the named insured during the policy period and reported to us within the notice period. The Per Merchant Sublimit of Insurance is part of, and not in addition to the Aggregate Limit of Insurance.  

VIII. OTHER PROVISIONS AFFECTING COVERAGE

A. Coverage Territory Subject to its terms, conditions and exclusions, this policy applies to a data security event occurring, and security event expenses and post event services expenses incurred, anywhere in the world.
 
B. Legal Action Against Us
    1. With respect to Insuring Agreement I. A., no person or organization has a right under this policy: a) to join us as a party or otherwise bring us into a suit asking for damages from the named insured; or b) to sue us on this policy unless all of its terms have been fully complied with. A person or organization may sue us to recover on an agreed settlement or on a final judgment against the named insured obtained after an actual trial; but we will not be liable for amounts that are not payable under the terms of this policy or that are in excess of the applicable Limit of Insurance. An agreed settlement means a settlement and release of liability signed by us, the named insured and the claimant or the claimant's legal representative.

    2. Except as provided in paragraph IX.H. of this policy, with respect to Insuring Agreements I.B., no legal action may be brought or made against us under this policy unless: a) there has been full compliance with all of the terms of this policy; and b) the action is brought within two (2) years after the date on which a data security event is first discovered by the named insured.
C. Subrogation In the event of any payment under this policy, we shall be subrogated to the extent of such payment, to all rights of recovery of the named insured arising out of a covered data security event. The named insured shall do whatever is necessary, including signing documents, to help us obtain any recovery we may seek. To the extent we make a payment under this policy and, prior or subsequent to such payment, the named insured receives any amount from any other person or entity in connection with or arising out of the data security event with respect to which we made such payment, the named insured shall immediately remit such amount to us up to the amount of our payment. Notwithstanding the foregoing, to the extent the named insured waives its right to recover security event expenses or post event services expenses from a merchant in connection with the coverage provided under this policy, we shall also waive our right of recovery for any such amounts from such merchant.
 
D. Other Insurance This policy shall be primary with respect to any other valid and collectible insurance available to the named insured, unless such other valid and collectible insurance is also stated to be primary. In that case, we will share with all other insurance by the method described below.
  1. If all of the other insurance permits contribution by equal shares, we will follow this method also. Under this approach, each insurer shall contribute equal amounts in excess of the applicable Retention until it has paid its applicable limit of insurance or none of the loss remains, whichever comes first.
  2. If any of the other insurance does not permit contribution by equal shares, we will contribute by limits. Under this method, each insurer's share shall be based on the ratio of its applicable limit of insurance to the total applicable limits of insurance of all insurers.
E. Assignment This policy and any rights provided by this insurance are not assignable without our written consent.
 
F. Changes Changes to the provisions of this policy shall be made only by written endorsement issued by us and made a part of this policy.
 
G. Reimbursement Payments made under this policy to or on behalf of the named insured shall be repaid to us by the named insured in the event and to the extent that the named insured shall not be entitled to such payment.
 
H. Alternative Dispute Resolution It is hereby understood and agreed that all disputes or differences which may arise under or in connection with this policy, whether arising before or after termination of this policy, including any determination of the amount of security event expenses and post event services expenses, must first be submitted to the non-binding mediation process as set forth in this clause. The non-binding mediation will be administered by any mediation facility to which we and the named insured mutually agree, in which all implicated insureds and we shall try in good faith to settle the dispute by mediation in accordance with the American Arbitration Association's ("AAA") then-prevailing Commercial Mediation Rules. The parties shall mutually agree on the selection of a mediator. The mediator shall have knowledge of the legal, corporate management, or insurance issues relevant to the matters in dispute. The mediator shall also give due consideration to the general principles of the law of the state where the named insured is incorporated in the construction or interpretation of the provisions of this policy. In the event that such non-binding mediation does not result in a settlement of the subject dispute or difference:
  1. either party shall have the right to commence a judicial proceeding; or

  2. either party shall have the right, with all other parties' consent, to commence an arbitration proceeding with the AAA that will be submitted to an arbitration panel of three (3) arbitrators as follows: (a) the insured shall select one (1) arbitrator; (b) we shall select one (1) arbitrator; and (c) said arbitrators shall mutually agree upon the selection of the third arbitrator. The arbitration shall be conducted in accordance with the AAA's then prevailing Commercial Arbitration Rules;
provided, however, that no such judicial or arbitration proceeding shall be commenced until at least ninety (90) days after the date the non-binding mediation shall be deemed concluded or terminated. Each party shall share equally the expenses of the non-binding mediation. The non-binding mediation may be commenced in New York, New York; Atlanta, Georgia; Chicago, Illinois; Denver, Colorado; or in the state indicated in Item 1 of the Declarations as the mailing address for the named insured.

I. Title of Paragraphs The titles of the various clauses and paragraphs of this policy and endorsements, if any, attached to this policy, are inserted solely for convenience or reference and are not to be deemed in any way to limit or expand the provisions to which they relate, and are not part of this policy.
 
J. Cancellation There shall be no coverage for any data security event first discovered by the named insured after the effective date and time of the expiration, cancellation or non-renewal of this policy. This policy may be canceled by the named insured by surrender of this policy to us or by giving written notice to us stating when thereafter such cancellation shall be effective. This policy may not be canceled by us at any time during the policy period, provided however, we may cancel for non-payment of premium by delivering to the named insured by registered, certified, or other first class mail or other reasonable delivery method at the address of the named insured set forth in Item 1 of the Declarations, written notice, stating when, not less than ten (10) days thereafter, the cancellation shall be effective. The mailing of such notice, as aforesaid, shall be sufficient proof of notice. This policy shall be deemed canceled at the date and hour specified in such notice. If the period of limitation relating to the giving of notice for cancellation by us, as set forth above, is also set forth in any controlling law, the period set forth above shall be deemed to be amended so as to be equal to the minimum period of limitation set forth in such controlling law if it is a longer period.
 
K. Organizational Changes If during the policy period:
  1. the named insured shall consolidate with, merge into, or sell all or substantially all of its assets to any other person or entity or group of persons or entities acting in concert; or

  2. any person or entity or group of persons or entities acting in concert shall acquire securities or voting rights which result in ownership or voting control by other entities or persons of more than fifty percent (50%) of the outstanding securities representing the rights to vote for the election of the named insured's directors;
(any of such events being a "transaction"), then this policy shall continue in full force and effect as to data security events occurring on or after the Retroactive Date and prior to the effective time of the transaction; provided that such data security event is first discovered prior to the effective time of the transaction and otherwise reported to us during the notice period and in accordance with the terms and conditions of this policy. There shall be no coverage afforded by any provision of this policy for any data security event that is first discovered, or that occurs, on or after the effective time of the transaction, unless (i) within thirty (30) days of such transaction we have been provided with full particulars of the transaction, the related entities and any other information requested by us, and (ii) the named insured or its successor, has agreed to any additional premium and amendments to this policy required by us. Post-transaction coverage as described above is conditioned upon the named insured or its successor paying when due any additional premium required by us. This policy may not be canceled after the effective time of a transaction and the entire premium for this policy shall be deemed earned as of such time.