PCI Coverage in your Cyber Policy?


PCI (short for the Payment Card Industry Data Security Standard, or PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment. If you have a data breach related to credit card transactions or information, the credit card brands (which are behind the PCI standards) can assess fines if an audit finds that you are not in compliance with the security standards for your “level” of card processing. Most of our real estate agency clients are considered Level 4, which means they process fewer than 20,000 transactions a year and are subject to a lower level of compliance requirements.

Since Cyber Liability and PCI are related, PBI Group’s cyber liability policy has an available endorsement to help provide protection. In general, this coverage pays for fines and penalties assessed by the credit card brands (Visa, MasterCard, etc.) to your credit card processing bank, which are often passed on to the real estate agency.

Some Policy Definitions*:

Payment Card means an authorized account, or evidence of an account, for a credit card, debit card, charge card, fleet card or stored value card between a payment card brand (including, but not limited to Visa, Inc., MasterCard Incorporated, Discover Financial Services, American Express Company or JCB Company, Ltd.) and its customer.

Payment Card Industry Data Security Standard means the rules, regulations, standards or guidelines adopted or required by the Payment Card Brand or the Payment Card Industry Data Security Standards Council relating to data security and the safeguarding, disclosure and handling of Personal Information.

Payment Card Loss means monetary assessments, fines, penalties, chargebacks, reimbursements, and fraud recoveries which You become legally obligated to pay as a result of Your actual or alleged failure: of Network Security; or to properly handle, manage, store, destroy or otherwise control Personal Information, where such amount is determined pursuant to a payment card processing agreement between You and a payment card brand, a mobile payment services merchant agreement between You and a payment services provider, or demanded in writing from an issuing or acquiring bank that processes Your Payment Card transactions, due to Your actual or alleged non-compliance with the Payment Card Industry Data Security Standards, EMV specifications, or mobile payment security requirements. Payment Card Loss shall not include subsequent fines or assessments for continued noncompliance with the Payment Card Industry Data Security Standard, EMV Specifications, or a mobile payment services merchant agreement. Payment Card Loss also shall not include costs or expenses incurred to update or otherwise improve privacy or network security controls, policies or procedures to a level beyond that which existed prior to the loss event or to be compliant with Payment Card Industry

*Policy Language from Victor O. Schinnerer & Company


Wire Fraud Scam Getting Worse: New Twist

Here is a recent situation which unfortunately impacted one of our clients and is worth sharing in the hope that increased awareness will limit the chance of this happening again. This situation is a twist on the traditional wire fraud scam and shows how far the bad guys are willing to go to steal from your clients.

The title company involved in a transaction was breached by bad guys who found out the specifics of an upcoming closing at our insured’s real estate agency. Instead of sending a fraudulent email posing as the title agency, the bad guys called the buyer’s agent to communicate updated wiring information for the funds needed to close. The realtor took the telephone call thinking it was the title company and relayed the information to the buyer, who in turn wired the closing funds to a fraudulent bank account. Luckily, a majority of the funds were recovered, but only after considerable effort and expense. What makes this more concerning than most wire fraud situations is that neither the E&O policy nor the Cyber Liability policy was willing to cover the lost funds.

What makes this different?

An important distinction here is that bad guys are learning that real estate agents are not trusting email as a communication tool for wiring instructions and are adapting by making telephone calls, falsely representing the title company. This is a disturbing new development. Please communicate this to your agents.

How did their liability policies respond?

  • Cyber liability policies are triggered when the insured has a situation where a breach is suspected. In this situation, the cyber policy triggered to provide forensic services to determine the origin of the breach, which turned out to be the title company. At that point, the policy stops covering any liability, since the insured’s systems were not compromised. It is worth noting that even if the bad guys had sent an email from the title company to the agent instead of making the telephone call, the cyber policy would not have provided cover for the same reason. No breach, no cover.
  • The E&O policy has a specific exclusion for any liability resulting from wire transfers. These exclusions are becoming more common in E&O policies since carriers are not interested in the exposure related to wire transfer fraud.

What can you do to protect yourself?

  • Do not get involved in any communication of wire instructions to your client. This includes text messages, email and telephone calls.
  • Create a Fund Transfer Pledge with your clients.
  • If you receive communication regarding a closing, be sure to call the related party by dialing a number that is NOT part of the recent communication, since that telephone number likely goes directly to the bad guys. Call another number you have on file.

Orbitz.com: The Latest Breach Victim

What happened at Orbitz?

Reports from March 20 state that up to 880,000 payment card numbers and related information could’ve been exposed in a data breach. Orbitz, which is owned by Expedia, apparently had two different data disclosures.

In the first disclosure, an attacker may have accessed customers’ personal information for some purchases made on orbitz.com between Jan. 1, 2016, and June 22, 2016, according to news reports.

In the second disclosure, customer data from other travel sites that used Orbitz to book travel between Jan. 1, 2016, and Dec. 22, 2016, may have been compromised, according to published reports. One of the affected sites was the American Express site Amextravel.com.

The related information that could have been exposed includes:
  • Customer’s full name
  • Date of birth
  • Phone number
  • Email address
  • Physical or billing address