Rosen Hotels sued over data-breach payments

A data breach at Rosen Hotels & Resorts last year threatens to cost the company more than $2.4 million. St. Paul Fire & Marine Insurance has filed a lawsuit asking a Florida judge to formally state that the insurance company is not responsible for paying any costs related to the breach.

The lawsuit, filed in the U.S. District Court Middle District of Florida, Orlando Division, is being brought against Rosen Millennium Technology Group, a sister company to the resort with which it shares several key executives, according to the Orlando Sentinel.

According to the new lawsuit, Rosen has been hit with a $1 million fine each from Visa and MasterCard; a $128,830 fine from American Express; $50,000 in attorneys’ fees; $40,000 in costs to send notifications to clients; $15,000 in fees to a crisis-management firm; and a bill for $150,000 to a data-forensics team that identified the breach. The costs could continue to grow if Rosen faces additional legal claims from customers, according to the lawsuit.

In the suit, St. Paul claims that a data breach and any ensuing losses are outside the scope of the commercial general liability policy, and it wants a judgment by the court confirming this stance.

Back in early 2016, Rosen disclosed a data breach that impacted an unknown number of guest credit cards. The upscale hospitality provider said that the cards were compromised by malware on the payment network.

Chris Burgio, VP at Marsh & McLennan in Fort Lauderdale, which sells data breach insurance, told the Orlando Sentinel that more firms are buying data breach policies, but recent studies show only about 20 percent of companies have them. A study by Marsh in 2016 showed the hospitality industry was among the slowest to buy insurance for data breaches, with only 15 percent of hospitality and gaming companies buying specific policies for data breaches.

This is the latest confirmed breach in a string of acknowledged breaches. Kimpton Hotels, HEI Hotels and Resorts, Millennium Hotels & Resorts North America, the Hard Rock Hotel & Casino in Las Vegas (twice), Trump Hotels (twice), Golden Nugget hotels, Mandarin Oriental, Omni Hotels, and White Lodging have all been victims of data breaches.

In addition to data-breach insurance, there are other steps hotels can take to minimize risk. These include understanding the risk of a data breach, having a strict online policy bolstered by strong employee training, updating machines and technology, and being prepared in case they are targeted.