Rosen Hotels sued over data-breach payments


A data breach at Rosen Hotels & Resorts last year threatens to cost the company more than $2.4 million. St. Paul Fire & Marine Insurance has filed a lawsuit asking a Florida judge to formally state that the insurance company is not responsible for paying any costs related to the breach.

The lawsuit, filed in the U.S. District Court Middle District of Florida, Orlando Division, is being brought against Rosen Millennium Technology Group, a sister company to the resort with which it shares several key executives, according to the Orlando Sentinel.

According to the new lawsuit, Rosen has been hit with a $1 million fine each from Visa and MasterCard; a $128,830 fine from American Express; $50,000 in attorneys’ fees; $40,000 in costs to send notifications to clients; $15,000 in fees to a crisis-management firm; and a bill for $150,000 to a data-forensics team that identified the breach. The costs could continue to grow if Rosen faces additional legal claims from customers, according to the lawsuit.



In the suit, St. Paul's claims that a data breach and any ensuing losses are outside the scope of the commercial general liability policy, and it wants a judgment by the court confirming this stance.

Back in early 2016, Rosen disclosed a data breach that impacted an unknown number of guest credit cards. The upscale hospitality provider said that the cards were compromised by malware on the payment network.

Chris Burgio, VP at Marsh & McLennan in Fort Lauderdale, which sells data breach insurance, told the Orlando Sentinel that more firms are buying data breach policies, but recent studies show only about 20 percent of companies have them. A study by Marsh in 2016 showed the hospitality industry was among the slowest to buy insurance for data breaches, with only 15 percent of hospitality and gaming companies buying specific policies for data breaches.

This is the latest confirmed breach in a string of acknowledged breaches: Kimpton Hotels, HEI Hotels and Resorts, Millennium Hotels & Resorts North America, the Hard Rock Hotel & Casino in Las Vegas (twice), Trump Hotels (twice), Golden Nugget hotels, Mandarin Oriental, Omni Hotels, and White Lodging all have been victims of data breaches.

In addition to data-breach insurance, there are other steps hotels can take to minimize risk. These include understanding the risk of a data breach, having a strict online policy bolstered by strong employee training, updating machines and technology, and being prepared in case they are targeted.
