The Grail Law Firm recently represented a hospitality industry merchant who suffered a sizeable data breach that led to the compromise of credit card information of thousands of the merchant’s customers. Based on a forensic investigation, the credit card companies alleged that our client had inadequate network security to detect and prevent the breach. As a result, the companies sued our client for the replacement cost of the customers’ cards and the reimbursement of the cardholders’ fraudulent charges—a combined amount totaling in the high six figures.

But most merchants don’t realize they suffer the cost of this fraud when the credit card companies come knocking to charge back 100% of the losses—sometimes a third, a half, or a larger annual percentage of your total annual sales.

When that happened to the Grail Law Firm’s hospitality industry client, management came to us for relief.

First, we engaged a respected, nationally known computer security consultant to assist us in contesting the card companies’ claims. He succeeded after another expert failed to identify how and when the breach of our clients’ network occurred. We identified the network security measures the client had taken to minimize the scope and duration of the breach, and were able to present both scenarios in terms that could be understood.

Post-breach, we assisted the client in implementing necessary network security measures and practices to become PCI DSS compliant. Working alongside our consultant, the client’s computer security personnel, and the client’s “clearing” agent for credit charges, we challenged the card companies’ assessment of card replacement and fraud liability against our client, and we assisted with identifying and perfecting available claims for coverage.

Our efforts led to a substantial reduction in our clients’ liability. We worked with our client in making successful arguments to their cybersecurity insurer regarding coverage of the data breach caused losses.

Read the latest about why cybersecurity insurance is necessary for any small business handling credit card data, and how companies should think about—or their counsel can advise them about—mitigating their risk.