Foregenix Merchant Breach Protection Program - Terms & Conditions
The following Terms apply to Customers who have purchased service packages or services that also contain “Breach Protection” and are participating in the Foregenix Breach Protection Program ("Program") offered by Foregenix.
Description of the Program
Foregenix’ Breach Protection Program ("the Program") is a limited warranty of Foregenix services to Merchants (collectively “Merchants”). Often in the PCI compliance industry, a Merchant’s credit card processor, acquiring bank, independent sales organization, or merchant services provider (collectively “Acquirer”) may contract and/or pay Foregenix for the services, for which Foregenix provides the Breach Protection Program as a limited warranty.
A Merchant that is enrolled in Foregenix’ services for a minimum of 3 months and suffers a data breach while enrolled will be reimbursed by Foregenix for certain expenses described below and subject to the terms and conditions in this Agreement.
The Program is not available to level 1 Merchants, as level 1 Merchants are defined by the card brands. The Program is available to Merchants globally that have enrolled in and paid (or whose Acquirer has paid) Foregenix for the Services which explicitly include the limited warranty from the Foregenix Data Breach Protection Program. As a limited warranty of its services, Foregenix provides Merchants from £5,000 up to £50,000 ("Program Limit") per Merchant of breach protection, or reimbursement, subject to the terms and limitations described more fully below. The level of breach protection (from £5,000 up to £50,000) will be defined in the product/service description when purchased from Foregenix. Foregenix will reimburse Merchants only for the following costs and expenses actually incurred and timely reported (see Section 5 below) by Merchants in connection with a properly reported data breach:
• Penalties or fines charged to Merchant by Visa, MasterCard, Discover, American Express, or JCB directly or through an Acquirer. A fine or penalty by a card brand must not exceed the maximum monetary assessment, fine, fee, or penalty permitted by applicable rules or agreements in effect as of the inception date of this Agreement.
• Costs of a forensic investigation conducted by a PCI Forensic Investigator approved by the PCI Security Standards Council.
• The costs associated with replacing credit cards that were compromised in a breach.
• If approved in writing by Foregenix, notification costs, victim cost reimbursement, or identity theft monitoring and services.
Breach Protection is Not Insurance
The Program is not insurance. Neither Acquirer nor Merchants have insurance as a result of this Agreement. The Program is backed by an insurance policy (the "Policy") from AIG Specialty Insurance Company, an insurance company subsidiary of American International Group, Inc. ("AIG"). Neither Acquirer nor the merchants are an "insured" or beneficiary under the Policy and nothing in this Agreement creates a relationship between Acquirer or the merchant and AIG (or any other AIG affiliate). Neither AIG nor Foregenix is providing Acquirer or merchants with insurance pursuant to a contractual agreement. Elmore ("Elmore"), an insurance brokerage firm, acts as the claim and payment processor under the Program.
The Program Limit.
The Program Limit is the most any Merchant can recover for each merchant identification number during a twelve (12) month period for any or all such costs or expenses, combined, and regardless of the number of data security events discovered or regulatory actions taken.
Acquirer and a compromised Merchant are required to provide Foregenix with any documentation, invoice, or other evidence required by Foregenix within thirty (30) days of discovery or suspicion of a breach or compromise.
The Program reimburses Merchants only if a Merchant provides a timely (within 30 days) notification and complete report of a data security event or regulatory action as soon as the Merchant becomes aware of such event or action. Merchants will need to provide details on the data security event or regulatory action including, but not limited to: a complete description of the data security event or regulatory action, all documents relating to the data security event or regulatory action, and any other pertinent information requested by or on behalf of Foregenix. To report a data security event or regulatory action under the Program, contact Foregenix at: Breach_Reporting@Foregenix.com.
Merchants must provide invoices of costs described in Section 1 above to Foregenix in a timely manner – within 30 days. Merchants may email the Foregenix Data Breach Department at the email address above, or send the invoices by certified mail to 8-9 High Street, Marlborough, Wiltshire, SN8 1AA, United Kingdom. Once an invoice is received by Foregenix, that invoice will be provided to AIG for an evaluation to determine whether or not the payment is covered by the Policy. If AIG determines that coverage exists, then AIG will provide Foregenix with a cheque covering the costs in the invoice. Foregenix will only provide payment to a compromised Merchant if coverage is found to exist by AIG. If coverage is denied by AIG, Foregenix will not provide payment to a compromised Merchant.
Limitation of Liability for the Program.
Acquirer and Merchants assume sole responsibility and liability for making timely and complete claims under the Program, providing necessary or requested data and information, and otherwise complying with the terms and conditions set forth in the Program. FOREGENIX SHALL HAVE NO LIABILITY TO ANY MERCHANT UNDER THE PROGRAM IN THE EVENT, AND TO THE FULLEST EXTENT, THAT AIG DENIES COVERAGE UNDER THE POLICY FOR ANY GIVEN DATA SECURITY EVENT OR REGULATORY ACTION. FOREGENIX' DUTY TO PROVIDE PAYMENTS TO ANY MERCHANT FOR COSTS ARISING FROM ANY DATA SECURITY EVENT OR REGULATORY ACTION UNDER THE PROGRAM WILL BE MADE ONLY AFTER, AND TO THE EXTENT THAT, FOREGENIX RECEIVES PAYMENT FROM AIG UNDER THE POLICY.
Exclusions to The Program
A. any data security event relating to a merchant which has experienced a prior data security event unless such merchant was later certified as PCI compliant by a qualified security assessor;
B. any data security event arising out of a merchant allowing any party (other than its employees) to hold or access cardholder information; provided, however, that this exclusion shall not apply to a merchant using a certified PCI compliant payment service provider to accept bank card payments on behalf of such merchant;
C. any security event expenses, and post event services expenses arising out of or resulting, directly or indirectly, from physical injury, sickness, disease, disability, shock or mental anguish sustained by any person, including without limitation, required care, loss of services or death at any time resulting therefrom;
D. any security event expenses, and post event services expenses arising out of or resulting, directly or indirectly, from any of the following:
• fire, smoke, explosion, lightning, wind, water, flood, earthquake, volcanic eruption, tidal wave, landslide, hail, an act of God or any other physical event, however caused;
• strikes or similar labor action, war, invasion, act of foreign enemy, hostilities or warlike operations (whether declared or not), civil war, mutiny, civil commotion assuming the proportions of or amounting to a popular rising, military rising, insurrection, rebellion, revolution, military or usurped power, or any action taken to hinder or defend against these actions; or
• electrical or mechanical failures, including any electrical power interruption, surge, brownout or blackout; a failure of telephone lines, data transmission lines, satellites or other infrastructure comprising or supporting the Internet, unless such lines or infrastructure were under the named insured’s operational control;
E. any security event expenses, and post event services expenses arising out of or resulting, directly or indirectly, from the presence of or the actual, alleged or threatened discharge, dispersal, release or escape of pollutants (including nuclear materials), or any direction or request to test for, monitor, clean up, remove, contain, treat, detoxify or neutralize pollutants, or in any way respond to or assess the effects of pollutants;
F. any data security event that was not reported to us during the notice period;
G. any data security event occurring before the effective date of the agreement with the relevant merchant or after the termination of such agreement;
H. any expenses incurred for, or as a result of, regularly scheduled, recurring or routine security assessments, regulatory examinations, inquiries or compliance activities;
I. any data security event that first occurred prior to the agreement with the merchant;
J. any security event expenses, and post event services expenses arising out of or resulting, directly or indirectly, from the infringement of copyright, patent, trademark, trade secret or other intellectual property rights;
K. any security event expenses, and post event services expenses alleging, arising out of or resulting, directly or indirectly, from any discrimination against any person or entity on any basis, including but not limited to: race, creed, color, religion, ethnic background, national origin, age, handicap, disability, sex, sexual orientation or pregnancy; or
L. any fines, penalties or assessments levied against the named insured that are not the direct result of a data security event.