Companies target each other in data breach disputesReprints
Get a handle on cyber risks pre-emptively when making deals with business partners to help mitigate commercial liability disputes, says data security attorney Mitzi L. Hill of Taylor English Duma L.L.P.
It is difficult to escape the headlines about computer data security, especially regarding credit card breaches, that have dominated the media since Target Corp. was hacked in late 2013. In response, plaintiffs’ lawyers have brought class-action lawsuits by the dozens against hacked retailers.
The real next frontier in security breach exposure is likely to come from commercial claims, however, not from consumer claims. Why is that, and what can you do about it?
The consumer bar has been trying for years to tap privacy and data security, with fairly limited success. Although a few high-profile cases have settled, the track record for consumer suits has not been strong. This is due to a number of factors, but mainly because we have no single national law governing data breach issues, and we haven’t seen quantifiable harm to individuals after most reported breaches.
As a result, the class actions coming into court are based on laws not designed for electronic data issues. Also, despite persistent headlines about hacking, there has been no pattern of demonstrable consumer injuries: no mass unauthorized use of Social Security numbers, no wave of fraudulent charges to stolen credit cards. Absent specific laws regarding what constitutes protected data, what standard of care has been violated, and what actual harm has occurred, our courts have been reluctant so far to impose liability relating to consumer data breaches.
In the meantime, though, commercial liability disputes are starting to hit the courts, and are much more likely to catch the attention of the judiciary.
Disputes about commercial risk allocation are as old as contracts. They are familiar to judges. They involve sophisticated parties. And nearly every commercial agreement has risk allocation language in it. That gives the parties a way to frame an argument, and a judge a way to analyze and interpret their intent in light of the facts after a breach. In addition, the harms are quantifiable: “it costs my business X dollars directly and Y dollars to cover and mitigate” is easy for a judge to understand.
This means that your informational technology and related agreements are increasingly likely to determine your risks in the case of a breach. The highest-profile example is the issuing banks behind the cards exposed in the Target hack. They sued Target to recover the direct costs they incurred from the breach (new cards, customer relations). Target tried to have the claims dismissed. The court refused. How should this unfold: Does Target, arguably a victim, have to pay costs its vendors incurred? And how will provisions in old agreements be interpreted regarding allocation of risk (post-breach costs) between parties?
Vendor management is likely to become increasingly important as an overall risk management strategy — one that also includes technological protection for personal information, employee training, insurance coverage, and enterprise planning. Standardizing the “asks” in your purchasing contracts and clauses may go a long way toward managing risk.
There are several provisions to consider. Obtaining them all is highly unlikely, unless you have enormous negotiating leverage. Consider this a menu, and see what is available based on the relationship and equities between you and your
Representations and warranties
At minimum, the vendor should “rep and warrant” that security will perform according to agreed-upon specifications. Ideally, the vendor will have its own (higher) standards that address how secure the system is and what level of effort would be required to penetrate it. A middle ground might be a warranty of performance to “industry standard.” In addition to a security warranty, you may want to consider whether you need a warranty as to data integrity: that the vendor’s system will not allow your data to suffer loss, impairment, corruption, or similar.
Whether a vendor warrants any standards of security or data integrity, consider asking for coverage of your losses in case of an incident that occurs because of the vendor. Ideally, there would be no limits on the vendor’s liability for any indemnity given, but that is likely to be the subject of negotiation.
Also consider a requirement of relevant insurance. “Relevant” insurance probably is a cyber liability policy. It is increasingly rare that commercial general liability or professional liability will cover any cyber incident. Cyber policies often are sold modularly. Like a homeowner’s policy that does not cover flood, a cyber policy may not cover indirect losses such as business interruption, or losses due to employee malfeasance, or a particular kind of peril like a hack, for example.
Duty to notify and investigate
In addition, you may want to ensure that your vendor has a duty to notify you of any suspected incident and to investigate or assist your investigation. This is because the patchwork of state laws that specify how to respond to a breach could permit a vendor to delay notice to you, or to decide that notice is not required. Either way, you are deprived of the right to make a timely decision as to whether you have any duty to notify your customers or other third parties of an incident.
Undertakings regarding data
If your vendor is storing your data or has any unique instance of it, consider whether you should obtain a commitment from the vendor that covers several things. Data back-up and accessibility obligations would require the vendor to ensure that there is a second copy of your data available, updated, and accessible at all times in case of emergency or incident in the vendor’s primary network.
A promise to return a useable electronic copy of your data to you after expiration or termination also puts the onus on your vendor to maintain the integrity and comprehensiveness of your data. This indirectly affords you additional protection that the vendor can and will perform with respect to security and access.
Employee and contractor confidentiality
Finally, ensure that the confidentiality obligations in your standard agreements address appropriately any electronic data to which vendors, their contractors and employees will have access. All relevant persons should be covered, and the definition of “confidential information” should be adequate to protect the sensitive personal data in your care.
No single measure, or combination of measures, can protect you completely from the exposure that comes with a breach.
Working to standardize the protections you receive from vendors may, however, help you plan. It also may be a factor in your underwriting risks as you pursue your own cyber insurance policies.
Mitzi L. Hill is an attorney at Atlanta-based Taylor English Duma L.L.P. where she focuses her practice on data security and privacy. She has experience assisting clients in responding to data breaches, entertainment and media issues, as well as technology licensing and development. She can be reached at firstname.lastname@example.org and 678-336-7272.