By: Ryan Malone
Whether designing websites, updating mailing lists, or printing customers’ receipts, many businesses are surprised to learn that state and federal privacy laws may apply to some of their most ordinary tasks. Under Minnesota law, for example, businesses must take measures to protect all “personal information,” and are subject to specific reporting requirements if this information is breached.1 Because “personal information” includes social security numbers, debit and credit card numbers, and any type of electronic password,2 privacy obligations almost certainly apply to any modern business, regardless of its size.
If you own or operate a business, you likely have taken some measures to avoid the legal and reputational consequences of a data breach. Maybe you have hired a Chief Information Security Officer, revised your company’s social media policy, or even simply updated your anti-virus software. No matter what your business does or how large it is, you will need to develop the best data security strategy you can. To do so, consider discussing the following items with your security team and attorneys, particularly before finalizing contracts with vendors and other service providers.3
- Choice-of-law clauses
For businesses operating throughout the country, a choice-of-law provision in contracts with customers and vendors may help to ensure your business is held to the same contractual standard in every agreement. Securing this consistency may help prevent unwelcome surprises following a breach (apart from the unwelcome breach itself), such as a dispute over which state’s law governs a vendor’s obligations to you. One caveat: a choice-of-law clause governs the contract between the parties, not your statutory obligations. Breach notification statutes and security regulations generally apply based on where the affected individuals reside, whatever the contract says. Massachusetts, for example, requires any business that owns or licenses personal information about Massachusetts residents to maintain a “comprehensive” written information security program,4 and a contract that selects another state’s law will not relieve your company of that requirement if it holds such data. Have your attorney explain the benefits and limits of choice-of-law clauses and ask which state’s standards may be the fairest for your business and vendors to apply.
- Indemnity and security requirements
Whenever your company hands over the keys to confidential data, whether to a vendor or perhaps to a security tester (discussed below), you will want to limit or eliminate the risk of liability for a breach. One way to do so is to request an indemnity clause in the contract, which would hold the other party liable for damages caused by a data breach. The other side may not always agree, but given the severe consequences of a breach, it almost always makes sense to ask.
Even if you cannot secure a full indemnity agreement from your vendor, your contract should at least hold the vendor to a reasonable security standard. This may include requiring the vendor to adhere to all applicable state, federal, and/or international security laws, and you should view the contract as an opportunity to define on your terms what additional security measures must be taken: for example, encryption of your data in transit and at rest, restricting the vendor’s access to only the systems and data the engagement actually requires, a firm deadline for notifying you of a suspected breach, and a right to audit or to receive evidence of the vendor’s security practices.
Of course, assurances from another party will do little good without assets to back them up. In many cases, a contract should require parties to provide proof that they have sufficient insurance, particularly cyber liability insurance, to cover losses for which they may be liable.
- Insurance coverage
Many insurers now offer cyber and privacy policies that would cover a business for its liability to those impacted by a data breach. These policies may be crucial to an effective security plan, because data breaches may not be covered by standard commercial general liability (“CGL”) or errors and omissions (“E&O”) policies. Even worse, some policies may not cover loss of business income following a breach, which could prove devastating. It is good practice to consult with your insurance agents and your attorneys to assess whether your business is covered in the event of a data breach. As discussed above, businesses should conduct a similar review for any party that may have access to their data and insist that the other party provides some proof of adequate insurance coverage.
- Security Testing
Though insurance and indemnity agreements are critical to help minimize the damage after a breach, it’s always better to avoid the damage altogether. This is why many businesses hire experts to perform “vulnerability assessments” or “penetration tests” to help identify and eliminate security weaknesses. As strange as it may seem that businesses are in a way “paying to be hacked,” in some cases they may even be required to do so. For example, in 2017 New York adopted regulations requiring banks, insurers, and other financial services providers to conduct, at the very least, annual penetration tests and bi-annual (twice-yearly) vulnerability assessments.5 Although New York’s rule was among the first of its kind, it likely will be far from the last.6 Additionally, in data breach lawsuits throughout the nation, plaintiffs have claimed that these security testing services may be “industry standard” practices.7 When reviewing your data security strategy with your experts and attorneys, be sure to speak with them about what testing standards may apply to your business, and how to go about meeting those standards. Also consider how the issues discussed above, such as choice-of-law and indemnity clauses, may apply to contracts with security testing providers. A testing provider will, by design, be probing and possibly accessing your confidential systems, so the engagement should also be authorized in writing, with the systems, methods, and time windows that are in scope spelled out, along with how the tester must protect and eventually destroy any data and findings it obtains.
- Merger and acquisition agreements
If acquisitions are part of your business’s growth strategy, it is imperative that you and your attorneys review the target’s data security practices and risks as part of your due diligence. In the recent Marriott data breach, for example, hackers may have accessed Marriott customer information through the guest reservation database of Starwood, a company Marriott acquired in 2016; the unauthorized access reportedly began in 2014, before the acquisition, and went undetected until 2018.8 Because acquiring companies may assume the liabilities of the companies they acquire,9 you and your attorneys may want to reconsider or renegotiate the deal if the acquired company’s data security may be compromised.
These steps are just a few of the critical measures your business may need to take to protect its data and avoid calamity.
If you have any questions regarding the content of this article or other cyber security topics, please contact the author at (651) 227-9411.
1 Minn. Stat. §§ 325E.61, 13.055.
2 Minn. Stat. § 325E.61, subd. e.
3 The 2013 Target data breach, in which attackers used network credentials stolen from one of Target’s HVAC vendors to reach Target’s systems, is the quintessential cautionary tale of what can go wrong when vendors have access to your confidential information.
4 201 Mass. Code Regs. 17.04.
5 N.Y. Comp. Codes R. & Regs. tit. 23, § 500.05.
6 See, e.g., Wash. Admin. Code §§ 82-75-430, 82-75-440 (2018) (containing Washington’s rules requiring annual penetration testing); N.J. Admin. Code § 13:69D-2.4 (2018) (containing New Jersey’s rule requiring land-based casinos to perform mandatory penetration testing to promote confidence in the New Jersey casino industry); Information Security and Privacy Requirements for Contractors, 2017 Tex. Reg. Text 457187 (NS) (proposed May 12, 2017, withdrawn July 14, 2017) (containing Texas’ proposed rule requiring contractors of the Department of Housing and Community Affairs to conduct internet security scans and internal network vulnerability assessments); Idaho Exec. Order No. 2017-02 (Jan. 6, 2017), https://gov.idaho.gov/mediacenter/execorders/eo17/EO%202017-02.pdf (containing Idaho’s rule requiring the State Department of Administration to facilitate annual penetration tests and vulnerability scans on state technology systems).
7 Antman v. Uber Techs., Inc., No. 3:15-CV-01175-LB, 2015 WL 6123054, at *3 (N.D. Cal. Oct. 19, 2015); Compl., In re: The Home Depot, Inc. Customer Data Sec. Breach Litig., No. 1:14-md-02583-TWT, 2015 WL 10213204 (N.D. Ga. May 1, 2015); Second Am. Class Action Compl., Torres v. Wendy's Int’l LLC, No. 6:16-cv-210-PGB-DCI, 2017 WL 1532422 (M.D. Fla. Apr. 3, 2017).
8 Sara Merken, Marriott Hack Highlights Cybersecurity Risks in Acquisitions (1), Bloomberg Law (Nov. 30, 2018), https://news.bloomberglaw.com/privacy-and-data-security/marriott-hack-highlights-cybersecurity-risks-in-acquisitions-1.
9 In Minnesota, for example, where one corporation sells or otherwise transfers all of its assets to another corporation, the buyer generally is not liable for the liabilities of the seller, but there are exceptions to this rule. Dunn v. Nat'l Beverage Corp., 729 N.W.2d 637, 644 (Minn. Ct. App. 2007), aff'd, 745 N.W.2d 549 (Minn. 2008) (citing J.F. Anderson Lumber Co. v. Myers, 206 N.W.2d 365, 370 (Minn. 1973)).