BreachExchange mailing list archives

Companies target each other in data breach disputes


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 27 Apr 2015 18:29:43 -0600

http://www.businessinsurance.com/article/20150426/ISSUE0401/150429948/companies-target-each-other-in-data-breach-disputes


It is difficult to escape the headlines about computer data security,
especially regarding credit card breaches, that have dominated the media
since Target Corp. was hacked in late 2013. In response, plaintiffs’
lawyers have brought class-action lawsuits by the dozens against hacked
retailers.

The real next frontier in security breach exposure is likely to come from
commercial claims, however, not from consumer claims. Why is that, and what
can you do about it?

The consumer bar has been trying for years to tap privacy and data
security, with fairly limited success. Although a few high-profile cases
have settled, the track record for consumer suits has not been strong. This
is due to a number of factors, but mainly because we have no single
national law governing data breach issues, and we haven’t seen quantifiable
harm to individuals after most reported breaches.

As a result, the class actions coming into court are based on laws not
designed for electronic data issues. Also, despite persistent headlines
about hacking, there has been no pattern of demonstrable consumer injuries:
no mass unauthorized use of Social Security numbers, no wave of fraudulent
charges to stolen credit cards. Absent specific laws regarding what
constitutes protected data, what standard of care has been violated, and
what actual harm has occurred, our courts have been reluctant so far to
impose liability relating to consumer data breaches.

In the meantime, though, commercial liability disputes are starting to hit
the courts, and are much more likely to catch the attention of the
judiciary.

Disputes about commercial risk allocation are as old as contracts. They are
familiar to judges. They involve sophisticated parties. And nearly every
commercial agreement has risk allocation language in it. That gives the
parties a way to frame an argument, and a judge a way to analyze and
interpret their intent in light of the facts after a breach. In addition,
the harms are quantifiable: “it costs my business X dollars directly and Y
dollars to cover and mitigate” is easy for a judge to understand.

This means that your information technology and related agreements are
increasingly likely to determine your risks in the case of a breach. The
highest-profile example is the issuing banks behind the cards exposed in
the Target hack. They sued Target to recover the direct costs they incurred
from the breach (new cards, customer relations). Target tried to have the
claims dismissed. The court refused. How should this unfold: Does Target,
arguably a victim, have to pay costs its vendors incurred? And how will
provisions in old agreements be interpreted regarding allocation of risk
(post-breach costs) between parties?

Commercial exposure

Vendor management is likely to become increasingly important as an overall
risk management strategy — one that also includes technological protection
for personal information, employee training, insurance coverage, and
enterprise planning. Standardizing the “asks” in your purchasing contracts
and clauses may go a long way toward managing risk.

There are several provisions to consider. Obtaining them all is highly
unlikely, unless you have enormous negotiating leverage. Consider this a
menu, and see what is available based on the relationship and equities
between you and your vendor.

Representations and warranties

At minimum, the vendor should “rep and warrant” that security will perform
according to agreed-upon specifications. Ideally, the vendor will have its
own (higher) standards that address how secure the system is and what level
of effort would be required to penetrate it. A middle ground might be a
warranty of performance to “industry standard.” In addition to a security
warranty, you may want to consider whether you need a warranty as to data
integrity: that the vendor’s system will not allow your data to suffer
loss, impairment, corruption, or similar.

Indemnification

Whether a vendor warrants any standards of security or data integrity,
consider asking for coverage of your losses in case of an incident that
occurs because of the vendor. Ideally, there would be no limits on the
vendor’s liability for any indemnity given, but that is likely to be the
subject of negotiation.

Insurance

Also consider a requirement of relevant insurance. “Relevant” insurance
probably is a cyber liability policy. It is increasingly rare that
commercial general liability or professional liability will cover any cyber
incident. Cyber policies often are sold modularly. Like a homeowner’s
policy that does not cover flood, a cyber policy may not cover indirect
losses such as business interruption, or losses due to employee
malfeasance, or a particular kind of peril like a hack, for example.

Duty to notify and investigate

In addition, you may want to ensure that your vendor has a duty to notify
you of any suspected incident and to investigate or assist your
investigation. This is because the patchwork of state laws that specify how
to respond to a breach could permit a vendor to delay notice to you, or to
decide that notice is not required. Either way, you are deprived of the
right to make a timely decision as to whether you have any duty to notify
your customers or other third parties of an incident.

Undertakings regarding data

If your vendor is storing your data or has any unique instance of it,
consider whether you should obtain a commitment from the vendor that covers
several things. Data back-up and accessibility obligations would require
the vendor to ensure that there is a second copy of your data available,
updated, and accessible at all times in case of emergency or incident in
the vendor’s primary network.

A promise to return a useable electronic copy of your data to you after
expiration or termination also puts the onus on your vendor to maintain the
integrity and comprehensiveness of your data. This indirectly affords you
additional protection that the vendor can and will perform with respect to
security and access.

Employee and contractor confidentiality

Finally, ensure that the confidentiality obligations in your standard
agreements address appropriately any electronic data to which vendors,
their contractors and employees will have access. All relevant persons
should be covered, and the definition of “confidential information” should
be adequate to protect the sensitive personal data in your care.

No single measure, or combination of measures, can protect you completely
from the exposure that comes with a breach.

Working to standardize the protections you receive from vendors may,
however, help you plan. It also may be a factor in your underwriting risks
as you pursue your own cyber insurance policies.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 