Articles Posted in Cybersecurity and Privacy

Posted

This blog is the second part of a two-part series on key contracting issues with technology service providers, and the focus is specifically geared toward companies doing business in the real estate industry.

As noted in Part 1, technology has infused every sector of society, and the real estate business is no different. Firms running large, complex real estate projects typically do not have the core competency to design, develop, implement, host, and/or maintain the technology applications and systems to run these innovative ideas, which is why these firms typically partner with third party technology service providers to design, develop, and implement their technology needs.

Entering into these partnerships with third party technology providers can come with risk and requires a contracting strategy. In Part 1, I discussed the issues of pricing and service performance. In this Part 2 below, I discuss data protection, infringement, and insurance.

Posted

Managed security services are often a natural “add-on” when outsourcing IT services given that data protection is integral to application development, software as a service, and cloud storage, among other services. More recently, managed security services has become a “niche” sourcing alternative that many companies are considering as they seek to leverage supplier’s expertise in cyber threat assessment, detection and response. One critical consideration to keep in mind prior to outsourcing your cybersecurity is that you cannot outsource your regulatory responsibilities. In a sense, you may hire a supplier to protect your and your clients’ data and cyber infrastructure to the degree required of your organization under the law, but if those legal standards are not met by the supplier, your organization remains liable.

Under U.S. laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Federal Information Security Management Act (FISMA), executive orders and state-specific regulations, or the UK Data Protection Act, you may outsource day-to-day information management; you may not outsource your regulatory liability. If a breach occurs, your organization must notify your own clients, state Attorneys General and federal agencies, as applicable. Enforcement actions may be taken against your organization based on violation by a supplier, regardless of your organization’s knowledge, involvement, or lack thereof. For example, the Consumer Financial Protection Bureau (CFPB), a relatively new federal agency formed in 2011 under The Dodd-Frank Act, explicitly targets its enforcement powers at the conduct of both financial institutions and their service providers.

As of 2012, the CFPB announced that it expects “supervised banks and nonbanks to oversee their business relationships with service providers in a manner that ensures compliance with federal consumer financial law” and avoids harm to consumers. And what is one of the biggest risks of harm facing consumers in 2015? Loss or improper disclosure of consumers’ personal and financial data, which may occur over the Internet, via smart-devices and related applications, at merchant points of sale when making card payments, or even at the hands of a rogue employee within your organization or that of your supplier. If the CFPB investigates your organization, as a matter of course they will likely investigate your service provider(s), if any, and focus on areas of consumer data security and risk of identity fraud.

Posted

Computer Weekly recently published the article NHS Care.data: The security concerns by Mike Pierides and Sarah Atkinson, Global Sourcing attorneys in Pillsbury’s London office. In the article, Pierides and Atkinson consider how England’s National Health Service is implementing a controversial programme to share patient data with the private sector, how the Care.data programme is intended to work, its legislative background, and the data security concerns that surround it.

Click here to read the full article

Posted

Be careful what you’ve promised your customers … or what has been promised about data you buy!

In today’s world, consumer data is a huge asset for companies across all industries, in particular those in technology-focused spaces like social media, apps, wearables, and retailers involved in e-commerce. The value of such data, however, is at least partly dependent on the extent to which the data can be transferred to third parties without restrictions on use. The ability of a company to sell or otherwise transfer its consumer data, whether in a merger, acquisition or otherwise, typically ties back directly to statements made in the company’s privacy policy. As illustrated by RadioShack’s recent bankruptcy sale, the latest in a series of high-profile examples over the years on this topic, promising not to share consumer information can create a significant obstacle for future asset sale transactions.

For more information, check out our Client Alert.

Posted

As more and more companies of all sizes ranging across a wide spectrum of industries have been exposed to network and data security breaches in recent years, the market for insurance products dedicated to cover cyber risks has grown just as fast. With policies sold under names like “cyberinsurance,” “privacy breach insurance,” “media liability insurance” and “network security insurance,” the market for this coverage often seems chaotic, with premiums and terms varying dramatically from one insurer to the next.

For more information, please read our Client Alert.

Posted

Part 2: How are Limits of Liability Evolving, with Respect to the Issue of Data Breaches?

Ten years ago, most “buyers/customers” expected their suppliers to absorb unlimited contractual liability if the supplier was responsible for a breach affecting the customer’s data. Today, while customers may continue to insist upon such a position at the beginning of negotiations, they frequently expect that market-leading suppliers will ask for some sort of limit to the supplier’s potential liability for data breaches.

When customers are forced to negotiate a liability cap applicable to breaches of data (including PII and PHI), they usually insist that such liability cap be an amount that is greater than the “standard” limit of liability under the Agreement (i.e., greater than the standard financial cap applicable other contract breaches).

Posted

Part 1: Contractual Protections With Respect to Data Breaches

Given the unrelenting, it seems, news reports of cyber attacks and data breaches affecting customer records and data, the issue of what are the appropriate contractual provisions that should govern data breaches in a contract between customers and suppliers remains timely, sticky, and constantly-evolving. Below are several observations regarding contractual language and protections with respect to data breaches, where a supplier has access to and/or could cause or allow a customer’s data to be breached.

  • Customers continue to insist upon strict terms and conditions requiring their suppliers to protect the customer’s confidential information, including with respect to the customer’s (i) data (i.e., information stored in equipment and software), (ii) Personally Identifiable Information (PII), and (iii) Protected Health Information (PHI).

Posted

Any company that uses information technology is a potential target for data theft, advanced malware and other cyber threats.  Cyber threats have emerged as a growing systemic risk particularly to the financial sector in which Financial Market Infrastructures (“FMIs”) are increasingly under attack from a wide range of players, at greater frequency and growing levels of sophistication.   Regulators, standards bodies and other authorities around the world are giving a high priority to cybersecurity for these reasons.  This post summarizes what regulators are doing in the Europe to address these threats and describes some of the actions companies everywhere can take to minimize their exposure.

What are EU regulators proposing to improve FMI cybersecurity?

The European Commission has initiated a push to “protect open internet and online freedom and opportunity” by 2020. This initiative includes combatting cyber-attacks against information systems, establishing an EU cybercrime centre and coordinating Emergency Response teams, cyber-attack simulations and national alerts among all EU Member States. These efforts are also intended to align with the international fight against cybercrime. The next five years will see an increase in costs as FMIs and regulators pay to rapidly update single FMIs and solidify an EU-wide cybersecurity structure.

Posted

Join two of our SourcingSpeak bloggers, Joe Nash and Meighan O’Reardon, as they explore “Cybersecurity as a Service,” an emerging concept that allows companies to more centrally manage cybersecurity. They will highlight how these services may be leveraged by corporations looking to mature their cybersecurity capabilities and address cybersecurity risk from a legal,

operational and management standpoint. Topics that they will cover include:

  • How can these cybersecurity services be leveraged by an organization?

Posted

The security community has been abuzz this week with the US. District Court of New Jersey’s April 7 ruling in Federal Trade Commission v. Wyndham Worldwide Corporation, et al. (see http://www.adlawaccess.com/wp-content/uploads/sites/137/2014/04/Opinion.pdf). Wyndham had asserted in a motion to dismiss that the Federal Trade Commission (“FTC”) did not have the authority to pursue enforcement actions against the hotelier related to data security. The District Court denied the motion and held that the FTC may in fact pursue claims related to data security under Section 5(a) of the FTC Act’s prohibition on unfair or deceptive acts or practices affecting commerce (see 15 U.S.C. 45(a)). While the significance of the holding is being debated in the legal community, this week’s decision highlights the Federal Government’s increasing emphasis on requiring certain baseline cybersecurity practices by the private sector.

The background facts of the case are fairly straightforward. The FTC brought suit against Wyndham Worldwide, Corp. in the wake of three separate security breaches that occurred between 2008 and 2011 and resulted in the theft of guests’ personal information (e.g., payment card account numbers, expiration dates, and security codes). The FTC alleges that after the initial two security incidents, Wyndham failed to implement reasonable and appropriate security measures which exposed consumers’ personal information to unauthorized access and resulted in consumer injury. Specifically, the FTC alleges that there were several problems with the Wyndham’s information security practices including wrongly configured software, weak passwords, and insecure computer servers.

So what does the Court’s holding mean for the private sector? Since, up until this case, the FTC’s data security actions have been settled out of court, this case marks the first time that the courts have ruled on the merits of the FTC’s authority related to data security actions. Fundamentally, the decision affirms that the FTC has the power to pursue enforcement actions for unreasonable cybersecurity practices under existing laws. The Court, however, cautioned that “this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” It is also important to note that the Court’s decision did not include a verdict on Wyndham’s liability in the matter (interested parties should continue to watch as the matter continues).