A Practical Approach to Mitigating Data Breach Risk in an Interconnected World

by Ronald Weikers, Leslie Spasser and Rebecca Conner

The laws governing data security impose varying obligations on businesses that maintain data, and courts are starting to weigh in as to the duties that exist between business customers and their vendors. This article summarizes recent legal developments in this area of the law, and provides practical pointers to assist counsel in negotiating contracts that minimize their clients' liability.

Excerpt:

Over the past decade, outsourcing and interconnectedness have become the rule, not the exception, for businesses in virtually every sector of the economy. One of the most significant challenges faced by counsel is assessing their clients' risk to potential third-party-related data security breaches, and implementing effective contractual protections to minimize that exposure. The laws governing data security impose varying obligations on businesses that maintain data. And into this complex environment, courts are starting to weigh in as to what duties exist between business customers and their vendors. This article summarizes recent legal developments regarding data security obligations between commercial customers and vendors, and sets forth practical steps that counsel can take to negotiate contracts that minimize their clients' potential liability.

Data Security - Legal Background

Data security, at both the federal and state level, is governed by a patchwork of laws, rules and regulations, many of which are industry-specific and most of which address the relationship between businesses and consumers. Nonetheless, the standards being created by these laws and their implementing regulations are shaping the direction of business-to-business liability in other industries. The FTC reinforces and evolves these standards through enforcement actions against businesses that experience security breaches. Using its authority under the FTC Act, the FTC targets misrepresentations about the level of security provided, as well as misstatements about how personally identifiable information ("PII") of consumers is treated. The resulting consent decrees set forth requirements for responsible security practices that apply across industries.

While FTC enforcement actions generally focus on misrepresentations to consumers, recent actions have addressed security obligations that a business collecting PII must impose on any vendors that have access to that data. In In re Premier Capital Lending, Inc. and Deborah Stiles, the data breach at issue occurred as a result of Premier Capital Lending, Inc.'s ("PCL") provision of access by a PCL business partner to PCL's database of mortgage loan applicants' PII. The FTC alleged, in part, that PCL engaged in unfair and deceptive practices by failing to (a) "assess the risks of allowing a third party to access consumer reports through PCL's account" and (b) "implement reasonable steps to address these risks by, for example, evaluating the security of the third party's computer network and taking steps to ensure that appropriate data security measures were present." In the resulting agreement to consent decree, the FTC imposed on PCL the obligation to develop and use "reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondents and requiring service providers by contract to implement and maintain appropriate safeguards." [footnotes omitted]

Access the full version of "A Practical Approach to Mitigating Data Breach Risk in an Interconnected World" with your lexis.com ID. Additional fees may be incurred.

Lexis.com subscribers can access the complete set of Emerging Issues Analysis for Cyber & E-Commerce Law and the Cyber & E-Commerce Area of law page.

If you do not have a lexis.com ID, you can purchase this commentary and additional Emerging Issues Commentaries from the LexisNexis Store.

Ronald N. Weikers is Managing Partner at Weikers & Co. | Software-Law.com, where he focuses on software licensing. He is also an Adjunct Professor of Law at the University of New Hampshire School of Law, Franklin Pierce Center for Intellectual Property, where he teaches courses in cybercrime and software licensing.

Leslie F. Spasser is a shareholder at LeClairRyan, P.C., where she leads the Firm's Media, Internet and E-Commerce Industry Team, and focuses her practice on the areas of content licensing and distribution, technology development and licensing, and the provision of cloud computing and hosted services. She also counsels clients on privacy and data security issues.

Rebecca B. Conner is an associate at LeClairRyan, and focuses her practice on emerging growth companies in a variety of practice areas including entity formation, intellectual property matters, and financing transactions. Ms. Conner also regularly advises clients concerning issues relating to technology contracts.