by Ronald Weikers, Leslie Spasser and Rebecca Conner
The laws governing data security impose varying obligations on businesses that maintain data, and courts are starting to weigh in as to the duties that exist between business customers and their vendors. This article summarizes recent legal developments in this area of the law and provides practical pointers to assist counsel in negotiating contracts that minimize their clients' liability.
Over the past decade, outsourcing and interconnectedness have become the rule, not the exception, for businesses in virtually every sector of the economy. One of the most significant challenges faced by counsel is assessing their clients' exposure to data security breaches arising from third parties, and implementing effective contractual protections to minimize that exposure. The laws governing data security impose varying obligations on businesses that maintain data, and into this complex environment courts are starting to weigh in as to what duties exist between business customers and their vendors. This article summarizes recent legal developments regarding data security obligations between commercial customers and vendors, and sets forth practical steps that counsel can take to negotiate contracts that minimize their clients' potential liability.
Data Security - Legal Background
Data security, at both the federal and state levels, is governed by a patchwork of laws, rules and regulations, many of which are industry-specific and most of which address the relationship between businesses and consumers. Nonetheless, the standards created by these laws and their implementing regulations are shaping the direction of business-to-business liability in other industries. The Federal Trade Commission ("FTC") reinforces and evolves these standards through enforcement actions against businesses that experience security breaches. Using its authority under the FTC Act, the FTC targets misrepresentations about the level of security provided, as well as misstatements about how consumers' personally identifiable information ("PII") is handled. The resulting consent decrees set forth requirements for responsible security practices that apply across industries.
While FTC enforcement actions generally focus on misrepresentations to consumers, recent actions have addressed the security obligations that a business collecting PII must impose on any vendor that has access to that data. In In re Premier Capital Lending, Inc. and Deborah Stiles, the data breach at issue occurred after Premier Capital Lending, Inc. ("PCL") gave a business partner access to PCL's database of mortgage loan applicants' PII. The FTC alleged, in part, that PCL engaged in unfair and deceptive practices by failing to (a) "assess the risks of allowing a third party to access consumer reports through PCL's account" and (b) "implement reasonable steps to address these risks by, for example, evaluating the security of the third party's computer network and taking steps to ensure that appropriate data security measures were present." In the resulting consent decree, the FTC imposed on PCL the obligation to develop and use "reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondents and requiring service providers by contract to implement and maintain appropriate safeguards." [footnotes omitted]
Ronald N. Weikers is Managing Partner at Weikers & Co. | Software-Law.com, where he focuses on software licensing. He is also an Adjunct Professor of Law at the University of New Hampshire School of Law, Franklin Pierce Center for Intellectual Property, where he teaches courses in cybercrime and software licensing.
Leslie F. Spasser is a shareholder at LeClairRyan, P.C., where she leads the Firm's Media, Internet and E-Commerce Industry Team, and focuses her practice on the areas of content licensing and distribution, technology development and licensing, and the provision of cloud computing and hosted services. She also counsels clients on privacy and data security issues.
Rebecca B. Conner is an associate at LeClairRyan, and focuses her practice on emerging growth companies in a variety of practice areas including entity formation, intellectual property matters, and financing transactions. Ms. Conner also regularly advises clients concerning issues relating to