Use this button to switch between dark and light mode.

Cybersecurity and Data Privacy in Commercial Real Estate

July 06, 2022

By: Eric B. Levine, LINDABURY, MCCORMICK, ESTABROOK & COOPER, P.C.

This article discusses several key considerations for evaluating cybersecurity and data privacy practices when counseling owners of commercial real estate (CRE). 

THE ARTICLE ALSO DETAILS WHAT STEPS SHOULD BE taken to mitigate the risk of unauthorized release or exposure of data in the possession of CRE owners. This article is written from the landlord’s perspective and applies to all manner of commercial properties, including industrial, office, retail, healthcare, hotel, and mixed-use properties.

Understand that each class of commercial property is unique and comes with a distinct set of concerns, warranting site-specific counseling of CRE owners. Note as well that you must carefully evaluate the information in this article in light of all state and local laws applicable to your client’s location. Finally, you should counsel your clients on their own internal cyber hygiene and security practices; it is just as important for commercial landlords to protect their own confidential data as it is for them to protect their tenants’ data.

Getting Started – Client Information

As an initial step to counseling clients about the risks associated with cybersecurity/data privacy and CRE, it is important that you understand the level of sophistication of your clients, what type of properties your clients are leasing, and who their tenants are. This may appear to be elementary as most attorneys conduct client interviews when first engaged by any clients. But with CRE and cybersecurity, the conversation must go to a deeper level. Without this level of detail, it is possible that site-specific cybersecurity advice could be missed. This requires in-depth conversations with your clients to develop a thorough understanding of:

  • The type of properties being leased
  • The nature of the properties’ usage
  • The type of tenants utilizing the properties
  • The services provided to the tenant by the owner/landlord of the properties

Type of Property and Tenant

Consider how different uses of CRE can impact legal issues when preparing your advice for a landlord client. For example, if your client leases an industrial warehouse that is climate-controlled—such as a warehouse storing perishable goods, pharmaceutical inventories, or cloud servers—and the climate controls are internet-accessible, the integrity of the HVAC system may be the single largest concern of the tenant and a particularly vulnerable access point for data intrusions. An outside threat actor accessing temperature controls of the warehouse and altering the pre-set climate conditions by just a few degrees could significantly damage the materials that are being warehoused or otherwise impair tenant operations.

Next, consider if your client owns a multi-tenant retail property, such as a mall, where the tenants may rely on an open (unsecured) Wi-Fi system that provides amenities and services to tenants and customers. Open Wi-Fi systems are convenient for customers but present a set of vulnerabilities that must be minimized. Imagine the business impact that could befall the tenants of this type of property should that open Wi-Fi system be used to infiltrate other building systems and cripple them.

Or, what if your client owns a smart building that integrates state-of-the-art building-management technologies to provide related benefits and building efficiencies to tenants, such as biometric recognition, inventory tracking technologies, and security and building systems (like elevators or lighting) that are monitored by a vendor at a centralized, off-site location? The breach of any of these systems could effectively shut down the building and impact the tenants’ businesses. The resulting disputes that may arise between your client and its tenants are both foreseeable and preventable.

You need to recognize at the outset of client retention what your client’s unique needs are related to the specific property, as there is no one-size-fits-all advice you can give to your client to achieve maximal protection from potential cybersecurity-related liability. For instance, the concerns of a hospitality-based piece of CRE like a hotel are far different than the concerns of an industrial property, so the lease provisions must be particularized to maximize the landlord’s ability to maintain control.

You also need to learn about each property’s operational technologies, meaning the software and hardware that monitor and control the property. Ask your client to describe what systems are used to control and monitor the properties. If more than one system has been installed, are they integrated, or do they function separate from one another? Are they internet-accessible?

Each type of property is associated with particular benefits and vulnerabilities requiring varying levels of landlord responsibility and protective measures. Today’s tenants expect more amenities, modern systems, and seamless landlord-tenant interfaces as part of their leasing relationship. Furthermore, many commercial properties are supported by outside vendors such as HVAC service, plumbing, maintenance, and cleaning crews. As discussed in Evaluating Vendor Contracts and Security Measures below, tailoring your client’s vendor agreements to address data privacy is an integral step in protecting your client from potential liability.

Single vs. Multi-tenant Properties

It is important to understand the physical layout and tenant composition of the property. Cybersecurity and data concerns may be much less complex in a stand-alone, single-tenant property compared to a multi-tenanted office complex, apartment building, or retail property like a mall. For example, if your client is leasing a retail property, you need to determine who will be responsible for establishing infrastructure supporting a point-of-sale system. If a tenant’s point-of-sale system connects to an external network, it will be more susceptible to attack. You need to address in the lease who is responsible for the maintaining the security and integrity of the connection to any external network.

Moreover, in a multi-tenanted property, landlords have to consider the implications of common areas such as lobbies, cafeterias, hallways, loading areas, garages, and restrooms. It is not uncommon for a multi-tenanted property to have sophisticated levels of security covering common areas and electronic security for off-hour access. A multi-tenanted property will also likely have a high number of vendors frequenting the property, engaged by either the landlord or the tenants. As the risk of cyber-intrusions increases, so does the complexity of the leases between your client and its tenants; the leases must address allocation of security responsibility for third parties, indemnification/hold harmless provisions, insurance concerns, and mandated security efforts to be undertaken by tenants and their vendors. See Leasing—Allocating Responsibility to the Tenant through Lease Provisions below for more information.

Client’s Experience and Level of Sophistication

You will need to consider the level of sophistication of your clients in order to determine how well-suited they are to addressing the risks of owning CRE in the digital age. It is not uncommon for CRE owners to be multigenerational owners who own properties for long periods of time. If this is the case, your client’s properties and building systems may be outdated and in need of restoration, upgrading, and modernization to attract creditworthy tenants. But note that modernization is often accompanied by increased risks associated with building systems such as access management controllers, computerized air controllers and HVAC systems, cameras/security systems, and automated alarm/fire suppression systems. These types of systems require computer networks to operate, and many will also be connected to the internet to allow off-site monitoring, control, and troubleshooting. These connections are a popular attack vector for external threats. Your client must address potential risks by allocating liability in its leases and maintaining proper insurance.

Questions to Ask Your Client

During your first consultation with your client, explore the following questions to better understand what sort of landlord you are counseling:

  • How many properties do you own?
  • Where is each property located?
  • How long have you owned each property?
  • What has the property been used for? Is the use industry-specific? For example, if it is a warehouse, what is stored there?If office space, what types of industries operate there? Is it retail, providing point of service terminals?
  • How many tenants are in each property?
  • If properties are vacant (partially or wholly), who/what is your preferred tenant for the vacant space?
  • When was the last time the leases were reviewed by counsel?
  • Are the properties managed by an independent, third-party property manager or by in-house staff? If by third parties, you should do the following:
    • Investigate the experience of the third-party vendors and review all property management contracts.
    • Ask when property management was last turned over to a new company.
    • Identify all internal employees with property-specific responsibilities and determine what information each has access to.
  • Who is the landlord’s support team? Be sure to obtain a list
    of all vendors and subcontractors that service the building, review all contracts, and maintain them in a centralized but protected location.
  • Has the property been retrofitted or upgraded recently? If
    so, it is important to understand exactly what aspects were upgraded and who performed the upgrades. For security reasons, once a property that integrates technology accessible from outside the building (i.e., internet-accessible systems) has been built, owners should have all internet-accessible systems analyzed by an independent cybersecurity professional to ensure system integrity and change passwords and log-in information. This should not be done by the entity that performed
    the construction.
  • What services or amenities are provided by the landlord to the tenants?
  • Are the properties connected to the internet and, if so, are updated security measures in place (firewalls, virus protection, end-point security/encryption, malware)?
  • How does each tenant pay rent (electronically or manually)?
  • How does each tenant communicate with the landlord (email, text, phone)?
  • What sort of tenant-based information and records does the landlord collect and why?
  • Where does the landlord store property- and tenant-specific information (cloud servers, on-site network servers, tape backups, electronic spreadsheets, physical files)?
  • How is property- and tenant-specific data protected from improper access and how is it purged? Be sure to review all document-retention and destruction policies.
  • What sort of insurance policies are in place for each building?
  • What experience does the landlord have with cybersecurity/data privacy in any context?
  • Are there existing corporate cybersecurity/data privacy policies and training programs in place?

The questions are illustrative only and are not meant to be all inclusive. Only once you have a complete understanding of who your client is and their experience with their properties and tenants can you provide tailored advice. By asking these questions, you will also get the opportunity to educate your client, especially if your client is a first-time landlord or has limited experience in CRE.

Risks to Consider

It is important to advise your clients of the data privacy-related risks associated with owning CRE. Historically, CRE has not been as focused on data privacy as other industries such as healthcare and manufacturing; CRE owners tended not to possess the same types of information and data as other industries that were more frequently targeted by outside threat actors. However, the risks of being targeted by cybercriminals is every bit as real for CRE owners and is growing with the advent of more CRE-friendly technology.

Do not assume that your client understands the nature of risks that a data breach can cause. And do not assume that because your client owns a small number of properties or does not lease to national, big box clients that they will not be targeted by outside threat actors. You must explain to your clients that the following are some of the risks that they must address for each of their properties:

  • Safety concerns. Consider how improper access to building systems, such as elevator, lighting, or air quality controls, could cause a safety risk to tenants.
  • Damage to tenant property, inventory, or productivity. Understanding the nature of the business operating in your client’s property is critical to assessing and controlling risk of damage to the tenant’s business and the property’s contents. We have already noted the potential impact on a tenant in a climate-controlled building storing temperature-sensitive products with an HVAC system that can be remotely accessed from outside the property. Should an unauthorized user access the HVAC system and raise the temperature a few degrees, it could be devastating to a tenant, who will then likely look to the landlord for compensation for any loss. Consider in the retail sector if a landlord loses control over building systems that force tenants to close their businesses pending recovery of the systems. Likewise, imagine the impact on tenant operations in a high-rise building complex if elevators and stairwell lighting are incapacitated for an extended period of time, forcing the closure of tenant offices on higher floors due to inaccessibility. These are the types of scenarios you need to review with your client.
  • Data breach liability/data exposure/data loss. Your client needs to understand that if there is a data breach and your client maintained tenant data, anyone whose personal information
    is accessed could potentially sue the landlord. This means not just the tenants themselves, but the tenants’ employees, their vendors, and even their customers and clients.
  • Loss of reputation and tenant trust. CRE owners must understand that should a cyber-breach occur resulting in a disruption of operations or loss of data, inevitably tenants will look to the landlord for answers as to how such an incident occurred and whether it could have been prevented. The detrimental impact on a landlord’s business could be severe. Reputational harm could follow the landlord for years, making them an unattractive landlord option to tenants.
  • Costs of data recovery and repairs. Restoring data after exposure or a ransomware attack can be costly, especially if the data is not properly backed up. In some circumstances, your client may need to rebuild its entire computer system.
  • Litigation costs. Last, but by no means least, are the costs of having to defend lawsuits brought by individuals and companies that have had their data accessed without authorization. These are the costs of defending any claims only and are exclusive of any damages or regulatory fines.

Data Collection

Once you have educated yourself about your clients and discussed the list of potential risks with them, have your clients gather property-specific information in an effort to catalog any and all data that comes into their possession to determine what requires protection. This includes digital information as well as physical records, and records in your client’s possession or in the possession of third-party vendors.

Technology Audit

The first step for any commercial landlord is performing a technology audit to assist in understanding the threats their particular real estate and tenants present. An integral part of any competent cyber hygiene program is advising clients to perform a technology audit and to map their data. A technology audit is an evaluation of a business’s information technology (IT) infrastructure and how the client currently uses that infrastructure, including a review of the client’s operations and policies/procedures. A proper audit will show whether those operations and policies make the best use of the assets used by the organization and that the data that organization interacts with is stored in a secure manner. While the audit process is not a purely legal process that counsel performs for clients, it is beneficial for counsel to participate in the process and evaluate the results.

For instance, if your client performs an audit and the results show that no data-security policies exist or that any existing policies are outdated, your help may be needed in drafting or updating those policies. You can also assist your client by outlining the basic framework for this type of audit and advising your client to seek the assistance of an IT security professional in performing an audit.

In doing so and documenting your client’s efforts, in addition to firming up the client’s security infrastructure, you are creating a record of your client having taken reasonable measures to protect tenant information. The records of the audit provide a road map to a client for improving its data security, while providing a record of reasonable efforts that can be offered in defense of any claim asserted against a landlord for failing to take adequate measures to secure tenant information. Furthermore, your client may need to show that these efforts were taken in order to obtain cybersecurity insurance policies. Issuers of cyber insurance policies routinely demand that a potential insured complete questionnaires about data protection efforts undertaken by the potential insured.

With increased connectivity to cloud-based building systems, the Internet of Things, and remote-working employees, there are multiple points of access that can be exploited by hackers. It is now increasingly common that HVAC, electrical, lighting, security, safety, and building management systems can be accessed remotely in the ordinary course of building operations. It is crucial to understand how such systems are integrated into properties, what data they contain, and who can access them.

Locating and closing gaps in a client’s IT systems require:

  • Taking inventory of the systems integrated in the property
  • Determining who is responsible for their maintenance (landlord or tenant)
  • Documenting same in your client’s lease
  • Analyzing how these systems are configured for operations and remote access

You should advise your client to perform both physical and virtual inspections, including site walks and audits of contractors that completed work.

Ask your client what kind of tenant information is being stored and what is the purpose for having such information. For instance, if a tenant makes rental payments to a landlord electronically, it makes sense to have banking information of the tenant to effectuate payment. Also, consider advising your landlord client to get the express written consent of the tenant to obtain and store this information as part of the lease agreement. That way, your client has a record of having been authorized to store and use this data, which can bolster the defense of any claim raised by a tenant. Obtaining written authorization to store payment information is often overlooked in a lease, which normally contains rental terms such as the amount of rent, when rent is due, and late charge amounts.

Location-Specific Data Concerns

Historically, local authorities and municipalities did not exercise control over the type of tenant data that a landlord may retain, but that practice is changing. It is important for you to evaluate all federal, state, and local laws related to data privacy in the jurisdiction of the property in order to fully understand your client’s legal obligations and potential exposure.

A prime example of a local/municipal concern can be found in the New York Tenant Data Privacy Act (TDPA), established on May 8, 2021.1 The first law of its kind in the United States, the TDPA addresses privacy issues related to the use of smart access systems in multifamily dwellings. Among other things, the TDPA requires that all owners of Class A multiple dwellings (a dwelling for three or more families living independently of one another used for permanent residential purposes) that use smart access systems (e.g., key cards, phone access, fingerprint) take the following steps:

  • Provide tenants with a privacy notice written in plain language
  • Obtain consent for the use of smart access systems
  • Establish data retention periods for collected data
  • Ensure that collected data is not sold or shared
  • Create parameters surrounding the tracking of tenants
  • Protect data that landlords collect

The TDPA provides for a private cause of action by a lawful occupant of a dwelling unit and allows of the collection of compensatory and punitive damages as well as counsel fees. Other states considering similar laws include Hawaii, Illinois, Maryland, Massachusetts, and Nevada.

Illinois already has the nation’s most progressive laws on biometric data, the Illinois Biometric Information Privacy Act,2 which establishes rules for collection of biometric data like fingerprints, facial features, and other physiological characteristics. California is also at the forefront of privacy issues, and your client will be subject to the California Consumer Privacy Act (CCPA),3 if it collects consumer personal data, does business with any resident of California, and meets one or more of the following thresholds:

  • Has annual gross revenues in excess of $25 million
  • Buys, receives, or sells the personal information of 50,000 or more consumers or households
  • Earns more than half of its annual revenue from selling consumers’ personal information

These laws provide examples of why determining the laws that apply to your client’s operations is indispensable to your preparation of the lease of the property. If you do not understand what laws apply to the property, it is likely that the lease you prepare will lack many necessary protections for your client.

International Concerns

Another concern is whether your client is leasing property to individual international tenants, especially residents of the European Union (EU), or collecting data from such tenants. A landlord client may be subject to the General Data Protection Regulation (GDPR) without realizing it; even if your client is not leasing property to EU citizens or residents, it may still be collecting data from them simply by advertising properties online. If this is the case, a whole other set of requirements may apply to your client.

The GDPR protects citizens of EU countries, as well as noncitizens who reside in EU countries, and does not depend on the location of the entity holding those people’s data. The GDPR is concerned with the following areas of data privacy, among many others:

  • Being informed. A data collector must state why it is collecting personal information, how that information is used, how long it will be maintained, and if that information is intended to be shared.
  • Consent. If your client is collecting information from international tenants, your client must obtain consent for the data collection.
  • Breach notification. GDPR requirements for notification of a security breach are much more stringent that those of most U.S. states. For instance, EU residents must be notified within 72 hours of discovery of the security breach. Penalties for noncompliance under the GDPR are extremely severe, being composed of monetary penalties based off of worldwide sales figures.
  • Right to access. EU residents have a right to obtain confirmation about whether and how their personal data is being processed.
  • Right to be forgotten or erased. When data is no longer relevant to your client’s original purpose, the provider of the information can request that their data be erased and no longer distributed.
  • Data portability. EU residents have the right to obtain and reuse their personal data for their own purposes. Your client is responsible for creating processes and identifying employees who respond to requests for the portability or erasure of personal data.

Detailed analyses of individual jurisdictional laws such as the CCPA and the GDPR are beyond the scope of this article, but keep in mind that when you advise a CRE client, you must evaluate federal, state, and local laws, and possibly international law, related to property usage on an ongoing basis.

Evaluating Vendor Contracts and Security Measures

Recall that the 2013 Target data breach was caused by a vendor of Target that accessed Target’s systems to handle electronic billing, contract submission, and project management. Unbeknownst to the vendor and Target, the vendor had been the victim of a sophisticated cyberattack that infected the vendor’s systems with malware. The resulting data breach cost Target millions of dollars and significantly damaged its reputation and brand.

You should draft a vendor-management policy for your client that can also become a tenant obligation under a lease. The goal of this policy is to ensure that your client performs proper due diligence when hiring vendors that will have access to the landlord’s computer network and integrated building systems, as well as mandating compliance with any applicable data privacy and security laws. The policy should also:

  • Delineate your client’s oversight of the vendor and testing of services it provides
  • Outline exactly what information is being utilized by the vendor
  • Mandate that the vendor provide copies of its own security policies and controls to your client as part of the engagement process

It is important for your client to interface with vendors to determine how vendors are using the landlord’s data and what steps are being taken to protect it.

It is imperative that you review each agreement with a vendor or other third party providing services to the property. This is especially true for any vendor that accesses any building systems digitally. You should focus on the following areas:

  • Indemnification, defense, and hold harmless provisions. Any vendor that has access, or even potential access, to your client’s IT systems and data must agree to indemnify, defend, and hold the landlord harmless from any data breach arising from the vendor’s failure to secure data. Such indemnity language must be broad and not limit the amount of liability. Your client should be indemnified, defended, and held harmless from losses of all types, including third-party damages, regulatory fines, counsel fees, and costs of litigation. Be sure to include language obligating the tenant to defend, not just indemnify and hold harmless, your client.
  • Limited access to data and critical systems. The vendor agreement should include a provision limiting access to your client’s critical systems and information to as narrow a field of persons employed by the vendor as possible. By limiting the number of persons who can access the property and its systems, you restrict access to confidential information only to persons who need the information to perform their jobs.
  • Notice of breach requirements. The vendor agreements should include language requiring any vendor or third party servicing the property to provide immediate written notice to your client should the vendor become aware that it has or may have been the victim of a cyber-breach.
  • Scope of work and systems accessed. Vendor agreements should clearly define the exact scope of work to be performed and the building systems that need to be accessed in order to perform the work. This list should in turn be reviewed with your client’s IT team and its IT security professionals to identify areas of concern, gaps in protection, and efforts that need to be added to the scope to ensure system integrity.
  • Representations and warranties about the vendor’s security program/practices. It is important that any vendor agreement contain detailed representations and warranties of the vendor outlining that vendor’s data-protection efforts. For instance, a landlord needs to know that its vendors engage in their own data-security practices at a level of sophistication at least equal to the landlord’s. If not, this could cause a number of problems, including a disparity in security efforts that increases the risk of liability. Additionally, your client’s insurance carrier may require that all third parties engaged in business with your client show proof of adequate security measures as a condition of obtaining insurance coverage. Engaging a vendor who fails to meet this standard could result in a denial of issuance of a cybersecurity insurance policy. While it is not common to include a representation or warranty about prior cyber incidents in a vendor agreement, you should ask the vendor if it has been involved in any previous data breach/cybersecurity incident.
  • Limitations of liabilities. Be careful to evaluate vendors’ limitations of liability. It is not uncommon for a vendor to attempt to limit its liability to the value of its contracted services and limit liability for, or refuse to cover at all, consequential or punitive damages. Remember that the potential liability for a cyber-breach can be extensive based on how improperly accessed data is used, sold, and exposed. With virtually unlimited exposure possible,
    it behooves a landlord to negotiate hard against any limits of liability for cyber-breaches.
  • Insurance provisions. You need to pay attention to what manner of insurance and coverage limits a vendor has obtained to determine if it provides adequate coverage for your client. You should insist on reviewing copies of the vendor’s cybersecurity insurance policies and require that your client be named as an additional insured. (Remember that a cyber insurance policy provides different coverage than a general liability policy, which provides coverage for bodily injury and damage to property resulting from the operations and services provided by the covered entity.)
  • Dispute resolution, choice of law, and venue. As with other contracts you review with your clients, make sure that the vendor’s dispute provisions, choice of law, and venue selection provisions are consistent with your client’s expectations.

Security Testing and Incident Response Plans

One of the most important things you can counsel your client on is to regularly conduct investigations to understand the current state of its cybersecurity defense weaknesses and vulnerabilities. This practice includes periodically performing vulnerability assessments (hiring an IT security professional to identify, quantify, and prioritize the vulnerabilities in a system) and penetration testing (performing an authorized simulated cyberattack on a computer system using a third party commonly known as an ethical hacker to evaluate the security of the system). These technical exercises should become part of your client’s standard business operations as they are crucial for maintaining good cyber hygiene.

Attorney-Client Privilege and Work Product Doctrine

Your client’s investigations will likely produce an extensive list of potential problem areas that, in a perfect world, would all be promptly and exhaustively remedied. In reality, this remedial approach is often not feasible as most companies have budgetary and other practical limitations that may require them to prioritize which vulnerabilities to address first, and the degree of remediation they can reasonably undertake.

This means that it is possible that a breach could affect your client’s tenant before all of the identified vulnerabilities are remedied. Imagine if your client is sued for such a breach and you had to disclose the results of a vulnerability assessment when the recommended solutions have not been completed. If your client experiences a cyber-breach incident, this written report is likely
to become a prominent exhibit of any plaintiff action against the company over that breach. After all, the investigative results will show that your client knew about certain vulnerabilities and chose not to remedy several of them at that time.

If done properly, your involvement in the process can allow your client to rely on attorney-client privilege and/or the work product doctrine to maintain the confidentiality of the investigative results. The overriding principle of using privilege is straightforward: to protect your company’s breach response efforts from usage by third parties or regulatory agencies in litigation arising from a breach. Attorney-client privilege protects confidential communications between attorneys and clients over the course of a professional relationship from discovery by adverse third parties. The work product doctrine protects from disclosure those documents and other tangible things that a party or a party’s representative prepares in anticipation of litigation. You must understand the difference between the privileges and also recognize that privilege applies differently if you are in-house counsel to a CRE client or if you are outside counsel engaged by a CRE client.

You should research the requirements of the jurisdiction in which you are practicing to ensure that you satisfy all of the elements required to invoke attorney-client privilege. Recognize that the work product doctrine may not apply unless you are taking steps in anticipation of specific litigation. At a minimum, when engaging a vendor to perform a vulnerability assessment, you should:

  • Require all vendor contracts to be signed by counsel
  • Instruct the vendor to present all reports to you and not directly to the client
  • Ensure that all directions and communications, other than those related to logistics and scheduling, go through counsel and the vendor
  • Delineate the payment responsibilities of the client and your office, being careful to follow governing case law on how the payment of fees will affect the privilege

Make clear that the purpose of engaging this vendor is to:

  • Analyze the client’s potential exposure to liability and regulatory compliance
  • Enable you to prepare the client to defend against any litigation arising from the use of the client’s computer network and data it contains
  • Allow you to provide guidance on complying with any and all applicable laws

In-House Counsel Concerns

Companies with their own in-house counsel may sometimes want to avoid the additional expense of hiring outside counsel to arrange the cybersecurity vulnerability investigation. By having in-house counsel undertake the arrangements, however, a company may risk losing attorney-client privilege.

In-house counsel tend to have dual roles at their companies, meaning that they frequently provide both general business advice and legal advice. It may therefore be more difficult for a client to prove that in-house counsel was truly retaining the cybersecurity vendor for the purpose of providing legal advice, rather than simply as part of the in-counsel’s general business role at the company or as an officer of the company.

Outside counsel, on the other hand, tend to be brought in specifically for the purpose of providing legal advice on a focused issue, and therefore the potential dual role issues that in-house counsel may face can be avoided.

For their own protection, in-house counsel should instruct outside counsel to make all arrangements necessary to engage the IT security vendor who will perform cybersecurity vulnerability assessments. If these vulnerability assessments are undertaken at the direction of an attorney for the purpose of providing legal advice to the attorney’s client, then arguably the report detailing the client’s cybersecurity weaknesses will be protected from disclosure under attorney-client privilege. This can allow the client to be comfortable in doing the right thing by having its cybersecurity program evaluated and improved, while potentially avoiding having a list of vulnerabilities turned over in a future plaintiff litigation.

In-house counsel should work closely with management at their company to evaluate when it is appropriate to bring in outside counsel in connection with a cybersecurity vulnerability investigation and potentially obtain the benefits of attorney-client privilege for the results of that investigation.

Leasing—Allocating Responsibility to the Tenant through Lease Provisions

You will need to work with your landlord client to allocate responsibility for technology system integrity to their tenants through lease provisions. These provisions must clearly define each party’s role and responsibilities in the security process. These responsibilities will be ongoing throughout the lease term and should be thoroughly and clearly delineated.

Topics that must be addressed during lease negotiations include the following:

  • Allocating technology-related fit-up, upgrade, and repair responsibilities between landlord and tenants. In any landlord work letter, it is important to be explicit on the limits of any work done by the landlord, including stating clearly what ongoing obligations, if any, the landlord retains for maintaining the security of any fit-up work. For improvements/fit-up work done by tenants that are integrated into the building systems, you need to include a provision giving the landlord the right to evaluate and approve such work to ensure that the integration is successful and secure, while at the same time mandating that ongoing maintenance and monitoring for security remain with the tenant.
  • Representations and warranties as to the condition of the property. You should be sure that the lease references the current condition of any cybersecurity/data-related infrastructure of the property. It may be that tenants do not normally inspect certain building aspects such as Wi-Fi hubs, fiber-optic connections, or internet connections available on the property, but allowing them to do so can serve as a basis to argue for an allocation of liability should a breach occur in a system that a tenant could have inspected but chose not to.
  • Capping/limiting damages for cyber-related losses. Be careful to draft broad language when describing the limitations on the damages a tenant is waiving. If possible, negotiate a finite damage cap, in addition to narrowing the types of damages for which your client must reimburse a tenant. However, you should expect a tenant to demand that any limitation on damages to which it is subject to mirrors the limits of liability that your client is demanding.
  • Indemnification, defense, and hold harmless provisions. Similar to the indemnity provision discussed earlier related to vendors, you should negotiate a lease provision requiring the tenant to indemnify, defend, and hold the landlord harmless from any data breach arising from the tenant’s failure to secure its computer systems and data. This indemnity language must be broad and not limit the amount of liability. Your client should be indemnified from all types of losses, including third-party damages, regulatory fines, counsel fees, and costs of litigation arising from a tenant’s data breach. This is especially important in multi-tenanted properties.
  • Cyber-related insurance concerns. You should draft the insurance provision to mandate that all tenants obtain separate cyber insurance policies naming the landlord as an additional insured so that there is coverage for any breach caused by a tenant’s negligence. This is especially useful in multi-tenanted properties, like retail and office buildings. If you wish to mandate specific policy limits, you will need to consult with your client and an experienced cyber insurance broker to estimate potential breach-related costs in order to calculate acceptable limits.
  • Notice requirements should tenant learn of a cyber-breach. It is critical for a tenant to provide notice to a landlord of any potential cybersecurity breach as soon as possible. The ability to minimize the negative impact of any breach weakens the more time passes from the time of the breach.
  • Consent provision from tenants for collecting and use of information. You should include language in the lease expressly having the tenant authorize the landlord to collect, maintain, and use information collected.
  • Landlord’s approval of vendors used by tenant for fit-up, repairs, and modernization. You should include a provision in the lease requiring the tenant to obtain the landlord’s approval of any vendor that will be accessing any building systems or potentially coming into contact with any information maintained by the landlord. The landlord’s approval of the vendor should not be unreasonably withheld, but by requiring the landlord to approve the vendors accessing building systems, your client will be able to procure first-hand information about third parties entering into its property and manipulating the building systems and keep itself updated on any modifications and service to the building systems.

Security Policies and Procedures

Part of your duty as counsel to a landlord is to help your client develop a robust and comprehensive security practice, including protocols and policies that must be followed pertaining to cybersecurity. These policies provide a road map for your client’s organization to follow. It may also be required in order to obtain cyber insurance coverage. Like other enterprise-level policies (such as employment and facilities policies), these policies should be reviewed annually and provided to all employees of your client. The following policies should be drafted:

  • Remote access and teleworking policy. Due to the rise in remote working, a remote working policy is indispensable. Drafting a comprehensive written remote access policy enhances the likelihood that everyone will act uniformly and follow the same processes. The policy will need to address:
    • Eligibility for remote access
    • Procedures for obtaining permission to work remotely
    • What technology will be used in implementing the access
    • Protocols for transmitting confidential information
    • What discipline may be imposed for noncompliance
  • Cyber incident response plan. Your client will need to draft a systematic incident response plan that provides a detailed process to follow in the event of a cyber incident. This plan should:
    • Identify the response team
    • Define responsibilities for members of the team
    • Set forth exact procedures for responding to a cyber incident
    • Outline how to collect information to respond to an incident
    • Provide evidence preservation protocols
    • Establish proper channels of communication within the landlord’s company
  • Employee training policy. As discussed below in Education and Monitoring, your client should engage in periodic training of its employees to reinforce the need to secure data and to instill best practices among its personnel. All employees, without exception, should participate in the training and your client should maintain records of completion. Training should cover all aspects of data protection, including:
    • File maintenance
    • Email protection
    • Password management
    • Acceptable transmission of data internally and externally
    • Use of approval technologies such as multifactor authentication and verification of authority before releasing data
  • Computer privacy policy. Your client should draft and disseminate a policy advising that all computers are company property and there is no right to privacy for the information they contain. The policy should also advise that your client reserves the right to monitor and record all activity on their computer systems.

Insurance Concerns

You should discuss the need for your client to insure cyber-risks as part of its overall insurance program. As noted earlier, cyber insurance is unique and the risks it covers are distinct from the protections provided by a commercial general liability policy. Cyber insurance can improve your client’s cybersecurity program by requiring your client to engage in the application process, which forces it to evaluate its capabilities and weaknesses. It is also beneficial in the event of a cybersecurity breach since it provides a funding source for recovery of losses and assists your client resume normal operations.

Depending on the type of properties owned by your client, they will need distinct types of coverage as well as differing policy limits of coverage. Your role as counsel to a CRE landlord is to engage in the process and work with your client and an experienced cyber insurance broker to obtain coverage. The following types of coverage should be considered:

  • Network security coverage. This insures first-party costs arising from a cyber incident, including the cost of:
    • Breach notification
    • Data restoration
    • Legal expenses
    • Public relations
    • Ransomware
    • Identify theft restoration
    • IT forensics
  • Privacy coverage. This insures third-party costs associated with the release of sensitive information of third parties, like tenants and their customers. It includes violations of privacy-related laws.
  • Business interruption coverage. This insures for stoppages and interruptions of your client’s operations due to a cyber incident including losses arising from systems failures.
  • Errors and omissions coverage. This insures for allegations of negligence, omissions, or breaches of contract when a cyber incident prevents your client from delivering services to its tenants.
  • Social engineering coverage/theft and fraud coverage. This is insurance designed to protect your client from being victimized by email/phishing schemes, such as fraudulent wire transfer situations.
  • Reputational harm coverage. This coverage gives your client the ability to address potential harm to its brand/reputation arising from a cyber incident.
  • Data restoration coverage. This insures the costs of restoring your client’s data that was lost or damaged due to a cyber incident.

Responding to Data Breaches

Should your client ever be the victim of a cyber-breach, your role as counsel during that crisis is critical. Presumably, you will be the first person that your client calls for advice. Moreover, your assistance in the response may afford your client the protection of attorney-client privilege, as discussed above.

If your client has a cyber insurance policy, you need to ensure that your client immediately contacts its insurance carrier. Depending on the type of data breach (e.g., ransom attack/system lockout vs. unauthorized access), the insurance carrier may assume the breach response. If coverage is available and the insurance carrier assumes the response, then step aside to assure that the insurance carrier has no basis to deny coverage.

If your client does not have cyber insurance coverage or if for some reason the cyber insurance carrier does not otherwise respond to the breach, then it is your role to either manage the breach response or engage counsel with expertise in breach response. As with vulnerability assessments and penetration testing, having counsel manage the breach response may allow your client to argue that the breach response is subject to attorney-client privilege. You must engage a vendor experienced in cyber-breach responses immediately, being sure to preserve any and all evidence of the breach for analysis and remediation. You will also need to engage a computer forensic vendor to diagnose the breach and to contain the problem. This should be done without delay and through counsel’s engagement, again to invoke privilege to protect the results of any analysis undertaken.

Once the breach is contained, you should meet with your client to review the findings of the vendor that performed the breach response to ensure proper implementation of any remedial measures, and to follow recommendations putting into motion further steps to protect against litigation, such as:

  • Issuing any proper breach notices to affected persons under the appropriate state laws
  • Responding to any regulatory requirements
  • Notifying insurance carriers
  • Identifying witnesses and documents to be used at trial

Internal Threats and Securing Your Client’s Data

You must guide your client on combating cyber-threats and protecting data internally. If there is one department in every company that has in its possession of a literal treasure trove of sensitive information, it is the human resource department, which maintains employees’ names, addresses, dates of birth, Social Security numbers, bank account information (for direct depositing of paychecks), health and medical information (originating form health insurance applications, flex plan reimbursement materials), and financial information, especially if your client has a self-directed 401(k) plan and contributions are automatically deducted from payroll. A data breach implicating your client’s human resources department could be devastating.

In order to know how to protect employee data, your client must be counseled on understanding what data they have in their possession and where the weaknesses are in their data maintenance. This is similar to the evaluation of your client’s tenant data discussed above. You should advise your client that its human resource department directors should meet with their IT counterparts to ensure that they have an understanding of the various data privacy threats they face. You must advise your client that it should adopt the principle of least privilege, which means limiting access rights of employees to the minimum permission they need to perform their job duties. For example, if a staff member is responsible solely for processing, that individual should not be given access or rights to health insurance records.

Education and Monitoring

Counsel your client on the need to ensure that employee training is undertaken on a regular basis and includes topics such as: 

  • Securing mobile devices
  • Data safeguards for remote employees
  • Password protection
  • Recognizing common cyber-threats like social engineering, phishing, and ransomware

Make all training mandatory and ensure that proof of attendance becomes part of an employee’s personnel file. Doing so will insure employee education is current, while also creating a record of reasonable training to be used as business records evidence to support any defense to litigation a company may be subjected to in the aftermath of a cyber-breach. Maintaining such records may also be a condition of a cyber insurance policy maintained by a company.

Also consider advising your client to monitor employees’ computer usage to detect employees accessing documents that they are not supposed to or unusual downloading activity. Ensure that your client has a computer privacy policy in place that advises employees that they are subject to monitoring and have no expectation of privacy in their work devices. Doing so is a legal requirement but can also act as a deterrent for some employees who will limit their online usage for fear of employer access to their browser history. This in turn reduces the chances of employees accessing suspicious websites at work.

Counsel your client to commence data privacy training during the onboarding process by providing all data privacy policies and procedures during any orientation or training for new employees. It is important to encourage employees from their first day of employment to understand that timely notice of any possible data breach is crucial and that, while all data privacy events must be reported, innocent mistakes happen. While employees can be disciplined for breaches of data privacy protocols, advise your client that it is important to foster an environment where employees feel free to report problems and are not in fear of retribution for reporting.

Finally, you should counsel your client to be vigilant and keep watch for rogue employees—those individuals who are dissatisfied with work and may be prone to destroying materials or taking sensitive materials with them should they leave the company, or worse, those who may affirmatively try to hurt a company through the release of sensitive information. 


Eric B. Levine is President of Lindabury, McCormick, Estabrook & Cooper, P.C and a member of the firm’s Executive Committee. Eric concentrates his practice in commercial, probate, and general litigation. His trial and dispute resolution experience encompasses a wide variety of matters, including cybersecurity & data privacy, insurance defense and coverage, contract matters, commercial real estate, and construction litigation matters. Mr. Levine is co-chair of Lindabury’s Cybersecurity and Data Privacy practice and assists businesses in the creation of their internal cyber-breach response team. He advises corporations and their executives on mitigating the impact of cyber-breaches and counsels on the regulatory reporting and client/customer notification responsibilities after breaches occur. An accomplished litigator with trial experience in both state and federal courts, Eric works with corporations to defend cyber-related claims.


To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Real Estate > Commercial Purchase and Sales > Practice Notes

Related Content

For guidance on managing the work flow for purchasing and selling commercial real estate, including detailed practice notes, templates, and checklists, see

PURCHASING AND SELLING COMMERCIAL REAL ESTATE RESOURCE KIT

For a collection of retail leasing resources, including letters of intent, lease agreements, work letter agreements, lease guaranties, and ancillary retail lease agreements, see

RETAIL LEASING RESOURCE KIT

For a discussion of key industrial lease provisions and practical tips for drafting and negotiating an industrial lease from the landlord’s or the tenant’s perspective, see

INDUSTRIAL LEASE AGREEMENTS

For information on the office leasing process and where to find Practical Guidance practice notes, templates, checklists, and clauses related to office leasing, see

OFFICE LEASING RESOURCE KIT

For an overview of data privacy and cybersecurity issues that companies typically address regarding COVID-19, see

> CORONAVIRUS (COVID-19) RESOURCE KIT: DATA PRIVACY AND CYBERSECURITY

For assistance in drafting a commercial real estate leasing agreement to document terms regarding the proposed lease of space in an office building, see

OFFICE LEASE AGREEMENT

For an example of an agreement for the lease of retail space in a mixed-use building, shopping center, or stand-alone property, see

RETAIL LEASE AGREEMENT (LONG FORM)

For a sample commercial and industrial lease agreement, with detailed practical guidance and drafting notes, see

COMMERCIAL AND INDUSTRIAL LEASE

For an explanation of the types of risks to an enterprise that may be covered by cybersecurity insurance, see

CYBERSECURITY INSURANCE

For more information on the common varieties of business insurance, see

BUSINESS INSURANCE BASICS

1. N.Y. City Admin. Code § 26-3001 et seq. 2. 740 ILCS 14/1 et seq. 3. Cal. Civ. Code § 1798.100 et seq.