Review this exciting guide to some of the recent content additions to Practical Guidance, designed to help you find the tools and insights you need to work more efficiently and effectively. Practical Guidance...
By: Jeffrey D. Mamorsky , COHEN & BUCKMANN, P.C. THIS VIDEO SERIES CELEBRATES THE ENACTMENT of the Employee Retirement Income Security Act (ERISA), signed by President Gerald Ford on September 2...
By: Kirk A. Sigmon , BANNER WITCOFF THIS CHECKLIST OUTLINES KEY CONSIDERATIONS THAT ATTORNEYS should review when advising whether and how to copyright artificial intelligence (AI) and machine learning...
By: Erin Hanson , Arlene Arin Hahn , Sahra Nizipli , and Jordan Hill , WHITE & CASE LLP THIS ARTICLE SUMMARIZES VARIOUS INTELLECTUAL PROPERTY AND TECHNOLOGY (IP/IT) PROVISIONS, including sample definitions...
By: Damon W. Silver , Gregory C. Brown, Jr. , and Cindy Huang , JACKSON LEWIS P.C. Overview of Artificial Intelligence (AI) in Employment Decisions AI tools are fundamentally changing how people work...
Copyright © 2024 LexisNexis and/or its Licensors.
By: Eric B. Levine, LINDABURY, MCCORMICK, ESTABROOK & COOPER, P.C.
This article discusses several key considerations for evaluating cybersecurity and data privacy practices when counseling owners of commercial real estate (CRE).
THE ARTICLE ALSO DETAILS WHAT STEPS SHOULD BE taken to mitigate the risk of unauthorized release or exposure of data in the possession of CRE owners. This article is written from the landlord’s perspective and applies to all manner of commercial properties, including industrial, office, retail, healthcare, hotel, and mixed-use properties.
Understand that each class of commercial property is unique and comes with a distinct set of concerns, warranting site-specific counseling of CRE owners. Note as well that you must carefully evaluate the information in this article in light of all state and local laws applicable to your client’s location. Finally, you should counsel your clients on their own internal cyber hygiene and security practices; it is just as important for commercial landlords to protect their own confidential data as it is for them to protect their tenants’ data.
As an initial step to counseling clients about the risks associated with cybersecurity/data privacy and CRE, it is important that you understand the level of sophistication of your clients, what type of properties your clients are leasing, and who their tenants are. This may appear to be elementary as most attorneys conduct client interviews when first engaged by any clients. But with CRE and cybersecurity, the conversation must go to a deeper level. Without this level of detail, it is possible that site-specific cybersecurity advice could be missed. This requires in-depth conversations with your clients to develop a thorough understanding of:
Type of Property and Tenant
Consider how different uses of CRE can impact legal issues when preparing your advice for a landlord client. For example, if your client leases an industrial warehouse that is climate-controlled—such as a warehouse storing perishable goods, pharmaceutical inventories, or cloud servers—and the climate controls are internet-accessible, the integrity of the HVAC system may be the single largest concern of the tenant and a particularly vulnerable access point for data intrusions. An outside threat actor accessing temperature controls of the warehouse and altering the pre-set climate conditions by just a few degrees could significantly damage the materials that are being warehoused or otherwise impair tenant operations.
Next, consider if your client owns a multi-tenant retail property, such as a mall, where the tenants may rely on an open (unsecured) Wi-Fi system that provides amenities and services to tenants and customers. Open Wi-Fi systems are convenient for customers but present a set of vulnerabilities that must be minimized. Imagine the business impact that could befall the tenants of this type of property should that open Wi-Fi system be used to infiltrate other building systems and cripple them.
Or, what if your client owns a smart building that integrates state-of-the-art building-management technologies to provide related benefits and building efficiencies to tenants, such as biometric recognition, inventory tracking technologies, and security and building systems (like elevators or lighting) that are monitored by a vendor at a centralized, off-site location? The breach of any of these systems could effectively shut down the building and impact the tenants’ businesses. The resulting disputes that may arise between your client and its tenants are both foreseeable and preventable.
You need to recognize at the outset of client retention what your client’s unique needs are related to the specific property, as there is no one-size-fits-all advice you can give to your client to achieve maximal protection from potential cybersecurity-related liability. For instance, the concerns of a hospitality-based piece of CRE like a hotel are far different than the concerns of an industrial property, so the lease provisions must be particularized to maximize the landlord’s ability to maintain control.
You also need to learn about each property’s operational technologies, meaning the software and hardware that monitor and control the property. Ask your client to describe what systems are used to control and monitor the properties. If more than one system has been installed, are they integrated, or do they function separate from one another? Are they internet-accessible?
Each type of property is associated with particular benefits and vulnerabilities requiring varying levels of landlord responsibility and protective measures. Today’s tenants expect more amenities, modern systems, and seamless landlord-tenant interfaces as part of their leasing relationship. Furthermore, many commercial properties are supported by outside vendors such as HVAC service, plumbing, maintenance, and cleaning crews. As discussed in Evaluating Vendor Contracts and Security Measures below, tailoring your client’s vendor agreements to address data privacy is an integral step in protecting your client from potential liability.
Single vs. Multi-tenant Properties
It is important to understand the physical layout and tenant composition of the property. Cybersecurity and data concerns may be much less complex in a stand-alone, single-tenant property compared to a multi-tenanted office complex, apartment building, or retail property like a mall. For example, if your client is leasing a retail property, you need to determine who will be responsible for establishing infrastructure supporting a point-of-sale system. If a tenant’s point-of-sale system connects to an external network, it will be more susceptible to attack. You need to address in the lease who is responsible for the maintaining the security and integrity of the connection to any external network.
Moreover, in a multi-tenanted property, landlords have to consider the implications of common areas such as lobbies, cafeterias, hallways, loading areas, garages, and restrooms. It is not uncommon for a multi-tenanted property to have sophisticated levels of security covering common areas and electronic security for off-hour access. A multi-tenanted property will also likely have a high number of vendors frequenting the property, engaged by either the landlord or the tenants. As the risk of cyber-intrusions increases, so does the complexity of the leases between your client and its tenants; the leases must address allocation of security responsibility for third parties, indemnification/hold harmless provisions, insurance concerns, and mandated security efforts to be undertaken by tenants and their vendors. See Leasing—Allocating Responsibility to the Tenant through Lease Provisions below for more information.
Client’s Experience and Level of Sophistication
You will need to consider the level of sophistication of your clients in order to determine how well-suited they are to addressing the risks of owning CRE in the digital age. It is not uncommon for CRE owners to be multigenerational owners who own properties for long periods of time. If this is the case, your client’s properties and building systems may be outdated and in need of restoration, upgrading, and modernization to attract creditworthy tenants. But note that modernization is often accompanied by increased risks associated with building systems such as access management controllers, computerized air controllers and HVAC systems, cameras/security systems, and automated alarm/fire suppression systems. These types of systems require computer networks to operate, and many will also be connected to the internet to allow off-site monitoring, control, and troubleshooting. These connections are a popular attack vector for external threats. Your client must address potential risks by allocating liability in its leases and maintaining proper insurance.
During your first consultation with your client, explore the following questions to better understand what sort of landlord you are counseling:
The questions are illustrative only and are not meant to be all inclusive. Only once you have a complete understanding of who your client is and their experience with their properties and tenants can you provide tailored advice. By asking these questions, you will also get the opportunity to educate your client, especially if your client is a first-time landlord or has limited experience in CRE.
It is important to advise your clients of the data privacy-related risks associated with owning CRE. Historically, CRE has not been as focused on data privacy as other industries such as healthcare and manufacturing; CRE owners tended not to possess the same types of information and data as other industries that were more frequently targeted by outside threat actors. However, the risks of being targeted by cybercriminals is every bit as real for CRE owners and is growing with the advent of more CRE-friendly technology.
Do not assume that your client understands the nature of risks that a data breach can cause. And do not assume that because your client owns a small number of properties or does not lease to national, big box clients that they will not be targeted by outside threat actors. You must explain to your clients that the following are some of the risks that they must address for each of their properties:
Once you have educated yourself about your clients and discussed the list of potential risks with them, have your clients gather property-specific information in an effort to catalog any and all data that comes into their possession to determine what requires protection. This includes digital information as well as physical records, and records in your client’s possession or in the possession of third-party vendors.
Technology Audit
The first step for any commercial landlord is performing a technology audit to assist in understanding the threats their particular real estate and tenants present. An integral part of any competent cyber hygiene program is advising clients to perform a technology audit and to map their data. A technology audit is an evaluation of a business’s information technology (IT) infrastructure and how the client currently uses that infrastructure, including a review of the client’s operations and policies/procedures. A proper audit will show whether those operations and policies make the best use of the assets used by the organization and that the data that organization interacts with is stored in a secure manner. While the audit process is not a purely legal process that counsel performs for clients, it is beneficial for counsel to participate in the process and evaluate the results.
For instance, if your client performs an audit and the results show that no data-security policies exist or that any existing policies are outdated, your help may be needed in drafting or updating those policies. You can also assist your client by outlining the basic framework for this type of audit and advising your client to seek the assistance of an IT security professional in performing an audit.
In doing so and documenting your client’s efforts, in addition to firming up the client’s security infrastructure, you are creating a record of your client having taken reasonable measures to protect tenant information. The records of the audit provide a road map to a client for improving its data security, while providing a record of reasonable efforts that can be offered in defense of any claim asserted against a landlord for failing to take adequate measures to secure tenant information. Furthermore, your client may need to show that these efforts were taken in order to obtain cybersecurity insurance policies. Issuers of cyber insurance policies routinely demand that a potential insured complete questionnaires about data protection efforts undertaken by the potential insured.
With increased connectivity to cloud-based building systems, the Internet of Things, and remote-working employees, there are multiple points of access that can be exploited by hackers. It is now increasingly common that HVAC, electrical, lighting, security, safety, and building management systems can be accessed remotely in the ordinary course of building operations. It is crucial to understand how such systems are integrated into properties, what data they contain, and who can access them.
Locating and closing gaps in a client’s IT systems require:
You should advise your client to perform both physical and virtual inspections, including site walks and audits of contractors that completed work.
Ask your client what kind of tenant information is being stored and what is the purpose for having such information. For instance, if a tenant makes rental payments to a landlord electronically, it makes sense to have banking information of the tenant to effectuate payment. Also, consider advising your landlord client to get the express written consent of the tenant to obtain and store this information as part of the lease agreement. That way, your client has a record of having been authorized to store and use this data, which can bolster the defense of any claim raised by a tenant. Obtaining written authorization to store payment information is often overlooked in a lease, which normally contains rental terms such as the amount of rent, when rent is due, and late charge amounts.
Location-Specific Data Concerns
Historically, local authorities and municipalities did not exercise control over the type of tenant data that a landlord may retain, but that practice is changing. It is important for you to evaluate all federal, state, and local laws related to data privacy in the jurisdiction of the property in order to fully understand your client’s legal obligations and potential exposure.
A prime example of a local/municipal concern can be found in the New York Tenant Data Privacy Act (TDPA), established on May 8, 2021.1 The first law of its kind in the United States, the TDPA addresses privacy issues related to the use of smart access systems in multifamily dwellings. Among other things, the TDPA requires that all owners of Class A multiple dwellings (a dwelling for three or more families living independently of one another used for permanent residential purposes) that use smart access systems (e.g., key cards, phone access, fingerprint) take the following steps:
The TDPA provides for a private cause of action by a lawful occupant of a dwelling unit and allows of the collection of compensatory and punitive damages as well as counsel fees. Other states considering similar laws include Hawaii, Illinois, Maryland, Massachusetts, and Nevada.
Illinois already has the nation’s most progressive laws on biometric data, the Illinois Biometric Information Privacy Act,2 which establishes rules for collection of biometric data like fingerprints, facial features, and other physiological characteristics. California is also at the forefront of privacy issues, and your client will be subject to the California Consumer Privacy Act (CCPA),3 if it collects consumer personal data, does business with any resident of California, and meets one or more of the following thresholds:
These laws provide examples of why determining the laws that apply to your client’s operations is indispensable to your preparation of the lease of the property. If you do not understand what laws apply to the property, it is likely that the lease you prepare will lack many necessary protections for your client.
International Concerns
Another concern is whether your client is leasing property to individual international tenants, especially residents of the European Union (EU), or collecting data from such tenants. A landlord client may be subject to the General Data Protection Regulation (GDPR) without realizing it; even if your client is not leasing property to EU citizens or residents, it may still be collecting data from them simply by advertising properties online. If this is the case, a whole other set of requirements may apply to your client.
The GDPR protects citizens of EU countries, as well as noncitizens who reside in EU countries, and does not depend on the location of the entity holding those people’s data. The GDPR is concerned with the following areas of data privacy, among many others:
Detailed analyses of individual jurisdictional laws such as the CCPA and the GDPR are beyond the scope of this article, but keep in mind that when you advise a CRE client, you must evaluate federal, state, and local laws, and possibly international law, related to property usage on an ongoing basis.
Recall that the 2013 Target data breach was caused by a vendor of Target that accessed Target’s systems to handle electronic billing, contract submission, and project management. Unbeknownst to the vendor and Target, the vendor had been the victim of a sophisticated cyberattack that infected the vendor’s systems with malware. The resulting data breach cost Target millions of dollars and significantly damaged its reputation and brand.
You should draft a vendor-management policy for your client that can also become a tenant obligation under a lease. The goal of this policy is to ensure that your client performs proper due diligence when hiring vendors that will have access to the landlord’s computer network and integrated building systems, as well as mandating compliance with any applicable data privacy and security laws. The policy should also:
It is important for your client to interface with vendors to determine how vendors are using the landlord’s data and what steps are being taken to protect it.
It is imperative that you review each agreement with a vendor or other third party providing services to the property. This is especially true for any vendor that accesses any building systems digitally. You should focus on the following areas:
One of the most important things you can counsel your client on is to regularly conduct investigations to understand the current state of its cybersecurity defense weaknesses and vulnerabilities. This practice includes periodically performing vulnerability assessments (hiring an IT security professional to identify, quantify, and prioritize the vulnerabilities in a system) and penetration testing (performing an authorized simulated cyberattack on a computer system using a third party commonly known as an ethical hacker to evaluate the security of the system). These technical exercises should become part of your client’s standard business operations as they are crucial for maintaining good cyber hygiene.
Attorney-Client Privilege and Work Product Doctrine
Your client’s investigations will likely produce an extensive list of potential problem areas that, in a perfect world, would all be promptly and exhaustively remedied. In reality, this remedial approach is often not feasible as most companies have budgetary and other practical limitations that may require them to prioritize which vulnerabilities to address first, and the degree of remediation they can reasonably undertake.
This means that it is possible that a breach could affect your client’s tenant before all of the identified vulnerabilities are remedied. Imagine if your client is sued for such a breach and you had to disclose the results of a vulnerability assessment when the recommended solutions have not been completed. If your client experiences a cyber-breach incident, this written report is likely to become a prominent exhibit of any plaintiff action against the company over that breach. After all, the investigative results will show that your client knew about certain vulnerabilities and chose not to remedy several of them at that time.
If done properly, your involvement in the process can allow your client to rely on attorney-client privilege and/or the work product doctrine to maintain the confidentiality of the investigative results. The overriding principle of using privilege is straightforward: to protect your company’s breach response efforts from usage by third parties or regulatory agencies in litigation arising from a breach. Attorney-client privilege protects confidential communications between attorneys and clients over the course of a professional relationship from discovery by adverse third parties. The work product doctrine protects from disclosure those documents and other tangible things that a party or a party’s representative prepares in anticipation of litigation. You must understand the difference between the privileges and also recognize that privilege applies differently if you are in-house counsel to a CRE client or if you are outside counsel engaged by a CRE client.
You should research the requirements of the jurisdiction in which you are practicing to ensure that you satisfy all of the elements required to invoke attorney-client privilege. Recognize that the work product doctrine may not apply unless you are taking steps in anticipation of specific litigation. At a minimum, when engaging a vendor to perform a vulnerability assessment, you should:
Make clear that the purpose of engaging this vendor is to:
In-House Counsel Concerns
Companies with their own in-house counsel may sometimes want to avoid the additional expense of hiring outside counsel to arrange the cybersecurity vulnerability investigation. By having in-house counsel undertake the arrangements, however, a company may risk losing attorney-client privilege.
In-house counsel tend to have dual roles at their companies, meaning that they frequently provide both general business advice and legal advice. It may therefore be more difficult for a client to prove that in-house counsel was truly retaining the cybersecurity vendor for the purpose of providing legal advice, rather than simply as part of the in-counsel’s general business role at the company or as an officer of the company.
Outside counsel, on the other hand, tend to be brought in specifically for the purpose of providing legal advice on a focused issue, and therefore the potential dual role issues that in-house counsel may face can be avoided.
For their own protection, in-house counsel should instruct outside counsel to make all arrangements necessary to engage the IT security vendor who will perform cybersecurity vulnerability assessments. If these vulnerability assessments are undertaken at the direction of an attorney for the purpose of providing legal advice to the attorney’s client, then arguably the report detailing the client’s cybersecurity weaknesses will be protected from disclosure under attorney-client privilege. This can allow the client to be comfortable in doing the right thing by having its cybersecurity program evaluated and improved, while potentially avoiding having a list of vulnerabilities turned over in a future plaintiff litigation.
In-house counsel should work closely with management at their company to evaluate when it is appropriate to bring in outside counsel in connection with a cybersecurity vulnerability investigation and potentially obtain the benefits of attorney-client privilege for the results of that investigation.
You will need to work with your landlord client to allocate responsibility for technology system integrity to their tenants through lease provisions. These provisions must clearly define each party’s role and responsibilities in the security process. These responsibilities will be ongoing throughout the lease term and should be thoroughly and clearly delineated.
Topics that must be addressed during lease negotiations include the following:
Part of your duty as counsel to a landlord is to help your client develop a robust and comprehensive security practice, including protocols and policies that must be followed pertaining to cybersecurity. These policies provide a road map for your client’s organization to follow. It may also be required in order to obtain cyber insurance coverage. Like other enterprise-level policies (such as employment and facilities policies), these policies should be reviewed annually and provided to all employees of your client. The following policies should be drafted:
You should discuss the need for your client to insure cyber-risks as part of its overall insurance program. As noted earlier, cyber insurance is unique and the risks it covers are distinct from the protections provided by a commercial general liability policy. Cyber insurance can improve your client’s cybersecurity program by requiring your client to engage in the application process, which forces it to evaluate its capabilities and weaknesses. It is also beneficial in the event of a cybersecurity breach since it provides a funding source for recovery of losses and assists your client resume normal operations.
Depending on the type of properties owned by your client, they will need distinct types of coverage as well as differing policy limits of coverage. Your role as counsel to a CRE landlord is to engage in the process and work with your client and an experienced cyber insurance broker to obtain coverage. The following types of coverage should be considered:
Should your client ever be the victim of a cyber-breach, your role as counsel during that crisis is critical. Presumably, you will be the first person that your client calls for advice. Moreover, your assistance in the response may afford your client the protection of attorney-client privilege, as discussed above.
If your client has a cyber insurance policy, you need to ensure that your client immediately contacts its insurance carrier. Depending on the type of data breach (e.g., ransom attack/system lockout vs. unauthorized access), the insurance carrier may assume the breach response. If coverage is available and the insurance carrier assumes the response, then step aside to assure that the insurance carrier has no basis to deny coverage.
If your client does not have cyber insurance coverage or if for some reason the cyber insurance carrier does not otherwise respond to the breach, then it is your role to either manage the breach response or engage counsel with expertise in breach response. As with vulnerability assessments and penetration testing, having counsel manage the breach response may allow your client to argue that the breach response is subject to attorney-client privilege. You must engage a vendor experienced in cyber-breach responses immediately, being sure to preserve any and all evidence of the breach for analysis and remediation. You will also need to engage a computer forensic vendor to diagnose the breach and to contain the problem. This should be done without delay and through counsel’s engagement, again to invoke privilege to protect the results of any analysis undertaken.
Once the breach is contained, you should meet with your client to review the findings of the vendor that performed the breach response to ensure proper implementation of any remedial measures, and to follow recommendations putting into motion further steps to protect against litigation, such as:
You must guide your client on combating cyber-threats and protecting data internally. If there is one department in every company that has in its possession of a literal treasure trove of sensitive information, it is the human resource department, which maintains employees’ names, addresses, dates of birth, Social Security numbers, bank account information (for direct depositing of paychecks), health and medical information (originating form health insurance applications, flex plan reimbursement materials), and financial information, especially if your client has a self-directed 401(k) plan and contributions are automatically deducted from payroll. A data breach implicating your client’s human resources department could be devastating.
In order to know how to protect employee data, your client must be counseled on understanding what data they have in their possession and where the weaknesses are in their data maintenance. This is similar to the evaluation of your client’s tenant data discussed above. You should advise your client that its human resource department directors should meet with their IT counterparts to ensure that they have an understanding of the various data privacy threats they face. You must advise your client that it should adopt the principle of least privilege, which means limiting access rights of employees to the minimum permission they need to perform their job duties. For example, if a staff member is responsible solely for processing, that individual should not be given access or rights to health insurance records.
Counsel your client on the need to ensure that employee training is undertaken on a regular basis and includes topics such as:
Make all training mandatory and ensure that proof of attendance becomes part of an employee’s personnel file. Doing so will insure employee education is current, while also creating a record of reasonable training to be used as business records evidence to support any defense to litigation a company may be subjected to in the aftermath of a cyber-breach. Maintaining such records may also be a condition of a cyber insurance policy maintained by a company.
Also consider advising your client to monitor employees’ computer usage to detect employees accessing documents that they are not supposed to or unusual downloading activity. Ensure that your client has a computer privacy policy in place that advises employees that they are subject to monitoring and have no expectation of privacy in their work devices. Doing so is a legal requirement but can also act as a deterrent for some employees who will limit their online usage for fear of employer access to their browser history. This in turn reduces the chances of employees accessing suspicious websites at work.
Counsel your client to commence data privacy training during the onboarding process by providing all data privacy policies and procedures during any orientation or training for new employees. It is important to encourage employees from their first day of employment to understand that timely notice of any possible data breach is crucial and that, while all data privacy events must be reported, innocent mistakes happen. While employees can be disciplined for breaches of data privacy protocols, advise your client that it is important to foster an environment where employees feel free to report problems and are not in fear of retribution for reporting.
Finally, you should counsel your client to be vigilant and keep watch for rogue employees—those individuals who are dissatisfied with work and may be prone to destroying materials or taking sensitive materials with them should they leave the company, or worse, those who may affirmatively try to hurt a company through the release of sensitive information.
Eric B. Levine is President of Lindabury, McCormick, Estabrook & Cooper, P.C and a member of the firm’s Executive Committee. Eric concentrates his practice in commercial, probate, and general litigation. His trial and dispute resolution experience encompasses a wide variety of matters, including cybersecurity & data privacy, insurance defense and coverage, contract matters, commercial real estate, and construction litigation matters. Mr. Levine is co-chair of Lindabury’s Cybersecurity and Data Privacy practice and assists businesses in the creation of their internal cyber-breach response team. He advises corporations and their executives on mitigating the impact of cyber-breaches and counsels on the regulatory reporting and client/customer notification responsibilities after breaches occur. An accomplished litigator with trial experience in both state and federal courts, Eric works with corporations to defend cyber-related claims.
To find this article in Practical Guidance, follow this research path:
RESEARCH PATH: Real Estate > Commercial Purchase and Sales > Practice Notes
For guidance on managing the work flow for purchasing and selling commercial real estate, including detailed practice notes, templates, and checklists, see
> PURCHASING AND SELLING COMMERCIAL REAL ESTATE RESOURCE KIT
For a collection of retail leasing resources, including letters of intent, lease agreements, work letter agreements, lease guaranties, and ancillary retail lease agreements, see
> RETAIL LEASING RESOURCE KIT
For a discussion of key industrial lease provisions and practical tips for drafting and negotiating an industrial lease from the landlord’s or the tenant’s perspective, see
> INDUSTRIAL LEASE AGREEMENTS
For information on the office leasing process and where to find Practical Guidance practice notes, templates, checklists, and clauses related to office leasing, see
> OFFICE LEASING RESOURCE KIT
For an overview of data privacy and cybersecurity issues that companies typically address regarding COVID-19, see
> CORONAVIRUS (COVID-19) RESOURCE KIT: DATA PRIVACY AND CYBERSECURITY
For assistance in drafting a commercial real estate leasing agreement to document terms regarding the proposed lease of space in an office building, see
> OFFICE LEASE AGREEMENT
For an example of an agreement for the lease of retail space in a mixed-use building, shopping center, or stand-alone property, see
> RETAIL LEASE AGREEMENT (LONG FORM)
For a sample commercial and industrial lease agreement, with detailed practical guidance and drafting notes, see
> COMMERCIAL AND INDUSTRIAL LEASE
For an explanation of the types of risks to an enterprise that may be covered by cybersecurity insurance, see
> CYBERSECURITY INSURANCE
For more information on the common varieties of business insurance, see
> BUSINESS INSURANCE BASICS
1. N.Y. City Admin. Code § 26-3001 et seq. 2. 740 ILCS 14/1 et seq. 3. Cal. Civ. Code § 1798.100 et seq.