It comes as no surprise that data breaches are increasing for American corporations. 2016 is on pace to exceed 2015 in both the number of breaches and the total records compromised. And, 2015 far surpassed 2014. There is no reason to believe that this trend won’t continue. And, as we sometimes discuss in other contexts, the bad guys just need to get lucky one time, but organizations need to protect themselves from all potential threats. Given the sophistication of cybercriminals and the proliferation of technology within an organization, many companies assume a cybersecurity issue is a question of not “if,” but “when.”
Even though external attacks are what garner headlines, the greatest threat to any organization is its own people – whether employees, subcontractors, agents or volunteers – as the majority of breaches still occur through human error. If an organization wants to be proactive in its security posture, the two easiest things it can do are to emphasize training and encrypt its sensitive data.
Ensuring adequate and continuous training for employees, vendors and contractors associated with an organization will reinforce a culture of security awareness. Additionally, any organization should review its policies and procedures and revise them when necessary so that they remain consistent with each other. Because technology is always changing and it is now easier than ever to adopt new technologies, policies and procedures can quickly and easily fall out of sync. Thus, a regular review of both will help identify any inconsistencies and allow organizations to correct them before any major issues arise. This review is not a one-person job, either. The organization should involve multiple stakeholders to fully understand the uses of sensitive data and the means by which it travels both inside and outside the organization.
Encryption, if it’s feasible, can greatly mitigate the negative effects of a potential data breach. Many state and federal laws and regulations will relieve an organization of a notice requirement should encrypted information be compromised. Additionally, a regular regime of encryption will potentially minimize the footprint of sensitive data, thus reducing the size of the target for cybercriminals.
Despite their best efforts, many organizations will experience a data breach. The data breach that is most difficult to protect against is a third-party data breach involving company data. When this type of breach occurs, it is often too late to negotiate with the third-party service provider over who will pay the costs of the breach. At that point, substantial damages may have been incurred, and both parties are likely to engage in blame-shifting to avoid responsibility for these potentially extensive costs. Those costs can include, among others, attorneys’ fees, notification costs to both individuals and the media, staffing a call center and providing a credit monitoring service. If the organization has the confidential information of other parties mixed in, additional confidentiality obligations may also need to be analyzed, potentially adding even more costs to the total damage from the breach. Moreover, most statutory and regulatory schemes do not set out ex ante who should be responsible for data breach costs. As such, parties are often left without any guidelines as to how liability should be apportioned between them.
Given all of this, there’s no doubt that the time for discussions regarding liability for a data breach is during the initial contract negotiations, where the parties can determine, often based on relative negotiating strength, who should be responsible for data breach costs.
What should companies keep in mind during these negotiations? Given the nature of a breach and its associated costs, organizations should be careful to avoid the waivers of consequential damages that are boilerplate in many agreements. A court would likely categorize the types of expenses listed above as consequential damages. As a result, without a carve-out, the third party could escape any liability for costs associated with a data breach. If uncapped liability is not achievable, organizations should explore the possibility of a “super cap,” often a multiplier of the fees paid. Alternatively, the parties may agree to a dollar limit in the event of a data breach. To determine whether the amount is adequate, simply multiply the number of records held by the third party by $158.00, the current global average cost incurred for each lost or stolen record containing sensitive or confidential information. If the organization maintains records that contain particularly sensitive information – typically health information, financial information or other personally identifiable information – the cost per record is higher.
With proper planning and foresight, as well as an ounce of prevention, organizations can decrease the probability of experiencing a data breach and mitigate their damages in the event of a breach.