A recent court dispute makes clear that there are many elements to cyber planning and protection for any company to consider. Although some do involve technical bells and whistles, many or most are merely business operation decisions involving non-technical matters. Just like other operational decisions, the success of these planning measures can have a direct impact on your bottom line.
The Spec’s Family Partners Ltd. v. The Hanover Insurance Co. case involves insurance coverage for a data breach. The insured retailer sought insurance coverage of losses incurred under its merchant account with a payment card processor. Because that account and those losses are governed by a merchant account agreement, the insurer denied coverage under the retailer’s cyber policy, citing the policy’s “contractual exclusions” clause. In other words: the insurer refused to pay for losses the retailer suffered because of the terms of its merchant account agreement. In the case, the appeals court ruled in favor of the retailer, saying that there are several non-contractual theories relating to the losses (costs), and that the trial court must consider those before ruling that the insurer may decline payment. The appeals court did NOT require that the contractual claims be considered, and so in effect it has implicitly endorsed the validity of the exclusion in the policy.
What does this mean for insureds, i.e., ordinary business operators?
First: vendor management is a critical part of cyber planning.
Where you can, try to negotiate for your vendors to take on part of the losses following a data breach; and if the breach is of their system, have your agreement specify that you are entitled to full coverage and remedies from the vendor. Where, as here, the vendor is likely a large market power and you have little basis to negotiate, at least understand what losses the contract apportions to you, so that you can tailor your insurance and other planning appropriately.
Second: cyber insurance.
The main rule of thumb is to have a policy. The corollary is to understand what it covers. They are not comprehensive, and not all policies cover all losses; in this way, they resemble the homeowner’s policy that may cover flooding but NOT sewage backup, depending on what you bought.
This “contractual claims” exclusion is common, and it generally means that the insurer will not cover any costs or losses you bear in a cyber-breach that are the result of a contractual provision with a third party. Thus, if you have a weak vendor contract and end up carrying the costs of a data breach because of that weak contract, you cannot count on your insurance to make you whole. In other words, you will have lost two chances to spread the risk and losses to third parties.
Although a contractual claims exclusion is common, it is by no means non-negotiable. There are carriers that do not use such exclusions, or that use them sparingly. Because so many breaches end up involving some form of third-party contractual dispute, it is worth shopping around on the front end to avoid finding that you are self-insuring all your contractual losses on the back end.
If you have received a deluge of emails regarding updated privacy policies from services you use, you are not alone. They relate to a new set of data privacy rules that went into effect across the European Union on May 25, known as the General Data Protection Regulation (GDPR). The new rules have sweeping implications for businesses around the world. In fact, Facebook and others have already been sued for non-compliance with the GDPR.
If you do business in the EU (including the UK, which has said it will honor the rules) in any way, it would be a good idea to check with counsel regarding whether your business must comply. Although the rules are designed to cover consumer privacy, the way they are written is very broad; B2B as well as B2C customers are affected.
Common facts that can subject you to the GDPR include having European sales or facilities, using cloud-based storage for your website or portal, performing services in the EU, serving customers located there, having employees there, having vendors there, and having European employees who work in the United States temporarily.
The fact that your company is US-based does not matter: the rules explicitly apply to any company handling the personal information of persons in the EU, regardless of the company’s location. In addition, if you serve customers who pass you EU data, they may ask you to certify your security practices or to sign a “Data Processing Agreement” that makes certain assurances about your practices.
In addition to their operational implications, the rules require notice of a breach of any EU personal data within 72 hours – a huge hurdle unless you have conducted some advance planning. Many companies are reviewing their privacy policies, work flows, employee policies, cyber preparedness planning, vendor agreements, and other matters in connection with the GDPR. Not all companies have to conduct a “scorched earth” approach to privacy, but nearly all companies would do well to consider their business and privacy practices and make adjustments where they can.
The rules as drafted leave a great deal of room for the regulators to maneuver; they are very ambiguous. The very clear part of the GDPR, however, is this: fines for non-compliance can be assessed up to the greater of €20 million or 4% of global revenue.
Taylor English’s Data Security & Privacy Team is assisting the firm’s clients with assessment of the client’s exposure to the rules, policy drafting and review, contractual terms relating to the new rules, and liaison with security and technical resources. Our team has extensive in-house compliance experience, internationally and domestically, as well as broad expertise in the legal aspects of information security planning and incident response.
The continuing fall-out from the Equifax breach reported last month makes great headline fodder, and is really good for Congressional representatives eager to show themselves hard at work protecting voters.
It’s National Cybersecurity Month. You’d hardly know this momentous occasion was coming: in September of 2017, we kept waking up to headlines about hacks at major outfits such as Equifax, Deloitte, and the SEC.
If you have any business dealings outside the U.S., you may have heard about shifting data privacy laws in the European Union.
The General Data Protection Regulation (GDPR), the new EU-wide privacy rule, comes into effect in May 2018. Anyone who does business with residents of the EU will have to be cognizant of the GDPR’s provisions and pitfalls.
The Equifax hack announced on September 7, 2017, is very scary, and a reminder to lock up the company jewels. Most companies, however, will never face a catastrophic event involving an outside, malicious attack on the very core of their business.
According to a new survey by insurer Nationwide, almost half of all businesses have been the victim of a cyberattack without knowing it.
Most of the headlines about cyber exposure and planning focus on the need to avoid exposure to consumer claims. This neglects the real purpose of cyber planning for most companies, however: protecting your revenue and securing your growth.
Many businesses don’t have a lot of “personally identifiable information” on file, and the penalties associated with losing control over that information are generally not large (outside healthcare, financial services, and similar industries). With those facts in front of you, it can be hard to justify spending scarce resources on a defensive plan.
However, your own business assets and your own growth/succession are at risk no matter what kinds of records you hold in your company. The time and money you spend on developing and practicing good cyber habits is priceless when you think about your IP, your trade secrets, your pricing, your “secret sauce” getting out via a hacker. Bad guys troll for valuable information all the time, and often sell batches of information via online black markets. This has nothing to do with the headline-grabbing consumer suits that garner all the attention.
How would you value your business in a sale if you knew you’d been the victim of a cyberattack and couldn’t demonstrate that your core assets remained secure? How would you talk to your investors or your board following an attack? What would you want to know about a target’s cyber habits before buying its business?
These are the questions that should be driving our discussion of cybersecurity planning. #cyberforgrowth – not cybersecurity as a means to fend off rare (and rarely successful) consumer claims.
A friend recently asked if the Georgia Angel Investor Tax Credit program would cover an angel investor’s investment in a start-up’s convertible promissory note. It was a good question because start-ups often raise funds through convertible notes. The short answer to his question was, “it depends.”
The Georgia Angel Investor Tax Credit program gives angel investors who are Georgia residents a tax credit for making qualified investments in Georgia start-ups. The program was amended in 2015 to cover qualified investments made in 2016, 2017 and 2018. (See Georgia Angel Investment Tax Credit (May 24, 2016))
The program allows the angel a tax credit of up to 35% for a qualified investment, capped at a credit of not more than $50,000 in any tax year, with the tax credit to be issued in the second year after the investment is made. (For example, a qualified investment made in 2015 would result in a tax credit for the 2017 tax year.) The state permits not more than $5 million in tax credits each year and start-ups need to apply for allocations of the tax credits if they have investors who want to take advantage of the program.
The Georgia Department of Revenue has issued rules to guide tax payers through the requirements of the program. (See Georgia Rule 560-7-8-.52)
To obtain a tax credit, a “qualified investor” must make a “qualified investment” in a “qualified business” (tracking the definitions from the Georgia Rule). Answering the question originally posed, therefore, requires the taxpayer to walk through each of these definitions. An investment in a convertible promissory note can be a “qualified investment” (assuming all of the other definitions are met) if the convertible promissory note satisfies the requirements of “qualified subordinated debt” (the only debt category within the definition of “qualified investment”). Qualified subordinated debt is “indebtedness that is not secured, that may or may not be convertible into common or preferred stock or other equity interest, and that is subordinated in payment to all other indebtedness of the qualified business issued or to be issued for money borrowed and no part of which has a maturity date less than five years after the date such indebtedness was purchased.”
It is this last requirement for “qualified subordinated debt” that most start-up convertible note deals may have difficulty satisfying. Most convertible notes issued by start-ups are not subordinated, but rather represent senior indebtedness that may not be subordinated. So, if a start-up wants to ensure that its convertible note offering will be eligible for the Georgia Angel Investment Tax Credit program, counsel for the start-up should carefully draft the subordination provisions of the note with a view towards the requirements of Georgia Rule 560-7-8-.52(2)(g).
This week, the House of Representatives will consider and vote on the Financial Choice Act (“FCA”), sponsored by Rep. Jeb Hensarling of Texas – chairman of the House Financial Services Committee. The FCA is a response to the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”), and not a nice one. It essentially guts that bill which was itself a response to the financial crisis that began in 2007. After his election, President Obama called for a "sweeping overhaul of the United States financial regulatory system, a transformation on a scale not seen since the reforms that followed the Great Depression" and Dodd-Frank was basically the result.