Emerging Markets Law

Showing 2 posts from July 2018.

Vendor Management and Cyber Planning: Why Equifax Shows “What Not to Do”

If you’ve ever wondered why all the hullabaloo about cyber planning, here is a great example:

Equifax has said that it “owed no duty to safeguard the personal information of millions of consumers and financial institutions” affected by its massive 2017 data breach, and has asked to have the resulting lawsuits dismissed. (Daily Report, 24 July 2018.)

The claims of the affected financial institutions are, in essence, vendor management claims. Their success in court, and the likelihood that those banks can look to Equifax to make whole their losses, may depend in part on how good their contracts were with Equifax. The losses the banks suffered likely include costs of customer relations (phone, email, and other support), continued anti-fraud efforts in the aftermath of the breach, issuance of new cards or accounts or credentials to replace compromised accounts, and other direct costs.

To gain an idea of the scope of the potential loss to the banks, keep in mind that Target settled most of the claims relating to its 2013 data breach for about $100 million in total. Of that money, about $10 million went to consumers; $60 to $70 million went to the card networks, Visa and MasterCard, and through them to the banks that had issued the compromised cards.

The commercial losses after a massive data breach usually dwarf the losses to consumers personally. Target was breached when attackers used network credentials stolen from its HVAC vendor to get into Target's systems and, from there, reach the point-of-sale terminals in its stores. Equifax was breached when it failed to apply a publicly available patch for a known vulnerability in the Apache Struts web framework behind one of its consumer-facing web applications, a patch that had been out for roughly two months before the intrusion began. In both cases a mundane operational lapse, not exotic technology, opened the door.

How good are your contracts with your vendors? Would they make you whole if you were fighting over whose responsibility it was to restore your business operations, buy new computer equipment, replace or rebuild your business data, handle your customer and client relations, pay the PR firm and the lawyers, and more? Planning is easy and relatively inexpensive, and it flags many “little” details such as standard contractual language: who must notify whom of a breach, and how quickly; what minimum security measures the vendor commits to; whether the vendor indemnifies you for breach costs; and whether a limitation-of-liability clause caps that indemnity at a fraction of your likely loss. Taken together, these efforts can prevent much greater losses later. #CyberForGrowth

Cyber Insurance: A Common Exclusion Tested in Court

A recent court dispute makes clear that there are many elements to cyber planning and protection for any company to consider. Although some do involve technical bells and whistles, many or most are merely business operation decisions involving non-technical matters. Just like other operational decisions, the success of these planning measures can have a direct impact on your bottom line.

The Spec’s Family Partners Ltd. v. The Hanover Insurance Co. case involves insurance coverage for a data breach. The insured retailer sought coverage for losses incurred under its merchant account with a payment card processor. Because that account and those losses are governed by a merchant account agreement, the insurer denied coverage under the retailer’s cyber policy, citing the policy’s “contractual exclusions” clause. In other words, the insurer refused to pay for losses the retailer suffered because of the terms of its merchant account agreement. The appeals court ruled in favor of the retailer, holding that the losses could rest on several non-contractual theories and that the trial court must consider those before ruling that the insurer may decline payment. The appeals court did NOT require that the contractual claims be considered, and so in effect it implicitly endorsed the validity of the exclusion in the policy.

What does this mean for insureds, i.e., ordinary business operators?

First: vendor management is a critical part of cyber planning. 

Where you can, negotiate for your vendors to take on part of the losses following a data breach, and if the breach is in their system, have your agreement specify that you are entitled to full coverage and remedies from the vendor. Where, as here, the vendor has far greater market power and you have little leverage to negotiate, at least understand what losses the contract apportions to you, including any caps on the vendor’s liability and any fines or assessments the vendor may pass through to you, so that you can tailor your insurance and other planning accordingly.

Second: cyber insurance. 

The main rule of thumb is to have a policy. The corollary is to understand what it covers. Cyber policies are not comprehensive, and no policy covers every loss; in this way they resemble a homeowner’s policy that may cover flooding but NOT sewage backup, depending on what you bought.

This “contractual claims” exclusion is common. It generally means that the insurer will not cover costs or losses you bear in a cyber breach that result from a contractual provision with a third party. So if you have a weak vendor contract and end up carrying the costs of a data breach because of it, you cannot count on your insurance to make you whole: you will have lost both of your chances to shift the risk and the losses to third parties.

Although a contractual claims exclusion is common, it is by no means non-negotiable. Some carriers do not use such exclusions, or use them sparingly. Because so many breaches end up involving some form of third-party contractual dispute, it is worth shopping around on the front end to avoid discovering on the back end that you are self-insuring all your contractual losses.
