
In the context of a data breach

In document Navigating the Digital Age (Page 130-132)

Data breaches expose businesses to many additional disputes. At times, these disputes can be more problematic than the intrusion itself. Contractual counterparties, customers, and other impacted businesses may all seek some compensation in the wake of a data breach. Insurance companies may seek to avoid payment under policies that arguably apply, leading to additional litigation.

1. Contractual counterparties. Most contracts have provisions that are either directly or indirectly implicated by a data breach. Some of these provisions are triggered by a breach, such as obligations to notify consumers whose information is exposed. A counterparty may allege that other provisions are broken by an intrusion, such as a requirement to have adequate or reasonable security. Businesses often struggle with whether a particular provision requires notification, either because the provision itself is not clear or because the business believes that the intrusion does not rise to the level contemplated in the contract.

such cost, combined with an increasing chance of an incident triggering these clauses, is an area likely to be subject to dispute both during contract negotiation and in the wake of a breach.

Many contracts already contain liability allocation provisions, but those provisions do not explicitly address cybersecurity matters. In the wake of a cybersecurity incident, interpreting the liability allocation provisions will be a matter of some dispute.

c) Data security and notification. Laws, regulations, and political and consumer pressure have increased businesses’ focus on the security of consumer data. At the same time, consumer data have become a more valuable commodity. For instance, AT&T and Apple both contested Radio Shack’s ability to sell consumer data during Radio Shack’s bankruptcy.

Recognizing these trends, businesses are placing more provisions in contracts that dictate security requirements. Because the underlying consumer data are valuable, these provisions may be subject to significant disputes during negotiations. Other businesses are attempting to read existing provisions as covering security requirements and privacy responsibility.

Many businesses that entrust sensitive data to counterparties are including breach notification provisions in contracts. These provisions vary greatly, even within a single industry, and create various thresholds for notification. For instance, some provisions require notification in the event of a breach. Others require notification if there is an indication of a breach. Many victims of a security breach seek to keep the existence of a breach out of the

press, but business customers have also pressed for indemnification in the wake of an intrusion.

Disputes with business partners over data breaches can disrupt normal operations, above and beyond the disruption caused by the data breach itself. The need to resume normal operations can pressure the victim to quickly agree to a settlement.

Customers will often file class actions in the wake of a data breach. Plaintiffs’ lawyers are growing more sophisticated in how and where they file these actions. Both individual consumers and financial institutions have filed class actions, and, in some cases, these class actions are consolidated into complicated multidistrict litigation with multiple tracks for the differing plaintiffs. This creates expensive and cumbersome litigation.

3. Other impacted businesses. Contractual counterparties are not the only businesses that may sue in the wake of a data breach. Banks that issued cards implicated in Target’s data breach are suing Target, even if they lack any traditional relationship to Target. Our more interconnected society has spread the effects of cybersecurity problems, and affected parties are developing more creative methods to file suit against the original victim of the intrusion.

4. Insurance. More and more insurance companies are offering cyber policies, and more businesses are attempting to make claims for intrusions under general policies. Insurance companies are, in turn, attempting to limit the scope of coverage. Some insurance companies are denying claims, while others are carefully reviewing invoices for services related to data breaches. The cost to respond to a breach can be expensive, and insurers will continue to dispute claims and charges. In some cases, this will lead to additional litigation after the data breach response is complete.

Counterparties may disagree with this interpretation, leading to disputes if the intrusion does come to light.

Notification provisions often have an abbreviated time frame for notification. Attempting to identify and comply with notification provisions of impacted counterparties can create additional stress beyond the already significant stress related to a data breach. Reviewing and attempting to interpret these provisions after an intrusion also creates risk of contractual breach, as a business may not discover the notification provision until after the required time frame has passed.

In the wake of a breach, a victim’s security will come under scrutiny, and a contractual counterparty may argue that the security was inadequate under the contract. For instance, in the DFARS provision discussed previously, “adequate security” is ripe for protracted litigation in the wake of a cybersecurity incident. It is difficult to define such terms adequately and still provide flexibility in the face of changing threats.

In some industries, such as those that deal with payment cards, many security requirements are codified and subject to audit. The victim of a data breach may be subject to a more intrusive audit to confirm its security.

Many contracts that involve confidential data have a provision for certifying that the confidential data have been destroyed. A counterparty may rightly inquire how such a certification was made in the wake of a cybersecurity incident.

2. Customers. Many intrusions lead to lawsuits by customers, whether they be individual consumers or large businesses. Recent card breaches have resulted in significant class-action litigation, and these cases have received much of the

RISKS OF DISPUTES AND REGULATORY INVESTIGATIONS RELATED TO CYBERSECURITY MATTERS
