Legal Aspects of Cyber Risk: Mitigation and Allocation
Last Friday’s global cyber and ransomware attack highlights how pervasive cyber risk has become and how vulnerable organizations remain to it. Hospitals, train systems and large businesses had their data held hostage as the hackers demanded ransoms to be paid in bitcoin.
Recently, the purchase price for the sale of Yahoo to Verizon was reduced by $350 million due to Yahoo’s repeated cyber security breaches. Prudent businesses should be asking themselves whether they are doing enough to avoid and mitigate their risks. Here are a few considerations.
We will leave it to the cyber security experts to advise about which technologies are most secure and provide the most protection against threats. Suffice it to say that it is critical that cyber security systems, firewalls and software are kept updated to address the latest threats.
Employee Training and Practices
All employees (not just the IT department) should be trained to avoid common cyber risks such as phishing and downloading malware. Companies should adopt written policies regarding data protection, confidentiality, trade secret protection and minimizing cyber risks. These policies can be stated in employee handbooks or other company policy handbooks provided to employees and independent contractors. To mitigate legal risks, companies must stay abreast of federal and state laws about privacy, proprietary information, and best practices, as each continually evolves.
Despite best efforts, companies may still fall prey to cyber attacks. Companies that collect, store or transmit intellectual property, proprietary or confidential information, or personal health or financial data should explore cyber security insurance to ensure that they have proper coverage for the costs of malware, viruses and data breaches. In the current economy, that likely includes most companies.
Contractual Terms; Risk Allocation
When negotiating commercial contracts, companies should ensure that the contracts properly allocate cyber risk between the parties. Consider including indemnification provisions for cyber risks and liabilities. Depending on the nature of the agreement and the services being provided, it may be appropriate for each party to indemnify the other for cyber risk based on the comparative negligence of the respective parties. However, when a contractor is providing data processing, cyber security or certain other IT services, it may be appropriate for the service provider to indemnify the customer for the cyber risks. Lastly, consider whether general limitations of liability make sense for cyber risks. Currently, it is common to make an exception from general limits on liability for liabilities related to intellectual property infringement. Given the potential size of cyber damages, it may be appropriate to carve out cyber risks as well.