Why Privacy Laws Matter To Commercial Landlords

Transcription

1 Why Privacy Laws Matter To Commercial Landlords Christopher L. Travis Gill Elrod Ragon Owen & Sherman, P. A. Little Rock, AK L ast year, thieves breached Sony Play- Station data servers and stole personal information of millions of customers, including their names, addresses, security questions and credit card information. That type of theft, resulting financial loss and (for now) inevitable lawsuits about insurance coverage may seem far away to a commercial landlord. Landlords, however, could be affected by those risks as well because almost every commercial tenant uses some form of Internet access, even if only for its point-of-sale (POS) system. If a tenant suffers a data breach and has resulting liabilities that are not insured against, the tenant could face debilitating losses and default on its lease. In a more recent and brick-and-mortarrelated scenario, in December the U.S. District Court in New Hampshire unsealed an indictment of four Romanians, in which the United States alleged the hackers accessed around 200 POS systems throughout the United States, focusing mainly on 150 Subway franchisees, and used the stolen data to incur about $3 million in fraudulent charges. The franchisees had neglected to maintain best practices to secure their POS systems, which allowed the thieves to steal the data over the Internet. Those franchisees may face some huge losses, and many could consequently default on their leases, unless those losses are insured against. This article points out some emerging legal issues that should concern commercial landlords and suggests some lease covenants and insurance requirements that could, if honored, operate either to prevent data loss or at least ensure that the losses are insured against. If businesses begin thinking about privacy issues in a proactive way, many privacy problems could be avoided, and those that cannot be avoided may at least be insured against. Ignoring the issue, however, is not a viable option. The Scope of Privacy Laws Privacy and data security laws exist at the federal and state level. There are at least 12 different federal laws that fall into the privacy category, and for some businesses, international privacy laws may even apply. The federal government has not yet adopted a general data breach notification statute, although several bills have been introduced in recent years. The states, therefore, have undertaken to protect consumers privacy through a patchwork of statutes covering privacy or data protection statutes. This hodgepodge legal scheme means landlords and tenants must ensure that they comply with the law of their home state and the

2 law of the state where the physical location exists. Ongoing compliance and post-breach notifications, needless to say, require a complex analysis. Privacy and data protection is an area of the law that is so new that no one really knows the scope and reach of all the privacy laws, and lawsuits are springing up everywhere. The most common lawsuits involve a breach of a duty of data protection that a company owed to its customer. As individuals, we need to safeguard our private information. As business owners, however, landlords need to understand that these laws exist, and that they may affect their own and their tenants business in unexpected ways. To help illustrate the data security mindset, the following are a few examples illustrating the potential impact of privacy laws: Privacy Issues: Potential Scenarios Data security risk does not exist only in cyberspace. Though many headline-grabbing incidents refer to data breaches by online hackers, businesses operating in real space are not immune from data and privacy breaches. For instance, with a retail tenant using a POS system, criminals can obtain customers debit card numbers and PINs from the retailer in one city and make fake debit cards, which they later use at bank ATMs in another city. Here are some things to think about in that situation: Did the retailer owe its customers a duty to make sure the criminals could not commit that crime? If so, did the retailer fulfill that duty? Does the retailer have insurance for that liability? What happens if one of those customers (or even the bank that had to issue new debit cards) sues the business from which his or her information was stolen? Did the retailer have a written policy about how its employees are supposed to operate the credit card machines? Here s another scenario to consider: A business, as many often do, maintains a frequent customer database. The customers information is stored in an Excel spreadsheet or in an Access database in the business s computers and includes, among other information, the customers name, home address, purchasing preferences (or frequency), and credit card information. What if an employee decides to copy that information before he/she quits and give it to a competitor, or worse, sell it to a criminal? Or, even less nefarious, what if a well-meaning employee copies the database to a flash drive but loses the flash drive while taking it to a print shop or forgets what is on the flash drive after making the needed copies? What if the print shop loses the flash drive? Does the business owe its customers a duty to protect against those events? Does the business have to tell its customers that it lost their personal information? What is the business s reputational risk/cost in doing that? Does the business have a written employee policy regarding employees handling customers data? Another example: A franchisor requires its franchisee to enter customer data and upload that data to the franchisor s computers. The franchise agreement places the burden of the security of that data on the franchisee. Does the franchisee have insurance against that loss? What happens if the franchisee, like the Subway franchisees attacked by the Romanians, does not have the appropriate insurance coverage? That loss (or even just the cost of defending the resulting lawsuit) could easily cause a business closure or bankruptcy and consequent breach of a lease. 2

3 One final example to consider is one that does not even involve a computer: A company has been in business for 30 years, and has accumulated numerous boxes of employment records related to former employees (along with a lot of other data). Those old records are stored offsite in a local selfstorage facility. What happens if someone breaks into that storage facility? What duty does the company owe to its former employees whose records may have been stolen? Does the storage facility owe the company a duty to protect those records? Should the storage company have to indemnify the company? Does the storage company have insurance coverage for that risk? Did the company investigate the storage company s insurance coverage before storing the information there? Did the law require the company to retain those records? If not, should the company have a different policy regarding document retention and destruction? These are just a few possible scenarios. The list could go on and on. Privacy Rights.org is a Web site that lists reported data breaches since ( rights.org/data-breach). The list is quite long and includes dozens of astonishing events from across the country. Perhaps unsurprisingly, most of the events occurred in larger metropolitan areas. But with ability to attack POS systems and other Internet-dependent operations remotely, breaches are spreading to ever more rural areas. For every instance on PrivacyRight.org s reported list, there are many more that have gone either unreported or, worse, undiscovered. Once you begin thinking about privacy and data security, the potential weak points become easier to spot. Many people believe this is the next big area in consumer litigation, which would mean it could also be the next big thing in causing financial losses to tenants. So What Should a Commercial Landlord Do? Privacy and data security laws are here, and the litigation avalanche is just beginning. A landlord should address its own business potential exposure, while also taking steps to ensure that its tenants operate in compliance with the various data-protection and data-security laws. A landlord should also maintain appropriate insurance coverage(s) against potential data-breach losses, which policies, of course, where possible, should name the landlord as an additional insured or loss payee. A Landlord Should Consider Its Own Risk Landlords as business owners (as opposed to a landlord worrying about a tenant s business practices) need to consider these issues and, at a minimum, adopt written policies governing their data-collection and datatransfer practices. Employees need to be trained. Vendors (software and otherwise) need to be questioned. Every business needs to consider these issues and address them in writing. With any business that suffers a data breach and must notify affected employees or customers, one difficult issue regarding security-breach notification is deciding which state s law applies (in addition to the state in which the brick-and-mortar business sits). For instance, if a brick-and-mortar business in Arkansas suffers a data security breach, the company must comply with Arkansas s law as well as with the breachnotification law of the state in which the business s customers reside. 3

4 There are currently 46 different state statutes governing security-breach notification. So if a customer from New York visited a company once, and there is a breach of the computer system that may have exposed that customer s information, the company needs to check and comply with New York s databreach notification statute and comply with the law of the state where the breach occurred. According to the Ponemon Institute s 2010 Annual Study: U.S. Cost of a Data Breach, the average breach-notification cost in 2010 was $268 per data record. This high cost was due in large part to the forensic cost associated with determining which customers were affected, so that the business could determine how to comply with all applicable laws: the local state s law, the customer s home state s law and federal law. Several bills are currently being worked out in the U.S. Congress to attempt to create a single, federal data-security breach notification system. There is great debate among the participants in the industry on the proper method of remedying this patchwork of state laws. For now, a business could have to comply with its home state s laws, federal laws, and as many as 45 other states laws if it suffers a data breach. If there are, for example, 1,500 customers potentially exposed, using the 2010 $268-per-data-record average cost, notifying those customers could cost as much as $402,000. That is just the cost to notify the customer; it does not include any potential exposure to litigation resulting from the breach, or the damage to a company s reputation. Most general liability insurance policies do not cover that expense or those losses. Landlords Should Require Tenants to Follow Best-Data Practices: Obtain Cyber-Insurance In drafting a lease with a commercial tenant, a landlord should require a tenant to covenant and agree to operate its business in full compliance with all applicable federal and state laws regarding data security and privacy. Although the laws applicable to a given tenant may vary from tenant to tenant, care should be taken to consider each tenant s business model to ascertain which laws might apply. If there is a breach related to a POS system, the question of liability for a tenant often begins with whether the tenant s POS system adhered to the standards promulgated by the PCI Security Standards Council. The council is a non-profit organization founded in 2006 by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa ( securitystandards.org). Every business that uses a POS system should familiarize itself with these standards and take steps to ensure its POS system complies. Language similar to the following could be added to a tenant s covenant regarding the manner in which the tenant agrees to operate its business: Tenant, at its sole cost and expense, shall take all steps and actions necessary to ensure Tenant s operations comply with (a) the PCI Data Security Standard, as amended from time to time by the PCI Security Standards Council ( secu ritystandards.org), (b) all federal laws, rules, orders and regulations, including, but not limited to the following, as amended: the Fair Credit Reporting Act of 1970, the Electronic Communications Privacy Act of 1986, the Video Privacy 4

5 Protection Act of 1988, the Personal Responsibility and Work Opportunity Reconciliation Act of 1996, and the Identity Theft and Assumption Deterrence Act of 1998 and (c) all state laws, rules, orders, regulations and local ordinances and rules, including, without limitation, the following, as amended: [the situs state s data protection statute] and all other states laws regarding consumer privacy, consumer data protection and security, as applicable. Because cyber insurance is now available, a landlord should include those insurance-coverage requirements in a tenant s mandated insurance coverage. These policies vary from state to state and by underwriter, but generally speaking the policies insure against first-party liability and sometimes against third-party liability. A landlord should consult its insurance agent or broker to determine what policies are available in the landlord s state(s) of operation. As with any insurance policy, cyber insurance is fact specific, and care should be taken to ensure that the correct policies and riders are required to provide the maximum amount of protection for the tenant and its landlord, given the tenant s business model. Conclusion These issues are not going away, and the cost of compliance after the fact can be devastating. The good news is that a little work on the front end and some thoughtful consideration to the way a business handles customers personal information could prevent an issue from ever arising. As the examples above attempt to illustrate, privacy and data protection laws implicate many different areas of every business, not just the computer network. Once companies begin thinking about these issues, they will probably start to see privacy issues everywhere. Ultimately, we need to view the world in which our businesses operate through the lens of data protection and privacy. A company can address the issues and protect its customers and employees privacy (and thereby the company s bottom line) only if it is able first to recognize the issues. CHRISTOPHER L. TRAVIS is a shareholder and director with Gill Elrod Ragon Owen & Sherman, P.A. in Little Rock, AK. He represents developers, landlords and tenants in all aspects of real estate development, and his practice includes advising clients on privacy matters and data security and protection. Mr. Travis may be reached at (501) or travis@gilllaw.com. 5