Note: this article was previously posted on Norse’s DarkMatters.
A recent lawsuit provides a nice case study for how businesses’ contracts can play a critical role in their cybersecurity strategy. Before the court is this question: Who was responsible for maintaining cybersecurity safeguards for a bank’s website, the bank or the company that designed and hosted the website?
While the case was only recently filed, it serves as an example of how a strong contract between the bank and the website company could have resolved many of the issues they are now fighting over in court.
A better approach would be for parties, at the beginning of their relationship, to think about, work through, and document their cybersecurity issues, expectations, and duties. They can start with the four issues discussed in this article.
Contracts are Essential Business Communication Tools
Contracts are one of the primary tools that businesses use to communicate and document important information and agreements. In fact, most business contracts have what are called “merger clauses” that specifically say that that any communications and agreements between them, that are not contained in the contract, are not part of their agreement.
Because of the prominence that cybersecurity risks now play in the overall business risks that businesses face, it is vital that their contracts adequately address cybersecurity issues.
Who is Responsible if the Contract Does Not Say?
The dispute in Travelers Casualty and Surety Co. of America v. Ignition Studio, Inc. reveals that their contract did not address several important cybersecurity issues. This case began with Alpine Bank, a financial institution, hiring Ignition Studio, a professional website design company, to design and host its website.
Ignition Studio designed and, apparently, hosted the website for Alpine Bank. Some time later, hackers attacked the website and caused a data breach that caused Alpine Bank to incur $154,711.34 in expenses to comply with its data breach response obligations.
Alpine Bank made an insurance claim to Travelers. Travelers paid the claim and then sued Ignition Studio to recover the amount of the losses. Travelers’ Complaint alleged causes of action based on negligence and breach of contract.
The primary question in the case is whose responsibility was it to ensure the website had appropriate cybersecurity safeguards in place? Travelers’ claims may or may not be successful, and it is only through a costly legal dispute that we will know the answer.
Without addressing how I believe this case will ultimately turnout, I do want to address what I see as the most important lesson: The parties could have negotiated and agreed upon each of the issues in dispute beforehand in a binding contract.
Four Basic Cybersecurity Issues Today’s Business Contracts Should Address
What cybersecurity standards apply to the project? Are there specific regulatory or industry standards governing either party, or other unique circumstances, that require certain cybersecurity standards?
Travelers alleged that because Ignition Studio holds itself out as a professional designer and servicer of websites, it should have known to use appropriate standards to protect the highly personal and private information of the Alpine Bank’s customers.
Practically speaking, as both a professional working in the cybersecurity space as well as with numerous website design firms, I am not sure those expectations are realistic.
Most of you reading this post are knowledgeable of cybersecurity issues, so ask yourself a few questions: Do you know one regulatory body that governs financial institutions? Do you know if that governing body has prescribed cybersecurity guidelines for subject institutions? Are you familiar with FFIEC?
If you are not, then how realistic is it that Ignition Studio, or other similarly website design companies, are actually familiar with such guidelines?
Moreover, assume the bank had been in another industry without a governing body but still operating in a sensitive environment. In that case, even just saying “reasonable standards” would still leave open the question of whether it would be the standards of that industry or the website design industry that determines reasonableness?
This kind of ambiguity leads to litigation. In today’s business environment, anytime parties do business together, they should discuss the cybersecurity issues that are involved. They should address questions like “are there any particular standards that apply?” and, if so, “what are those standards?” and “what aspects of the project do they apply to?” These are all issues that can and should be addressed in business contracts.
What are each of the parties’ responsibilities for taking steps to ensure that the project is protected by adequate cybersecurity safeguards? What steps will be taken? How will they be implemented?
It would have been helpful had Ignition Studio’s “form contract” either clearly define the scope of work to limit its responsibility for these issues (to a reasonable degree) or, if it were agreeing to provide specific security services, to also require the client to notify it of any industry or practice specific cybersecurity standards and provide it with the appropriate guidelines for following such standards.
From Alpine Bank’s perspective, it would have been helpful if the contract had provided that by providing website design and hosting, such services would necessarily include the implementation and maintenance of certain baseline cybersecurity standards to protect the website, the data thereon, as well as the networks connected thereto.
Had these issues been raised, the parties could have negotiated any number of reasonable ways to deal with the issues. In fact, had they focused on the issue, there is a significant likelihood that they would have realized that neither Alpine Bank nor Ignition Studio had the requisite expertise and understanding of cybersecurity to make any of these decisions.
For example, given your own knowledge and experience, do you believe that a website design and hosting company has enough expertise to determine when and how a bank’s customer data should be encrypted?
Had the contract required that these cybersecurity issues be addressed, there is a decent chance that they would have realized that there is a big difference between website design and hosting and cybersecurity.
Then, hopefully, they would have sought the help of a qualified cybersecurity firm that could have not only guided them through this process but also assisted them in hardening the site and avoiding the data breach all together. This would be a win for everyone.
Parties’ initial “form contract” will not resolve all of the cybersecurity issues but, if they at least raise the issue, then the parties can negotiate reasonable solutions for the issues.
These solutions should answer questions like:
- who is primarily responsible for the overall cybersecurity safeguards for the project?
- what are the steps that will be taken to accomplish this?
- how will those steps be implemented?”
What procedures are in place for verifying, whether by audit or otherwise, that the agreed upon cybersecurity safeguards are being used? What are the remedies if they are not?
President Ronald Reagan’s old adage for dealing with the Soviets is equally appropriate for an issue as critical as cybersecurity: “Trust, but verify.” The consequences of a data security incident are too great to blindly take others’ word that they are doing what they contractually agreed to do.
It is important that all contracts have provisions that permit the parties to verify that the cybersecurity protections that they negotiated for are actually followed.
Then, if they agreed upon precautions are not being taken, the contract should specify how the other party is to stand in the gap and do what is necessary to protect the environment and then require the other, non-performing party, to compensate it for fulfilling its obligations. In legal terms, this is called mitigation of damages.
What are the parties’ requirements for notifying each other in the event of an incident? If one occurs, what are their respective obligations?
As any good contract should do when its promises are not fulfilled, it should specify what happens in the event of breach. The same goes for cybersecurity obligations.
First, the contract should obligate the parties to notify one another in the event there is a cybersecurity incident and should be specific as to how quickly the notice must be given, the manner in which it is to be given, and to whom.
Second, the contract should address what the respective parties rights and obligations are in the event there is an incident, as well as address what triggers each parties’ respective obligations.
The four issues are certainly not comprehensive and, in reality, are only the starting point for what cybersecurity issues should be addressed. But, they are a starting point and, businesses that address these issues will be much farther ahead in planning for and allocating responsibility for cybersecurity issues than their counterparts that do not.
It is More Efficient to Address These Issues in Contracts Than Courts
In the Travelers v. Ignition Studio case, Travelers is suing Ignition claiming it is responsible for the losses it incurred as a result of having to pay for the data breach of Alpine Bank’s website.
To support its position, Travelers must argue that Ignition Studio breached a somewhat amorphous “duty of professional care” and “an implied term in the agreement” to perform the work “reasonably and within the standard of care applicable to companies engaging in the business of maintaining and servicing websites for bank.”
Allegations such as this are not uncommon in the law, especially when the claims are negligence-based, and oftentimes they are successful. But, they are uncertain as well. Uncertainty leads to litigation–expensive litigation.
Regardless of whether Travelers prevails, it would have had an easier and more efficient case if those terms — rather than having to be discerned and implied — were addressed in the contract from the beginning.
Because they were not, they are now paying their attorneys considerably more money to go to court and fight it out. As an attorney who does that for a living, I am ok with that, but there is a better way.
As I always say about cyber risk, “an ounce of prevention is cheaper than the very first day of litigation.”
Shawn Tuma (@shawnetuma) is a business lawyer with an internationally recognized reputation in cybersecurity, computer fraud and data privacy law. He is a Cybersecurity & Data Protection Partner at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.