Planning for Breach Notification Requirements in Your Customer Contracts
At the San Francisco “Exchange” Data Privacy and Cyber Security Forum on April 26, a spirited debate arose whether a federal breach notification law will/should be enacted to bring uniformity to the patchwork of breach notification laws in 47 states. But even a uniform law would not end the analysis for many companies.
As companies become more aware of (and liable for) data breaches, we see more negotiated provisions governing breaches. Some require notice earlier than statutory requirements, notice in a particular manner, or specific information included with the notice. Those provisions are often accompanied by indemnity provisions that can be burdensome and open-ended.
In April, the Department of Justice released its report on “Best Practices for Victim Response and Reporting of Cyber Incidents” recommending a pre-breach action plan. That plan should include evaluating “What criteria will be used to ascertain whether data owners, customers, or partner companies should be notified if their data or data affecting their networks is stolen.” That’s good advice.
If you store information of many other companies (and their customers), you should plan for the likelihood of a data breach. The tumult of a data breach is no time to begin reviewing all your customer contracts to look for special breach notification provisions. Some ideas to plan ahead:
- The Legal department or Contracts Administrator should flag contracts containing non-standard breach notification provisions. Contracts administration software (or even an Excel spreadsheet) might include:
  - A Yes/No field for non-standard breach provisions, so a list of non-standard contracts could be quickly assembled.
  - A field to identify the deadline to notify (20 days from discovery, etc.).
  - A field to identify the exact person to be notified (see below).
- Ensure that the recipient of the breach notification is appropriate – e.g., to the customer’s IT department, rather than the company representative who signed the contract, who may have no responsibility for data breach issues, and who may have moved to another role. One solution is to have the customer set up a notification group, so that a single email to DataBreach@[YOUR CUSTOMER].com would go to an entire response team.
The takeaway is that untimely notification to a customer, where a contract requires timely notice, could expose you to substantial contractual damages to that customer, particularly when those notification provisions are backed up by robust indemnification provisions. The good news is that special breach notification provisions are a relatively recent phenomenon for most companies, so most companies may not need to review legacy contracts for such provisions.
Next step: Re-examine those indemnification provisions and scale back open-ended obligations in light of the current data breach and regulatory environment.