Contracting Conundrum: “Reasonable Security Measures”

In technology contracts between customers and vendors, it is common to obligate one or both parties to implement “reasonable security measures” to protect applicable data and information. Typically, the obligation is a function of risk allocation or legal requirements. The recently enacted (and more recently amended) California Consumer Privacy Act’s authorization of a private right of action against businesses that fail to implement reasonable security procedures and practices highlights the issue. But, what are “reasonable security measures?” And, which contracting party decides?

The Market Speaks

Often, technology contracts merely reference, but do not explain, reasonable security measures. A contract may require a party simply to “implement reasonable security measures” to safeguard applicable information. Alternatively, a contract may obligate the party to “implement reasonable security measures as required by applicable law” or to “comply with applicable data privacy and security laws, including those regarding security measures.” Both customers and vendors can find these examples appealing.

Pushing the Envelope

Less often, but frequently when the technology transaction involves financial services companies, the contract may impose more stringent requirements based on statute or regulation. For example, the vendor may be obligated to “implement administrative, technical, and physical safeguards to insure the security and confidentiality of customer records and information, to protect against any anticipated threats or hazards to the security or integrity of such records, and to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.” Similarly, technology contracts involving healthcare information can mirror applicable federal regulations and obligate a party to “implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the information.” For EU personal data, the Standard Contract Clauses (which will likely soon change) may be invoked. Although usually advocated by technology customers, because these more specifically stated obligations track legal requirements, they are often acceptable to the customers’ vendors.

Breaking the Envelope

In a few cases, customers or vendors may choose to sidestep the vagueness of the above options. For example, agreements with ties to California may explicitly reference the 2016 California Data Breach Report, which specifically states that an organization’s failure to implement all twenty controls in the Center for Internet Security’s Critical Security Controls constitutes a lack of reasonable security. When payment card information is in scope, the contracting vendor may be directed to comply with the PCI Data Security Standards. Increasingly common, a technology customer – or vendor – may expressly set out detailed, bespoke security measures. The contractual statement of these measures can range from one, to three, to five or more pages. Clearly, there are many ways for contracting parties to reach agreement on applicable security measures to be implemented under a technology contract.
Be sure that what you sign up for works best for your company – all costs, risks, and consequences considered.

Privileged Cybersecurity Investigations – A Checklist for Contracting with Consultants

Your company may suffer a cybersecurity incident that warrants bringing in third-party forensics or other consultants to investigate and report on the cause or consequences of the cyber event or compromise. To seek to protect the third parties’ reports with the work product privilege (and, thus, to avoid having to disclose the reports in litigation) – and to try to side-step the unexpected failure to establish such protection that Capital One recently experienced (In re: Capital One Consumer Data Security Breach Litigation) – do (and don’t do) the following with respect to your contracts with these third parties:

Do have outside counsel be the entity contracting directly with the third party. Have outside counsel pay the third party’s fees, directly. Then, have outside counsel bill you for reimbursement of the fees paid.

Do contract under a specific statement of work or services description that is exclusive to the particular cyber incident.

Do state and expressly limit the purpose of the third party’s services and reports to anticipating litigation arising from the cyber incident. The purpose should not explicitly or implicitly include, for example, financial controls or reporting.

Do require that the third party’s report be in a form and of substance specific to the purpose of anticipating litigation. The report should not mirror what would be provided for reports for other purposes.

Do require the third party to issue formal and informal reports and updates only to the contracting outside counsel. Outside counsel, then, as necessary or appropriate, can distribute further the reports or updates, for example, to select internal stakeholders.

Don’t allow those who receive reports and updates from outside counsel to further distribute the reports or updates, whether internally or externally. Require recipients to explicitly agree to limited use and handling terms, before receiving reports or updates.

Don’t allocate the costs and fees for the third party’s services to any internal billing or cost center other than Legal’s. The costs and fees should be assigned to Legal’s budget. Categorize the costs and fees as “legal” costs and fees, not, for example, cybersecurity or business costs or fees.

And, in the contract with the third-party forensics firm or consultant, do include requirements that the third party conform to all of the applicable above do’s and don’ts.

Importantly, these are only a few do’s and don’ts that may help guide many companies to attempt to structure and implement contracts with third-party consultants so as to establish the work product privilege applicable to the third party’s reports. Each company, each cybersecurity incident, and applicable law can vary and be unique, so it is perhaps even more critical for the company to immediately involve inside (or outside) counsel to navigate these thorny issues.

Background – In re: Capital One Consumer Data Security Breach Litigation

The above do’s and don’ts follow from the recent decision of the U.S. District Court for the Eastern District of Virginia in the above-referenced litigation. Capital One sought to avoid having to disclose the report issued by the cybersecurity forensics firm that it retained in the wake of the March 2019 data security breach suffered by the financial company. In affirming a magistrate judge’s order to compel Capital One to disclose the forensics report, the Virginia federal district court made several observations.

Well before the breach (and not specific to the March breach), Capital One had retained the forensics firm under a general SOW, on a retainer basis, to provide a set number of service hours for any one of a broad range of incident response services that might be needed. After the security breach, the bank’s outside counsel signed a letter agreement with the forensics firm for services with respect to the breach. The terms of the letter agreement, however, provided for the same scope and kind of services, on the same terms and conditions, as the general SOW (except that the forensics firm would work at the direction of the outside counsel and provide the forensics report to the outside counsel). For performing under the letter agreement, the consultant was first paid from the retainer already provided under the general SOW. Then, Capital One directly paid the balance of the consultant’s fees due under the letter agreement – with funds from Capital One’s internal general cybersecurity budget. Capital One (at least at first) internally identified the fees paid to the consultant as a “business critical” expense – not as a “legal” expense. During the forensics firm’s investigation, it communicated directly with the bank’s external financial auditors, so that the auditors could assess whether the breach impacted the bank’s accounting controls. Many internal and external parties received a copy of the forensics report, but Capital One provided no explanation as to why these recipients received a copy of the report, as to whether the report was provided for business purposes, regulatory reasons, or specifically in anticipation of litigation, or as to any restrictions placed on the recipients’ use, reproduction, or further distribution of the report.

Both the magistrate judge and, on appeal, the district court judge who opined on the matter saw these above facts, among others, as support for finding that the forensic firm’s investigation report was not protected from disclosure by the work product privilege.

2019 Case Law Mash-Up: Can you assign exaggerated representations and warranties to a locked-in vendor?

Mash-up (noun): (slang) a creative combination of content or elements from different sources.

Several court cases in 2019 dealt with (or are still dealing with) key issues faced by parties to commercial contracts, including contracts for technology products and services. This post briefly discusses four of those cases and their corresponding issues of contract assignment, representations and warranties, and data security.

Can You Assign?

According to the court in Barrow-Shaver Resources v. Carrizo Oil & Gas (Tex. 2019), the answer to the question, “Can you assign?” is “No.” Bottom line: Make sure your contract clauses are clear and unambiguous, and don’t plan to rely on prior negotiations, drafts, or margin comments to explain away terms you don’t like. The contract in question included an unambiguous non-assignment clause that read, “The rights provided to [Barrow-Shaver] under this Letter Agreement may not be assigned, subleased or otherwise transferred in whole or in part, without the express written consent of Carrizo.” The court concluded that Carrizo was within its contractual rights to simply refuse to provide consent to Barrow-Shaver’s requested assignment – without more. Neither the contract language nor applicable law required Carrizo, in withholding consent, to exercise good faith, to be reasonable, to satisfy certain conditions, or to provide a reason for withholding consent. The court rejected arguments that, notwithstanding the contract language: industry custom and usage should be applied to interpret when consent may be withheld; prior to contracting, Carrizo assured Barrow-Shaver that Carrizo would provide its consent; and, the parties’ prior negotiations and an early draft of the contract should be considered.

Exaggerated Representations and Warranties

Two 2019 cases highlight the sales and contracting processes for big-ticket IT services. In IBM v. Lufkin Industries (Tex. 2019) (“Lufkin”), Lufkin Industries contracted with IBM for the provision and implementation of a new software solution to run Lufkin Industries’ operations systems. In Hertz v. Accenture (S.D.N.Y., not yet decided) (“Hertz”), Hertz contracted with Accenture to build a transformed web site and mobile application. A key takeaway from both cases is that well-drafted contractual disclaimers and integration clauses, absent explicit contractual representations or warranties, can defeat warranty breach, inducement, and misrepresentation claims.

In Lufkin, IBM made several pre-contractual representations regarding the timing and ease of implementation of the new software solution. Some representations were made orally, others appeared in sales materials. The project implementation process ultimately failed. In Hertz, Accenture is alleged to have delivered versions of contracted work product that failed to meet contractual timing requirements, specifications, and warranties. Hertz terminated Accenture’s contract before the project was completed. In 2019, Hertz filed a lawsuit against Accenture for breach of contract and unfair and deceptive practices. In its motion to dismiss, Accenture specifically called out the contract’s integration clause and conspicuous warranty disclaimer provision. In Lufkin, IBM prevailed against Lufkin Industries’ claims for inducement and misrepresentation. The contract included clearly drafted language disclaiming IBM representations, disclaiming Lufkin Industries’ reliance on IBM representations, and establishing the contract as the entire agreement between the parties.

Contracting for large IT projects can be challenging. The projects are often complex and time-consuming and frequently involve developing or evolving parameters and requirements. Almost certainly, notable time is spent drafting contractual representations, warranties, disclaimers, and integration clauses. But, to address potential issues, also duly consider project scoping provisions and acceptance terms (including whether the RFP, if there is one, will be part of the contract). If possible, stay connected with your sales or procurement team throughout the sales process to ensure alignment and relevant project-specific contract terms.

Locked-In Vendor

Tightly drafted contracts are a valuable asset – but they are not the exclusive source of risk mitigation and avoidance. If you can, do more. A class-action lawsuit was brought against Delta Air Lines following a data security breach affecting 800,000 Delta customers. See McGarry v. Delta Air Lines (C.D.Cal. 2019). The breach involved a hack of Delta’s service provider, 24[7] (a Philippines company). Delta subsequently sued 24[7] for damages arising from the breach. The security terms in the Delta-24[7] contract were robust and comprehensive. In addition, 24[7] represented that it had achieved five different industry-recognized privacy/security certifications. Although the contract terms and representations ultimately may be sufficient to award Delta damages, the contract doesn’t assure Delta’s full recovery. What other help is there? For customers, even if it’s not required, pre-contract service provider diligence can be quite informative; for vendors, ensure that you can do what you contractually sign up for. When contracting with foreign companies, consider parent guarantees or other contractual mitigations. And, for customers and vendors, closely review your own insurance policies to evaluate coverage in the event of a security incident; also for customers, consider reviewing the service provider’s policies if you have coverage concerns.

Why Blockchain Matters to In-House Lawyers

Today, news reports, academic articles, and corporate reports are flush with mentions of “blockchain,” “Bitcoin,” and “distributed ledger technology.” At first glance, many readers see the discussion as hype, generating a great deal of actionless attention, curiosity, and investment opportunities. However, on another level, some of the conversation regards developments in technology that may specifically shape or impact a company’s contract or legal risk profile – even for those companies that don’t have or deal in Bitcoin.

Blockchain technology is expected to have a broad and sweeping impact across industries worldwide, with one commentator identifying a financial impact of over $176 billion in the next several years. It is envisioned that countless companies (whether suspecting or unsuspecting) will deploy or utilize the technology in their businesses. This may happen in the form of an internally developed or deployed technology or system, through dealings with governments or government agencies, or by way of transactions with technology vendors or service providers, among others.

At a very high and general level, blockchain is a recently developed distributed ledger (or database) technology that facilitates secure records of transactions over time by electronically distributing and maintaining tens, hundreds, or thousands of identical, immutable, highly secure digital copies of the transaction record. Each of these copies is distributed to and held by a different computer node or site participating in the ledger. Blockchain is one kind of distributed ledger technology, and there are many different platforms for blockchain. Bitcoin is a form of cryptocurrency whose foundation is based on one of the blockchain platforms. (Numerous detailed explanations of blockchain and distributed ledger technology are available online, including the video, Ever wonder how Bitcoin (and other cryptocurrencies) actually work?, and a UK Government report on distributed ledger technology.)

Many sets of records that are maintained in an Excel spreadsheet, a company or vendor database, or government files, whether or not currently stored or maintained in the cloud, may be suitable for blockchain. A few examples include real estate purchase and sale transactions, shipping records, banking and financial transactions, inventory management, consumer auto-pay and auto-withdrawal transactions, product manufacturing, and customer subscription transactions.

Attorneys and contract professionals supporting companies’ encounters with blockchain technology should consider the following, among others:

Open Source Software. Currently, numerous distributed ledger technologies (including blockchain) are built using open source software. The Bitcoin program is distributed under the MIT License, aspects of Ethereum (another blockchain-based cryptocurrency) use the GNU General Public License, and OpenChain (another distributed ledger technology) is based on the Apache 2.0 license. Open source software licenses include many unique terms (and omit many standard commercial software licensing terms), and may, for example, dictate subsequent use and distribution of the software, as well as of company proprietary code related to the open source software.

New Software. Because distributed ledger technology like blockchain is new, in many cases the software underpinning the technology is not as well-tested and presents a notable possibility of serious errors and glitches. Consequently, traditional contractual recourses and remedies for software errors and bugs may not be wholly meaningful, when applied to blockchain, and typical software project deployment schedules and timelines may be difficult to adhere to.

Privacy. While one of the potential benefits of blockchain is stronger data security safeguards against loss, destruction, and unauthorized alteration of data and records, the nature of a distributed ledger is that the tens, hundreds, or thousands of ledger participants will have exact duplicates of the digital data and records. Even if the parties to a particular transaction do not consider the transaction record in the ledger to be confidential, it is possible that the underlying record data (especially if health, medical, or financial data) may be a material concern.

Technology Contracting. Blockchain is a technology, with its own open (as noted above) or proprietary platforms, software, and systems. Contracts for, or to use, blockchain technology, just as other company contracts for technology, are key vehicles to establish critical rights and obligations regarding representations and warranties, indemnities, limitations of liability, and intellectual property.

Bitcoin. Many companies will not typically have or deal in Bitcoin or other cryptocurrencies. The legal and regulatory landscape applicable to cryptocurrency is nascent and exceptionally dynamic and varies across U.S. and non-U.S. jurisdictions (and is beyond the scope of this post). Even for companies that merely or only occasionally transact business in cryptocurrency (and don’t issue, exchange, or administer cryptocurrency), potential issues can include how cryptocurrencies are treated and taxed (different legal authorities consider them to be “currencies,” “commodities,” or “property”), whether corporate insurance provides coverage or protection for cryptocurrency transactions, and whether the use of cryptocurrency is even legal.

Blockchain is an algorithm-intensive, complex technology that may provide great benefits, efficiencies, and cost savings to its users. While this post does not speak to many of its features, including smart contracts, permissioned versus permissionless ledgers, and cryptocurrency mining, hopefully it provides a “bit” of useful information.

Your Emoji Use Just Formed a Contract

Or, did it? As confirmed in a very recent Wall Street Journal article, the legal impacts and effects of using emojis and emoticons in business and workplace communications and dealings are growing. For attorneys, contract professionals, and business executives and teams discussing, negotiating, and communicating about technology, business, deals, and transactions, the use of emojis (pictographs) and emoticons (punctuation marks, letters, and numbers) should be a concern. Depending on the circumstances, using an emoji or emoticon to respond to another party’s email or message may have the same effect as if precisely crafted words had been used. Unless the author of the email or message is careful, casually sending a ?, :-), ?, or ☺ in response to an email putting forth a proposal or offer to do business may be the same as stating, “I agree to your terms.” At a minimum, replying to a message with an emoji may convey contractual intent. Bottom line, before using emojis or emoticons in emails and other communications, it is critical to consider how they may be received or interpreted. The use of emojis clearly is on the rise. In its November 2016 report, Emogi reported that 2.3 trillion messages incorporating an emoji would be sent in 2016 – and the report did not include the use of emojis in emails. In addition, the Unicode Consortium recently announced that 157 new emojis have been added in 2018, bringing the total number of standard emojis to 2,823. As more of the business world adopts technology to communicate, it becomes more important for business leaders, procurement and purchasing professionals, and others to be mindful of their use of emojis and emoticons in emails, texts, and other message formats. To those businesses and companies that have “careful communications” policies, has your policy been updated to address the use of emojis? Aside from general contract concerns, the use of emojis has and will increasingly impact parties’ legal rights and obligations. 
This includes the areas of labor and employment, promissory estoppel, jury instructions, and criminal cases. According to research by Santa Clara University law professor Eric Goldman, for the set of reported cases that he was able to identify as mentioning “emoji” or “emoticon” over the 2004-2016 period, over 30% of the cases were from 2016, and nearly 50 were from 2015 and 2016. And, if you needed another reason to be overly cautious when using emojis and emoticons in correspondence and communications, be aware that the true meaning attributed to any particular emoji may be vague, at best, or non-existent, at worst. Moreover, the form and appearance of the emoji you send may not be the same as the form and appearance seen by the recipient. In addition, different cultures, generations, and geographic regions interpret emojis differently. (The most confusing emoji? It’s ?.) The reality is that emojis are easy to use and can be fun and communicative. They are, and will continue to be, used in emails, texts, and communications between and among business parties, their advisors, and others. Just be sure to ? before you ?.