This article was originally published in Focus (Industry News), New York State Hospitality & Tourism Association newsletter (Winter 2012).
Whether a business keeps data in its immediate possession or transfers it to "the cloud", the threat of hacking is ever-present. Even in the absence of a hacking incident, improper disclosures of sensitive business data are common.
In one recent example, Major League Baseball went to court to gain information from an off-shore insurance company to learn how non-public financial information captured electronically for several baseball teams made its way onto the Internet. It's a sobering example of how much information is captured electronically and just how easily that information can be made public, even without the involvement of a computer hacker.
To manage such risks, businesses of all sizes should take the following steps. First, make sure that your computer infrastructure maintains up-to-date security to guard against hackers, malware and viruses. Second, document your efforts to protect the business's data. Regulators and insurance companies will often seize upon accusations that a business used obsolete or ineffectual security measures to seek damages, impose penalties or deny coverage.
If your business entrusts data management or hosting to another company, e.g., via cloud computing, disclose this fact to your customers, partners, suppliers and others who may transmit or share data. While such disclosures may not be mandatory, they can go a long way toward nullifying certain accusations by third parties. Also, undertake (and document) due diligence measures regarding the security employed by the data hosting or data management provider.
If you employ cloud computing firms, establish contractual agreements expressly setting forth the level of indemnity and "hold harmless" protection that the cloud company will provide should the entrusted data be hacked. Insist also on representations and warranties regarding the level of security employed by the cloud firm to protect entrusted data against hacking.
Businesses handling sensitive electronic data should establish internal protocols determining the classification of certain categories of information and restricting internal access in accordance with the data's sensitivity rating. Simply put, not everyone needs unfettered access to all company files. Similarly, establish protocols to govern use of data from remote locations. Also, set forth guidelines about how employees should use -- and safeguard -- portable and mobile devices, including rules for what may be downloaded or otherwise taken off site.
Include insurance coverage and indemnity rights as part of your core risk management strategy. Given the near inevitability that a business at some point will suffer a data breach, insurance and indemnity rights may soften the blow and help defray the costs. There are many insurance coverage products that promise protection for Internet perils and other related computer losses, including virus and hacker claims. These products are often complicated and vague, so take care in selecting the most suitable protection available.
Preparing for data breaches before they occur is key for any hospitality and gaming company. It's perilous to try to figure these issues out when the genie has already escaped the bottle. Advance planning will ease the burden of a data security event -- at which point the business will already be complying with state notice laws and addressing lawsuits and possibly inquiries from FTC regulators and state attorneys general.
Joshua Gold is a shareholder at the law firm of Anderson Kill & Olick, P.C. Mr. Gold regularly represents policyholders, including gaming and hospitality businesses, software companies, financial institutions, and retailers in insurance coverage matters and disputes concerning liability, arbitration, time element insurance, electronic data and other property-casualty insurance coverage issues. Mr. Gold can be reached at jgold@andersonkill.com or (212) 278-1866.
About Anderson Kill & Olick, P.C.
Anderson Kill practices law in the areas of Insurance Recovery, Anti-Counterfeiting, Antitrust, Bankruptcy, Commercial Litigation, Corporate & Securities, Employment & Labor Law, Health Reform, Intellectual Property, International Arbitration, Real Estate & Construction, Tax, and Trusts & Estates. Best-known for its work in insurance recovery, the firm represents policyholders only in insurance coverage disputes, with no ties to insurance companies and no conflicts of interest. Clients include Fortune 1000 companies, small and medium-sized businesses, governmental entities, and nonprofits as well as personal estates. Based in New York City, the firm also has offices in Newark, NJ, Philadelphia, PA, Stamford, CT, Ventura, CA and Washington, DC. For companies seeking to do business internationally, Anderson Kill, through its membership in Interleges, a consortium of similar law firms in some 20 countries, can provide service throughout the world.
Anderson Kill represents policyholders only in insurance coverage disputes, with no ties to insurance companies, no conflicts of interest, and no compromises in its devotion to policyholder interests alone.
The information appearing in this article does not constitute legal advice or opinion. Such advice and opinion are provided by the firm only upon engagement with respect to specific factual situations.
Specific questions relating to this article should be addressed directly to the author.