Data Breach Notifications are on the Rise in 2016 and Businesses Continue to Struggle with Liability Issues Relating to Breaches

New York on Record Pace for Data Breach Notifications in 2016:

On May 4, 2016, New York Attorney General Eric Schneiderman announced that his office has been notified by companies of 459 data breaches involving New Yorker residents so far this year. This represents a 40 percent increase compared to the same period last year. In the first four months of 2015, the AG's office had received 327 data breach notifications and received notification for a total of 809 breaches for all of 2015. Schneiderman stated that he expects to receive well over a thousand breach notifications this year, which would be a record. The AG also announced that a new submission process has been implemented to make the notifications easier to submit and the process more efficient – businesses now have the ability to file notices electronically via an Internet submission form rather than using regular mail, fax, or email.

Under New York's Information Security Breach and Notification Act (General Business Law § 899-aa) any businesses that conduct business in New York State are required to comply with certain requirements with respect to notifying New York State residents in the event of a data breach or, as the Act calls it, a "breach of the security of the system." In addition to requiring notice to affected residents, the Act requires that notification be provided to three state agencies, one of which is the Attorney General's office. The Act also provides the AG's office with the power to commence lawsuits against businesses that fail to comply with the Act's notice requirements, which can result in money damages and penalties being assessed against the businesses.

Schneiderman also noted his continued push for further protections and regulation with respect to cyber security matters. Last year, Schneiderman proposed legislation that would not just require notification of breaches, but would also require companies to put into place certain technical and physical security measures to protect the data they hold while at the same time providing a safe harbor for companies that adopt and attain certification that they have effectively implemented certain heightened security standards. The proposed legislation would also expand the existing breach notification law to include within the definition of "private information" the combination of an email address and password, an email address in combination with a security question and answer, medical data such as biometric information, and health insurance information. The current law only defines "private information" to include social security numbers, driver's license (or non-driver ID) numbers, and account/credit/debit numbers in combination with security/access code or password (such that it would permit access to a financial account). The law's notice requirements are only triggered when this "private information" is accessed by unauthorized individuals. Thus, the AG's proposal would expand what constitutes a "breach" and, in conjunction, when residents are entitled to receive notification of a data breach event.

New York State, the Federal government, and states throughout the nation are continuing to develop legislation and regulations geared towards data protection and cyber security requirements. It is clear that with the continuing prevalence of data breach events and emphasis on cyber security, we have not by any means seen the end of the legislative and regulatory attention to these issues. How this legislative and regulatory push continues to pan out will undoubtedly have a significant impact on business.

What's in Your Contract:

Meanwhile, as businesses continue to struggle with data security requirements and breaches, a restaurant and grocery supplier learned a hard lesson in contracting in the cyber security age. The supplier, Jetro Holdings LLC, was the victim of hackers who stole credit card information from its payment system in 2011 and again in 2012. In each case, Jetro's transaction processor, PNC Bank NA, was charged approximately $3.4 million in fees and penalties by MasterCard for purportedly violating the "data security standards" of the agreement between PNC and MasterCard. PNC passed the $7 million liability on to Jetro pursuant to Jetro's agreement with PNC, which provided that Jetro was required to indemnify PNC for an fees, losses, or fines resulting from a data breach.

Jetro subsequently commenced a lawsuit in 2015 against MasterCard in New York State Supreme Court, claiming that MasterCard never should have charged PNC, and, thus, Jetro would not have been required to reimburse PNC. In a decision issued on May 5, the court dismissed Jetro's case. The court held that: "At bottom, Jetro's inability to seek redress for the withholding of funds by PNC is attributable to Jetro's own agreement, in its contract with PNC, that Jetro would indemnify PNC even for assessments that might violate the data security standards or which are otherwise unlawful"¦That Jetro bargained away its remedy against PNC does not give it the right to proceed directly against MasterCard." The court further stated that: "MasterCard bargained, in its contract with PNC, to have the right to pass these charges on to PNC; PNC bargained, in its contract with Jetro, to have the right to pass these charges on to Jetro"¦Since Jetro was in the best position to safeguard its computer system, contractual agreements which place the risk of loss on Jetro are not unreasonable, unfair, or inequitable." Ultimately, the court found that Jetro had no right or standing to sue MasterCard directly, and its remedy was, essentially, to negotiate a more favorable contractual arrangement.

Jetro's situation, while unfortunate for Jetro, provides a good lesson to businesses entering into contractual relationships in this cyber age – be mindful of contractual rights, obligations, and remedies relating to data security and breach events. Standard contract forms that have been regularly used for years without revision or automatically renewed contracts between parties with longstanding relationships should be examined to ensure that the parties have accounted for and understand who will be liable for what in the event of a data breach event.