Managing intangible data assets and making sure they do not become a liability

January 2021  |  EXPERT BRIEFING  | INTELLECTUAL PROPERTY


As the global challenges arising from the COVID-19 pandemic continue to reshape how business is done, it is useful to reflect on the remarkable ability of many modern corporations to keep operating through the uptake of digital technologies. Cyber and technology risk now sits firmly in the C-suite as a topic to be understood and the subject of careful strategy.

With increasing complexity, focusing on core strengths and partnering with others has become commonplace, and collaboration is increasingly central to successful businesses. When it comes to information technology (IT), a corporation usually has many partners within its technology ecosystem, from app providers to business or infrastructure outsourcing providers. There is also an increasing dependence on data flows and data assets for the delivery of innovation and value to customers. Like other forms of intellectual property (IP), properly managed data is a central intangible corporate asset. Mismanaged, it becomes a major potential liability.

A volatile regulatory environment and ‘high profile’ data security breaches are capturing the attention of corporate executives, particularly with the potential for large fines and other damage to corporate value that follows a data security breach.

For example, in the 12 months to June 2020 the Office of the Australian Information Commissioner (OAIC) reported 1050 data breaches likely to result in serious harm to the individuals to whom the information related, following the introduction of mandatory data breach reporting laws in Australia in 2018. In 2019, the Australian government proposed legislation to increase the maximum penalty for serious and repeated interferences with privacy from $2.1m to the greater of: $10m; three times the value of any benefit obtained through the misuse of the information; or 10 percent of a company’s annual domestic turnover.

The discussion questions for public comment laid out in the October 2020 ‘Privacy Act Review Issues Paper’ issued by the Australian Attorney-General’s Department make clear that in Australia the regulatory implications of mistakes in data management are steadily ramping up. This maps onto global trends, most notably the 2018 introduction of the General Data Protection Regulation (GDPR) in Europe, which raised the maximum penalty for privacy breaches to 4 percent of the annual global turnover of an offending company (or €20m, whichever is higher).

Data asset risk management in technology collaboration

At a high level, a breach of privacy laws will typically come into focus in one of three ways: a cyber attack or data breach by third-party actors; unauthorised collection, disclosure or use of personal information by internal personnel or contracted partners; or a failure to manage or delete personal information in accordance with policies, laws or requests. Add to this a multijurisdictional business environment and escalating ramifications for mistakes, and management of these risks becomes a key contracting issue. How are the risks defined, who should bear the consequences if they are realised, and should liability be excluded, limited or unlimited for service providers?

An organisation can attempt to shift data privacy risk to a third-party vendor by including a contractual provision whereby the vendor agrees to indemnify the organisation for costs, damage and penalties incurred in investigating and responding to a data privacy event for which the vendor is partially or completely at fault. However, is this a worthwhile battleground, or does it tie up the procurement department in continual and unwarranted battles and stop the organisation from being nimble in its use of technology?

The global reality on risk sharing in this area is a variety of inconsistent approaches. Suppliers, particularly those offering commoditised cloud services or cloud infrastructure to thousands or tens of thousands of customers, find themselves faced with requests to agree to unlimited liability, something they will not do. Their customers are happy to take services with unprecedented flexibility and power, no contractual lock-in and commoditised pricing, but still seek more from a risk-sharing perspective. When companies engage smaller cloud-based software as a service (SaaS) suppliers, many aspects of the service are facilitated, in turn, by a cloud platform provider. The SaaS provider may have less negotiating power than both the large corporate or government customer and the large cloud infrastructure and platform providers: it is pressed for uncapped liability on the one hand, but does not get reciprocal promises from the underlying cloud infrastructure and platform providers on the other.

To illustrate the gap that SaaS providers stuck in the middle are often left to bridge, first consider a large government entity’s procurement terms. The current ‘Digital NSW Cloud Framework Customer Contract’ of the state government of New South Wales (NSW), Australia provides that “the Supplier must comply with all Privacy Laws” and that “Where either party receives or otherwise possesses Confidential Information [which includes “all data and information including any Personal Information, in any form”] of the other party [they] must keep it confidential”, and liability for a breach of confidentiality or privacy laws is uncapped. In contrast, a typical approach for a global cloud services and infrastructure provider in its standard terms is as follows: (i) “No limitation or exclusions will apply to liability arising out of either party’s confidentiality obligations (except for all liability related to Customer Data, which remains subject to the limitations and exclusions above)”, where “Customer Data means all data … that are provided by, or on behalf of, Customer through use of the Online Service”; (ii) “To the extent permitted by applicable law, each party’s total liability for all claims relating to Professional Services will be limited to the amounts Customer was required to pay for the Professional Services”; and (iii) “Service Credits are your sole and exclusive remedy for any performance or availability issues for any Service under the Agreement”. The practical effect is that the SaaS provider’s liability to its customer for Customer Data is uncapped, while its recourse against the platform on which that data actually sits is capped, or limited to service credits.

Other than by SaaS providers caught without much negotiating power, how can this gap be bridged by corporations? And for that matter, how do SaaS providers avoid ‘betting the company’ on every deal, having regard to the very real nature of this particular risk?

The role of ‘cyber liability insurance’

All players in this risk-shifting game of ‘pass the parcel’ have a circuit breaker that allows commerce to move on and collaboration to appear seamless: a cyber liability insurance policy. How does such a policy help, and what are the issues to be alert to? Below is a series of potential risk issues, with sample clauses showing the approach of some insurers to each.

Issue 1. Does liability coverage apply in the event of: (i) unauthorised collection of personal information (PI); (ii) unauthorised disclosure, loss or theft of PI; (iii) unauthorised disclosure, loss or theft of confidential information; and (iv) in each case, where the act is that of a company’s service provider rather than the company itself? Sample clauses from cyber liability insurance policies extend coverage to “an unauthorised modification, disclosure, loss or theft of… [PI] in the care, custody or control of any insured or service provider… a violation of any privacy regulation; or the unauthorised or wrongful collection of [PI]”, and to a “security failure”, being “unauthorised… access to, or unauthorised use of… a company computer system… or… the loss of data arising from the physical theft or loss of hardware controlled by a company.” The words “or service provider” matter: without them, a breach that occurs at an outsourced provider holding the insured’s data may fall outside the policy.

Issue 2. Are the costs of a data breach response team covered, i.e., lawyers, forensic investigators, IT security experts and a PR firm? One policy we reviewed offered comprehensive coverage: “We will pay on behalf of the company all privacy breach costs incurred by the insured, in relation to the investigation, collation of information, preparation for and notification to comply with privacy regulations of any actual or suspected privacy breach”, and “Privacy breach costs mean the reasonable fees, costs, charges and expenses incurred by the company (whether voluntarily or otherwise) with our prior written consent… for the purposes of retaining an accountant, legal advisor, forensics firm and/or a Forensics Investigator, public relations consultant or other third party expert.” Note the words “with our prior written consent”: an incident response plan should build in notifying the insurer before engaging advisers, or those costs may not be recoverable. In addition to good levels of coverage for the activities involved in investigating and responding to a data breach, cyber liability insurers are often able to provide access to good advisers and harm mitigation services and advice.

Issue 3. Are regulatory investigations, fines and penalties covered? Often, yes: cover is available. A sample clause is as follows: “The Insurer will pay Loss (Defence Costs and Data Protection Fines) resulting from a Regulatory Investigation”, where data protection fines are “any lawfully insurable fines or penalties which are adjudicated by a Regulator, or ordered by a court for a breach of Data Protection Legislation”. The qualifier “lawfully insurable” does real work: in a number of jurisdictions, fines for certain regulatory breaches cannot be insured as a matter of public policy, so the clause will not always deliver what it appears to promise, and the position needs to be checked for each jurisdiction in which the company operates.

Issue 4. Regarding uncapped liability assumed in a contract, a service provider must be careful of overly broad privacy-related indemnities, as coverage may not be effective.

The risk here lies in a service provider taking on greater liability under contract than the relevant privacy regulations and laws would impose on it, since that excess will probably not be covered. For example, a service provider may have no exposure under the general law to claims from its client’s customers; a contractual assumption of liability for all of the consequences of misuse of data is then a liability that exists only because of the contract, and it may not be insurable by the service provider in these circumstances.

Takeaways

There is no substitute for a well-considered approach at the executive level to data asset management, security and privacy issues. Corporations want to unleash the power of data to advance their businesses, but it is vital to keep ahead of trends in the regulatory environment and to be aware of the changing expectations placed on corporations as custodians of personal information.

Work on a playbook for your contract negotiators, have a well-considered approach to the management of any liability for breach of data protection legislation and, finally, make sure your service providers have their own cyber liability insurance. Take a realistic and explicit view of which party is responsible for each aspect of data security and privacy compliance. It is difficult to overthink this: legislative obligations and the protection of brand reputation cannot be outsourced through contracting. Getting data protection and the use of data right is key to preserving relationships with the individuals affected by that use.

Adequate cyber liability insurance makes contracting in this space easier, and it should be re-evaluated annually, or whenever a company enters a new market or becomes aware of a major regulatory or risk-profile change affecting its business. New insurance offerings should be fully considered, and the differences in coverage between insurers, and each insurer’s commitment to a company’s sector, should be examined.


Mark Vincent is a principal at Shelston Lawyers. He can be contacted on +61 2 9777 2450 or by email: markvincent@shelstonip.com.

© Financier Worldwide
