Digital2Law guest post: 10 ways to limit your liability in case of a security breach (part II)

Threats and data breaches are frequent these days. Companies face a great deal of uncertainty and want to learn how to handle these events better, faster and smarter. Digital2Law has prepared a list of 10 ways for companies to protect themselves when facing a potential breach, in relation to their end users or commercial partners. The first five were shared in an earlier article; the rest are below.

6. Establish clear time limits for liability to arise

Depending on the type of relationship between the parties to an agreement, the interval during which liability can be claimed may differ. In a typical beneficiary – service provider type of relationship, liability is usually limited to the duration of the agreement between the parties, with an additional period after the agreement is terminated in case of works or services that are subject to warranty periods (either as provided by the law or agreed contractually between the parties). If the service being provided under the agreement is the implementation of a technical (hardware or software) infrastructure, the liability could also be extended to any period during which the provider offers maintenance and/or support services to the beneficiary, which directly relate to the proper functioning of the delivered infrastructure. In any case, limitation of liability should be construed not only from the point of view of the object it refers to, but also in respect of the time during which it can be claimed.

7. Have a standard security procedure that applies to most of your customers / commercial partners

If the services or products you provide to end users or customers are broadly similar from one customer to the next, it may be a good idea to draft a structured set of principles that applies to every agreement signed with other parties. Some of the aspects that should be included are: information about the security standards and procedures used to store information securely; a list of the people in your company who have access to the client's or user's information in connection with the execution of the agreement; and a detailed set of steps that will be taken in case of a security breach, including (if needed) any input required from the client or user to limit the potential negative effects of the breach. This will allow you to achieve a minimum response time, since your internal security team will know how to approach each issue by following at least the same general standard steps.

8. Report breaches to the client and/or the authorities

You must consider informing the other party to an agreement if a security breach connected to the agreement has occurred. Some jurisdictions may also legally require an entity that is aware of a security breach affecting its service to inform its clients or users; in this case, the relevant pieces of legislation also specify what information the other party should be made aware of (such as: the estimated date of the breach; a summary of the incident; the information relating to the receiving party that may have been affected by the breach; the steps that have been taken to contain the breach; and the actions recommended to the receiving party in order to further secure their information). Apart from these contractual or legal obligations, in some cases you may also need to notify the authorities responsible for personal data processing or other information technology matters, especially if your activity is connected to national security objectives or relates to the functioning of industry standards.

9. Limit the possibility of contract termination

Some clients might push for contract termination in cases where security breaches could affect their own services or their contractual relationships with end users. If this is the case, make a case for how economically inefficient it would be for them to replace your company with another service provider mid-way, and offer additional assurances about the steps you will take in case of a security breach. It is also common practice in some industries to provide different levels of customer support, including in cases of security breaches, with some clients being serviced with priority depending on the revenue they generate for the company. In any case, you should always attempt to avoid allowing contract termination, as this would affect your cash flow in the short term and your market image in the medium to long term.

10. Be pro-active about your liability in case of security breaches

It is easier to fend off a problem than to do patchwork once it arises, and security breaches are no different. Some proactive measures that you can take to limit your liability include: regularly updating any security breach procedures and policies you have in place to reflect any changes you have made to your services; training your employees and collaborators regularly on both the technical and the legal standards that should be followed in case of a security breach; taking out a cybersecurity liability insurance policy; and designing products and services with security built in from the outset, which will limit the potential for a security breach to arise.

Digital2Law is the go-to flexible and affordable legal partner for entrepreneurs, startups and companies building tech products and proprietary technology, and a network of experts and know-how adapted to the current and future state of the workplace.
