On Technology Contracts

Privileged Cybersecurity Investigations – A Checklist for Contracting with Consultants

Your company may suffer a cybersecurity incident that warrants bringing in third-party forensics or other consultants to investigate and report on the cause or consequences of the cyber event or compromise. To seek to protect the third parties’ reports with the work product privilege (and, thus, to avoid having to disclose the reports in litigation) – and to try to side-step the unexpected failure to establish such protection that Capital One recently experienced (In re: Capital One Consumer Data Security Breach Litigation) – do (and don’t do) the following with respect to your contracts with these third parties:

Do have outside counsel be the entity contracting directly with the third party. Have outside counsel pay the third party’s fees, directly. Then, have outside counsel bill you for reimbursement of the fees paid.

Do contract under a specific statement of work or services description that is exclusive to the particular cyber incident.

Do state and expressly limit the purpose of the third party’s services and reports to anticipating litigation arising from the cyber incident. The purpose should not explicitly or implicitly include, for example, financial controls or reporting.

Do require that the third party’s report be in a form and of substance specific to the purpose of anticipating litigation. The report should not mirror what would be provided for reports for other purposes.

Do require the third party to issue formal and informal reports and updates only to the contracting outside counsel. Outside counsel, then, as necessary or appropriate, can distribute further the reports or updates, for example, to select internal stakeholders.

Don’t allow those who receive reports and updates from outside counsel to further distribute the reports or updates, whether internally or externally. Require recipients to explicitly agree to limited use and handling terms, before receiving reports or updates.

Don’t allocate the costs and fees for the third party’s services to any internal billing or cost center other than Legal’s. The costs and fees should be assigned to Legal’s budget. Categorize the costs and fees as “legal” costs and fees, not, for example, cybersecurity or business costs or fees.

And, in the contract with the third-party forensics firm or consultant, do include requirements that the third party conform to all of the applicable above do’s and don’t’s.

Importantly, these are only a few do’s and don’t’s that may help guide many companies to attempt to structure and implement contracts with third-party consultants so as to establish the work product privilege applicable to the third party’s reports. Each company, each cybersecurity incident, and applicable law can vary and be unique, so it is perhaps even more critical for the company to immediately involve inside (or outside) counsel to navigate these thorny issues.

Background – In re: Capital One Consumer Data Security Breach Litigation

The above do’s and don’t’s follow from the recent decision of the U.S. District Court for the Eastern District of Virginia in the above-referenced litigation. Capital One sought to avoid having to disclose the report issued by the cybersecurity forensics firm that it retained in wake of the March 2019 data security breach suffered by the financial company.

In affirming a magistrate judge’s order to compel Capital One to disclose the forensics report, the Virginia federal district court made several observations. Well before the breach (and not specific to the March breach), Capital One had retained the forensics firm under a general SOW, on a retainer basis, to provide a set number of service hours for any one of a broad range of incident response services that might be needed. After the security breach, although the bank’s outside counsel signed a letter agreement with the forensics firm for services with respect to the breach. The terms of the letter agreement provided for the same scope and kind of services, on the same terms and conditions, as the general SOW (except that the forensics firm would work at the direction of the outside counsel and provide the forensics report to the outside counsel).

For performing under the letter agreement, the consultant was first paid from the retainer already provided under the general SOW. Then, Capital One directly paid the balance of the consultant’s fees due under the letter agreement – with funds from Capital One’s internal general cybersecurity budget. Capital One (at least at first) internally identified the fees paid to the consultant as a “business critical” expense – not as a “legal” expense.

During the forensics firm’s investigation, it communicated directly with the bank’s external financial auditors, so that the auditor’s could assess whether the breach impacted the bank’s accounting controls. Many internal and external parties received a copy of the forensics report, but Capital One provided no explanation as to why these recipients received a copy of the report, as to whether the report was provided for business purposes, regulatory reasons, or specifically in anticipation of litigation, or as to any restrictions placed on the recipients’ use, reproduction, or further distribution of the report.

Both the magistrate judge and, on appeal, the district court judge who opined on the matter saw these above facts, among others, as support for finding that the forensic firm’s investigation report was not protected from disclosure by the work product privilege.

Eight Ways to Close Your Year-End Deals on Time

With less than four weeks until the end of the calendar year, many buyers and sellers of software, SaaS, cloud, cybersecurity, and other IT products and services have too many deals – and not enough time – to get everything done. Having been on both sides of year-end technology transactions, I’ve not yet seen a magic wand that provides the sales and procurement teams a stress-free year-end contracting experience.

That said, there are several different tactics to try to help technology buyers and sellers conclude year-end transactions that meet their needs and goals – despite the timing stress. The key is creativity. For example, requiring each party to set aside eight hours every day for team-to-team negotiations until the agreement is finalized – when each team has ten other deals they’re also trying to close by year-end – is impractical.

As you sprint toward the year-end finish line, consider whether one or more of the following contract approaches may help you to close a transaction that still reflects a good deal for your client or company:

Shorten the Term. If your year-end deal is troubling because your client’s or company’s obligations and responsibilities extend for three, five, or more years, shorten the duration of the contract and include optional renewals or extensions to get to the originally proposed longer term.

Extend Payments. If you are unsure whether the other party will perform its contractual obligations over the short-term, spread out the buyer’s payment obligations over a period of time. (The seller’s obligations to continue to provide technology products or services could be tied to the buyer’s extended payment obligations, as well.)

Termination Rights. To address uncertainty as to the other side’s near-term performance, build in to the agreement certain for-convenience termination rights that deal with unmet milestones or benchmarks that wouldn’t otherwise be material breaches of the agreement.

Aggressive Limitations of Liability. If you are not confident that your client or company will easily perform all of its obligations under the proposed year-end contract, aggressively limit your client’s or company’s liability under the agreement in the event of non-performance.

Current Scope Only. Some year-end deals try to accomplish too much – that is, they seek to include products or services that won’t be provided for many months or even years after signing. Limit the subject of the year-end deal to only those products and services that are immediately in scope, and temporarily postpone contracting for items that are to be provided separately, later.

Agree on Details Later. Some year-end transactions contemplate comprehensive professional services that are provided in stages, where the requirements of each later stage depend on the outputs from the earlier stages. Rather than trying to exhaustively detail each stage’s requirements and outputs all at once, expressly defer the details until later in the contract term – and build in to the contract appropriate mechanisms and outcomes if the details are not agreed.

Top Five Issues. Although rarely a favorite option of technology buyers or sellers, limiting one party or both parties to raising and negotiating only its top five contract issues will likely expedite the process of concluding the year-end deal.

Post-Signing Diligence. Allow one or both parties a short period of time after contract signing to perform deal diligence that they weren’t able to conclude before signing. If the diligence reveals material concerns with the signed agreement, permit the parties to renegotiate any impacted contract terms or to otherwise address the gaps.

Note: Several of the above tactics may be seen by technology sellers as untenable due to potential negative effects on their ability to recognize revenue for a particular deal. In some cases, however, whether in return for a larger or longer deal or otherwise, sellers may be willing to negotiate unique terms in order to close the year-end deal.

Good luck in your negotiations!

2019 Case Law Mash-Up: Can you assign exaggerated representations and warranties to a locked-in vendor?

Mash-up (noun): (slang) a creative combination of content or elements from different sources.

Several court cases in 2019 dealt with (or are still dealing with) key issues faced by parties to commercial contracts, including contracts for technology products and services. This post briefly discusses four of those cases and their corresponding issues of contract assignment, representations and warranties, and data security.

Can You Assign?

According to the court in Barrow-Shaver Resources v. Carrizo Oil & Gas (Tex. 2019), the answer to the question, “Can you assign?” is “No.” Bottom line: Make sure your contract clauses are clear and unambiguous, and don’t plan to rely on prior negotiations, drafts, or margin comments to explain away terms you don’t like.

The contract in question included an unambiguous non-assignment clause that read, “The rights provided to [Barrow-Shaver] under this Letter Agreement may not be assigned, subleased or otherwise transferred in whole or in part, without the express written consent of Carrizo.”

The court concluded that Carrizo was within its contractual rights to simply refuse to provide consent to Barrow-Shaver’s requested assignment – without more. Neither the contract language nor applicable law required Carrizo, in withholding consent, to exercise good faith, to be reasonable, to satisfy certain conditions, or to provide a reason for withholding consent.

The court rejected arguments that, notwithstanding the contract language: industry custom and usage should be applied to interpret when consent may be withheld; prior to contracting, Carrizo assured Barrow-Shaver that Carrizo would provide its consent; and, the parties’ prior negotiations and an early draft of the contract should be considered.

Exaggerated Representations and Warranties

Two 2019 cases highlight the sales and contracting processes for big-ticket IT services. In IBM v. Lufkin Industries (Tex. 2019) (“Lufkin”), Lufkin Industries contracted with IBM for the provision and implementation of a new software solution to run Lufkin Industries’ operations systems. In Hertz v. Accenture (S.D.N.Y., not yet decided) (“Hertz”), Hertz contracted with Accenture to build a transformed web site and mobile application. A key takeaway from both cases is that well-drafted contractual disclaimers and integration clauses, absent explicit contractual representations or warranties, can defeat warranty breach, inducement, and misrepresentation claims.

In Lufkin, IBM made several pre-contractual representations regarding the timing and ease of implementation of the new software solution. Some representations were made orally, others appeared in sales materials. The project implementation process ultimately failed. In Hertz, Accenture is alleged to have delivered versions of contracted work product that failed to meet contractual timing requirements, specifications, and warranties. Hertz terminated Accenture’s contract before the project was completed.

In 2019, Hertz filed a lawsuit against Accenture for breach of contract and unfair and deceptive practices. In its motion to dismiss, Accenture specifically called out the contract’s integration clause and conspicuous warranty disclaimer provision. In Lufkin, IBM prevailed against Lufkin Industries’ claims for inducement and misrepresentation. The contract included clearly drafted language disclaiming IBM representations, disclaiming Lufkin Industries’ reliance on IBM representations, and establishing the contract as the entire agreement between the parties.

Contracting for large IT projects can be challenging. The projects are often complex and time-consuming and frequently involve developing or evolving parameters and requirements. Almost certainly, notable time is spent drafting contractual representations, warranties, disclaimers, and integration clauses. But, to address potential issues, also duly consider project scoping provisions and acceptance terms (including whether the RFP (if one) will be part of the contract). If possible, stay connected with your sales or procurement team throughout the sales process to ensure alignment and relevant project-specific contract terms.

Locked-In Vendor

Tightly drafted contracts are a valuable asset – but they are not the exclusive source of risk mitigation and avoidance. If you can, do more.

A class-action lawsuit was brought against Delta Air Lines following a data security breach affecting 800,000 Delta customers. See McGarry v. Delta Air Lines (C.D.Cal. 2019). The breach involved a hack of Delta’s service provider, 24[7] (a Philippines company). Delta subsequently sued 24[7] for damages arising from the breach.

The security terms in Delta-24[7] were robust and comprehensive. In addition, 24[7] represented that it had achieved five different industry-recognized privacy/security certifications. Although the contract terms and representations ultimately may be sufficient to award Delta damages, the contract doesn’t assure Delta’s full recovery. What other help is there?

For customers, even if it’s not required, pre-contract service provider diligence can be quite informative; for vendors, ensure that you can do what you contractually sign up for. When contracting with foreign companies, consider parent guarantees or other contractual mitigations. And, for customers and vendors, closely review your own insurance policies to evaluate coverage in the event of a security incident; also for customers, consider reviewing the service provider’s policies if you have coverage concerns.

Why Blockchain Matters to In-House Lawyers

Today, news reports, academic articles, and corporate reports are flush with mentions of “blockchain,” “Bitcoin,” and “distributed ledger technology.” At first glance, many readers see the discussion as hype, generating a great deal of actionless attention, curiosity, and investment opportunities. However, on another level, some of the conversation regards developments in technology that may specifically shape or impact a company’s contract or legal risk profile – even for those companies that don’t have or deal in Bitcoin.

Blockchain technology is expected to have a broad and sweeping impact across industries worldwide, with one commentator identifying a financial impact of over $176 billion in the next several years. It is envisioned that countless companies (whether suspecting or unsuspecting) will deploy or utilize the technology in their businesses. This may happen in the form of an internally developed or deployed technology or system, through dealings with governments or government agencies, or by way of transactions with technology vendors or service providers, among others.

At a very high and general level, blockchain is a recently developed distributed ledger (or database) technology that facilitates secure records of transactions over time by electronically distributing and maintaining tens, hundreds, or thousands of identical, immutable, highly secure digital copies of the transaction record. Each of these copies is distributed to and held by a different computer node or site participating in the ledger. Blockchain is one kind of distributed ledger technology, and there are many different platforms for blockchain. Bitcoin is a form of cryptocurrency whose foundation is based on one of the blockchain platforms. (Numerous detailed explanations of blockchain and distributed ledger technology are available online, including the video, Ever wonder how Bitcoin (and other cryptocurrencies) actually work?, and a UK Government report on distributed ledger technology.)

Many sets of records that are maintained in an Excel spreadsheet, a company or vendor database, or government files, whether or not currently stored or maintained in the cloud, may be suitable for blockchain. A few examples include real estate purchase and sale transactions, shipping records, banking and financial transactions, inventory management, consumer auto-pay and auto-withdrawal transactions, product manufacturing, and customer subscription transactions.

Attorneys and contract professionals supporting companies’ encounters with blockchain technology should consider the following, among others:

Open Source Software. Currently, numerous distributed ledger technologies (including blockchain) are built using open source software. The Bitcoin program is distributed under the MIT License, aspects of Ethereum (another blockchain-based cryptocurrency) use the GNU General Public License, and OpenChain (another distributed ledger technology) is based on the Apache 2.0 license. Open source software licenses include many unique terms (and omit many standard commercial software licensing terms), and may, for example, dictate subsequent use and distribution of the software, as well as of company proprietary code related to the open source software.

New Software. Because distributed ledger technology like blockchain is new, in many cases the software underpinning the technology is not as well-tested and presents a notable possibility of serious errors and glitches. Consequently, traditional contractual recourses and remedies for software errors and bugs may not be wholly meaningful, when applied to blockchain, and typical software project deployment schedules and timelines may be difficult to adhere to.

Privacy. While one of the potential benefits of blockchain is stronger data security safeguards against loss, destruction, and unauthorized alteration of data and records, the nature of a distributed ledger is that the tens, hundreds, or thousands of ledger participants will have exact duplicates of the digital data and records. Even if the parties to a particular transaction do not consider the transaction record in the ledger to be confidential, it is possible that the underlying record data (especially if health, medical, or financial data) may be a material concern.

Technology Contracting. Blockchain is a technology, with its own open (as noted above) or proprietary platforms, software, and systems. Contracts for, or to use, blockchain technology, just as other company contracts for technology, are key vehicles to establish critical rights and obligations regarding representations and warranties, indemnities, limitations of liability, and intellectual property.

Bitcoin. Many companies will not typically have or deal in Bitcoin or other cryptocurrencies. The legal and regulatory landscape applicable to cryptocurrency is nascent and exceptionally dynamic and varies across U.S. and non-U.S. jurisdictions (and is beyond the scope of this post). Even for companies that merely or only occasionally transact business in cryptocurrency (and don’t issue, exchange, or administer cryptocurrency), potential issues can include how cryptocurrencies are treated and taxed (different legal authorities consider them to be “currencies,” “commodities,” or “property”), whether corporate insurance provides coverage or protection for cryptocurrency transactions, and whether the use of cryptocurrency is even legal.

Blockchain is an algorithm-intensive, complex technology that may provide great benefits, efficiencies, and cost savings to its users. While this post does not speak to many of its features, including smart contracts, permissioned versus unpermissioned ledgers, and cryptocurrency mining, hopefully it provides a “bit” of useful information.

Your Emoji Use Just Formed a Contract

Or, did it?

As confirmed in a very recent Wall Street Journal article, the legal impacts and effects of using emojis and emoticons in business and workplace communications and dealings are growing. For attorneys, contract professionals, and business executives and teams discussing, negotiating, and communicating about technology, business, deals, and transactions, the use of emojis (pictographs) and emoticons (punctuation marks, letters, and numbers) should be a concern.

Depending on the circumstances, using an emoji or emoticon to respond to another party’s email or message may have the same effect as if precisely crafted words had been used. Unless the author of the email or message is careful, casually sending a 👍, :-), 👌, or ☺ in response to an email putting forth a proposal or offer to do business may be the same as stating, “I agree to your terms.” At a minimum, replying to a message with an emoji may convey contractual intent. Bottom line, before using emojis or emoticons in emails and other communications, it is critical to consider how they may be received or interpreted.

The use of emojis clearly is on the rise. In its November 2016 report, Emogi reported that 2.3 trillion messages incorporating an emoji would be sent in 2016 – and the report did not include the use of emojis in emails. In addition, the Unicode Consortium recently announced that 157 new emojis have been added in 2018, bringing the total number of standard emojis to 2,823. As more of the business world adopts technology to communicate, it becomes more important for business leaders, procurement and purchasing professionals, and others to be mindful of their use of emojis and emoticons in emails, texts, and other message formats. To those businesses and companies that have “careful communications” policies, has your policy been updated to address the use of emojis?

Aside from general contract concerns, the use of emojis has and will increasingly impact parties’ legal rights and obligations. This includes in the areas of labor and employment, promissory estoppel, jury instructions, and criminal cases. According to research by Santa Clara University law professor Eric Goldman, for the set of reported cases that he was able to identify as mentioning “emoji” or “emoticon” over the 2004-2016 period, over 30% of the cases were from 2016, and nearly 50 were from 2015 and 2016.

And, if you needed another reason to be overly cautious when using emojis and emoticons in correspondence and communications, be aware that the true meaning attributed to any particular emoji may be vague, at best, or non-existent, at worst. Moreover, the form and appearance of the emoji you send may not be the same as the form and appearance seen by the recipient. In addition, different cultures, generations, and geographic regions interpret emojis differently. (The most confusing emoji? It’s 🤗.)

The reality is that emojis are easy to use and can be fun and communicative. They are, and will continue to be, used in emails, texts, and communications between and among business parties, their advisors, and others. Just be sure to 👀 before you 🏃.

RETURN TO SENDER: Aetna to Pay $17M to Settle Claims Related to Vendor Mailer Data Breach

Aetna has agreed to pay $17.2 million and to implement a “best practices” policy regarding sensitive policyholder data, in order to settle class action litigation brought against it arising from a mass mailing sent by one of its mailing vendors. As discussed in a blog post last year, federal class action litigation was brought against Aetna and its mailing vendor in 2017 based on the vendor’s use of glassine envelopes to communicate HIV medication information to Aetna insureds. The envelopes revealed that the named addressee was contacted about options for filling HIV medication prescriptions. The litigation alleged violations by Aetna and its vendor of several laws and legal duties related to security and privacy.

The contract lessons for customers and vendors that arise from the events in question, which were identified in the earlier post, remain the same. Do your contracts for non-IT and non-healthcare services fully consider the risk of privacy and security litigation? Do your contract’s indemnification and limitation of liability clauses contemplate the possibility of class action litigation? Before entering into a contract, have you considered whether the specific vendor services being provided to the particular customer in question implicate laws you hadn’t considered? And, Have you considered which specific aspects of vendor services may directly impact potential legal liability, and have you adequately identified and addressed them in the contract?

Importantly, the newly announced settlement, itself, provides three bonus lessons.

Published data breach cost statistics are helpful, to a point.

In its 2017 Cost of Data Breach Study, Ponemon Institute reports that the average per capita cost of data breach in the U.S. for the period of the study was $225. It also reports that, for the same period, the average total organizational cost in the U.S. for a data breach was $7.35 million. Somewhat remarkable, as part of its settlement Aetna agreed to pay $17.2 million in connection with the breach in question – a figure that is about $10 million over the average reported by Ponemon Institute. But, Aetna’s payment is not out of the ballpark, as averages are averages, after all. Much more remarkable, however, is the per capita settlement amount. Aetna’s settlement figure represents a per capita amount of $1,272 – that number is more than five times the reported average. (For reference, that per capita cost would put Equifax’s settlement number for its recent breach at $185 billion dollars.) Bottom line, when considering or counseling clients as to the financial impacts of data breaches, the average cost figures for data breaches are as important as the qualification of the figures, themselves, as only averages (with any number of data security breaches costing more, or less, than the averages).

Data breach cost statistics often do not compare well with litigation settlement amounts.

Yes, Aetna agreed to pay $17.2 million as part of the settlement, as compared to Ponemon Institute’s reported $7.35 million average U.S. data breach cost. While the $7.35 million figure includes forensics costs, customer churn, post data breach costs, and other direct and indirect expenses, the $17.2 million figure is not as comprehensive. It does not include, for example, Aetna’s legal fees incurred to defend and settle the class action litigation, nor does it include other pre-settlement costs and expenses incurred by Aetna. As efficient or helpful as it may be to compare published per capita or per breach data statistics with litigation settlement amounts, it’s also important to identify the full scope of costs and expenses that the published statistics include, as well as what costs and expenses are not included in the settlement amounts.

Data breach cost statistics and litigation settlement amounts don’t include non-monetary settlement obligations.

Cost-per-record, cost-per-breach, and litigation settlement figures can be particularly meaningful and relatable, especially when considering or counseling clients as to the potential financial impacts of data security breaches. Notably, however, the material obligations of defendants settling data breach litigation matters typically are not limited to monetary payments. Aetna, for example, as part of its settlement, also agreed to develop and implement a “best practices” policy for use of certain personally identifiable information, to provide policy updates for five years, to provide policy training for certain Aetna personnel for five years, and to require outside litigation counsel to sign business associate agreements, among other commitments. These activities will require Aetna to incur additional costs and expenses, including costs and expenses for internal and, possibly, external resources in connection with the performance of these activities.

Supplementing the earlier post on this Aetna class action litigation and lessons learned, the recent Aetna settlement and the new lessons cited above provide an even fuller picture of data and security breach and related contract considerations. Not only is it invaluable to consider data privacy and security issues in contracts and the roles of vendors and service providers, it also is important to consider and counsel clients as to the full potential impacts of data breaches, including potential litigation settlement amounts, costs and expenses in addition to settlement amounts, and non-monetary settlement-related obligations.

Lessons Learned: Vendor Sued in Class Action Suit for Security Misses

You’re thinking that something about the title of this post sounds familiar, right? Information technology (IT) vendors and third party service providers have been in the spotlight for security breaches for some time (see, for example, vendor-based security lapses affecting Target, CVS, and Concentra, as just a few), and it doesn’t sound surprising that an IT vendor has been sued related to a security incident. After all, whether you’re an IT vendor or an IT customer, if you draft or negotiate contracts for a living, these situations are what you try to contract for, right?

Right…but…the recent federal class action suit filed in Pennsylvania against Aetna and its vendor surfaces several new privacy and security considerations for vendors and their customers. The vendor in question was not an IT vendor or service provider. Instead, the plaintiff’s allegations relate to Aetna’s use of a mailing vendor to send notification letters to Aetna insureds about ordering HIV medications by mail. According to the complaint, the vendor used envelopes with large transparent glassine windows – windows that did not hide the first several lines of the enclosed notification letters. The plaintiff asserts that anyone looking at any of the sealed envelopes could see the addressee’s name and mailing address – and that the addressee was being notified of options for filling HIV medications. As a result, the vendor and Aetna are alleged to have violated numerous laws and legal duties related to security and privacy.

For all vendors and service providers, but especially those that don’t focus primarily on privacy and security issues, the Aetna complaint is enlightening. To these vendors and service providers, and to their customers: Do your customer-vendor contracts and contract negotiations contemplate what Aetna and its mailing vendor may not have?

Do your contracts for non-IT and non-healthcare services fully consider the risk of privacy and security litigation? A noteworthy facet of the Aetna case is that the mailing vendor was sued for privacy and security violations that were not exclusively due to the customer’s acts or omissions. That is, while the contents of the mailer certainly were key, the vendor’s own conduct as a mailing services provider (not an IT or healthcare provider) was instrumental in the suit being filed against the vendor (and Aetna). Vendor services that previously didn’t, or ordinarily don’t, warrant privacy or security scrutiny, may, after all, need to be looked at in a new light.

Do your contract’s indemnification and limitation of liability clauses contemplate the possibility of class action litigation? Class action litigation creates a path for plaintiffs to bring litigation for claims that otherwise could not and would not be brought. Class action litigation against data custodians and owners for security breaches is the norm, and the possibility and expense of class action litigation is frequently on the minds of their attorneys and contract managers who negotiate contracts with privacy and security implications. But, for vendors and service providers providing arguably non-IT services to these customers – the idea of being subject to class action litigation is often not top-of-mind.

Before entering into a contract, have you considered whether the specific vendor services being provided to the particular customer in question implicate laws you hadn’t considered? Vendors that operate in the information technology space – and their customers – generally are well-aware of the myriad of privacy and security laws and issues that may impact the vendors’ business, including, as a very limited illustration, the EU General Data Protection Regulation, HIPAA, New York Cybersecurity Requirements, Vendors that aren’t “IT” vendors (and their customers), on the other hand, may not be. For example, the Aetna mailing vendor may not have contemplated that, as alleged by the Aetna plaintiff, the vendor’s provision of its services to Aetna would be subject to the state’s Confidentiality of HIV-Related Information Act and Unfair Trade Practices and Consumer Protection Law.

Have you considered which specific aspects of vendor services may directly impact potential legal liability, and have you adequately identified and addressed them in the contract? No, this is not a novel concept, but it nonetheless bears mention. A key fact to be discovered in the Aetna litigation is whether it was Aetna, or the vendor, that made the decision to use the large-window envelopes that, in effect, allegedly disclosed the sensitive and personally identifiable information. Given the current break-neck pace at which many Legal and Contract professionals must draft and negotiate contracts, however, unequivocally stating in a contract the details and descriptions of every single aspect of the services to be provided is often impractical (if not impossible). But, some contract details are still important.

Whether or not this class action suit is an outlier or is dismissed at some point, consider data security and other privacy and security issues in contracts and how vendor or service provider conduct may give rise to a security breach or security incident.

What Does Ransomware Cost Companies?

In its 10-Q filing for the quarter ended September 30, 2017, Merck & Co., Inc. stated the following:

On June 27, 2017, the Company experienced a network cyber-attack that led to a disruption of its worldwide operations, including manufacturing, research and sales operations. … [T]he Company was unable to fulfill orders for certain other products in certain markets, which had an unfavorable effect on sales for the third quarter and first nine months of 2017 of approximately $135 million. … In addition, the Company recorded manufacturing-related expenses, … as well as expenses related to remediation efforts … , which aggregated $175 million for the third quarter and first nine months of 2017.

Worth noting, this $310 million amount likely does not include all legal fees, forensic costs, and all other costs, expenses, and losses related to the cyber-attack. Nor does it appear to include other costs, expenses, and losses that may be indirectly revealed elsewhere in Merck’s business or operations. The attack in question is the NotPetya ransomware attack, which impacted countless companies worldwide on June 27 of this year.

Lost Business Resulting from Ransomware

Merck’s announcement is remarkable for several reasons, especially for those who negotiate technology contracts and agreements with data privacy and security implications. First, it’s noteworthy in its relatively clear quantification of lost business resulting from the ransomware attack. That is, often it is difficult to quantify lost business, lost sales, and consequential damages when negotiating liability provisions related to data security and information security in technology agreements and other commercial contracts. This is not to say that Merck’s recitation of these amounts is a new rule-of-thumb or benchmark, but it may start a conversation.

Quantifiable Losses

Second, the loss numbers reported by Merck are not small ones. It is common to discount publicly announced forecasts of ransomware impacts that are viewed as extreme – $75 billion per year, according to one recently cited resource. But the concreteness of Merck’s number and the specificity of the ransomware attack merits attention.

Ransomware is Fact-Specific

Third, the Merck announcement implicitly underscores the criticality of the precise facts surrounding the NotPetya ransomware attack and the unique business and situation of Merck. Not all ransomware or malware attacks can cause the same sort or amount of losses reported by Merck, nor does the same ransomware or other malware give rise to the same quality or quantity of losses for every corporate victim. When negotiating data privacy and data security provisions in commercial technology contracts and similar agreements, it is important for all sides to consider the specific circumstances and risks related to the transaction and parties in question.

Ransomware Impacts Are Not Necessarily Per-Record

And, fourth, the Merck report sheds light on the financial repercussions of ransomware, as opposed to other malware and hacking activities. That is, there are a number of industry and other reports and surveys that speak to the financial and other impacts of data breaches and security breaches on a per-record basis (for example, cost per record, records per breach, etc.). The 2017 Ponemon Institute Cost of a Data Breach Study, Verizon’s 2017 Data Breach Investigations Report, and Gemalto’s Breach Level Index Findings for the First Half of 2017 are just a few. However, in many cases the particular per-record numbers reported do not provide a clear picture of the financial effects of ransomware, which often is not the kind or scope of cyber-attack that can be assessed on a per-record basis.

Merck’s 10-Q for the third quarter of 2017 is definitely not a quick-fix answer to the question of how much a ransomware attack would or could financially impact a company. However, for attorneys, contract professionals, and others who draft and negotiate technology agreements and contracts and, specifically, information and data security and privacy provisions, the Merck quarterly report is potentially meaningful.

How to Negotiate Your IT/Tech NDA Faster (or, Living with a Suboptimal NDA)

Recently I found myself watching a past episode of HBO’s award-winning tech comedy series, Silicon Valley. If you’ve never watched it, it’s about a Silicon Valley tech start-up and its struggles, successes, and missteps. Although at times the show can be a bit gratuitous, part of its interest derives from the proximity – at least on some conceptual level – of many of its plot lines to reality.

Because I routinely help clients with non-disclosure agreements (NDAs) and related issues, I cringed watching the “Runaway Devaluation” episode from the second season. In this episode, the start-up (a data compression company called Pied Piper) is invited to an initial meeting with a potential funding source (Branscomb Ventures), which has already invested in a competing compression company, Endframe. Shortly after the meeting begins, the Pied Piper team begins sharing critical details of how its data compression technology is built and works. Later, realizing that Branscomb’s intention for the meeting was only to gather these details for the improvement of Endframe’s products, Pied Piper storms out of the meeting.

While it appears there was no NDA between Pied Piper and Branscomb Ventures covering the meeting’s discussions, in reality it is routine for parties to potential IT and technology transactions to put an NDA in place. Vendors, customers, and others in the IT/technology industry generally understand the need to protect their trade secrets and other valuable information when sharing them to evaluate potential relationships with vendors who provide software, hosting, outsourcing, professional technology services, and data breach investigation and remediation services. Among typical participating parties, the need to put in place an NDA is rarely disputed, and many NDA terms and conditions are quite common.

That said, NDA negotiations can nonetheless become time-consuming or contentious. Whether based on a party’s bad experience in a previous situation, defensive or offensive tendencies, or need to avoid deviations from company policies, otherwise common NDA terms can lead to uncommonly protracted negotiations. For a vendor looking to sell to a new customer, lengthy or difficult NDA negotiations can cause the potential customer to view the vendor as being difficult to deal with, or, worse, to drop the vendor from consideration entirely. For a customer wanting to urgently find a vendor to provide services to address a data breach, time to negotiate an NDA is not a luxury.

Even with NDAs, though, there are ways to speed up the negotiations – which, additionally or alternatively, can also provide mitigations to living with a less-than-desirable NDA. The following steps are a few that may allow an NDA party to get comfortable with otherwise problematic NDA terms in a specific case. (Importantly, these measures should not be implemented if contrary to a contractual obligation or law, nor should they replace sound judgment and risk management.)

For a disclosing party that:

(1) After discussions start, is concerned that the receiving party may not handle or treat its confidential information in way that is satisfactory (or that the NDA’s confidentiality terms are not optimal), the disclosing party can do as Pied Piper did and cease providing any more information. (Though, this may stifle productive business discussions, and the party should attempt to put a retroactive NDA in place.)

(2) Believes that the confidentiality terms are not ideal or has concerns about the receiving party’s handling or treatment of its confidential information, the disclosing party can proactively intentionally limit disclosure to only its least sensitive information. (This step, too, may hamper meaningful discussions between the parties.)

(3) Is concerned that the duration of the NDA may cover discussions too far in the future to be appropriately covered under the NDA, the disclosing party can terminate the NDA after the then-presently contemplated discussions.

(4) Has concerns about the information protections provided by the NDA or the receiving party, the disclosing party can conspicuously mark all information disclosed as “CONFIDENTIAL” – that is, even if the NDA doesn’t require it. And, after disclosing confidential information orally, the disclosing party can follow each such disclosure with a written notice expressly identifying the orally disclosed information as “CONFIDENTIAL.”)

For a receiving party that:

(1) Has concerns about its ability to fully adhere to the NDA’s limitations on use and disclosure of the disclosing party’s information, the receiving party can actively limit the number of its personnel who see or have access to the information.

(2) Is concerned about its risk of non-compliance with the NDA’s confidentiality terms, the receiving party can consciously limit the number of copies it makes of the disclosing party’s information (including copies in the form of email attachments). (This assumes copying is permitted.)

(3) Has concerns that it may struggle to meet the NDA’s limitations on disclosure and use of the disclosing party’s information, the receiving party can immediately destroy (or return) the information once it is no longer needed.

As for Pied Piper, it turns out that Endframe did indeed improve its products using Pied Piper’s technology. However, whether due to the lack of an NDA – or, more likely, the constraints of a ten-episode television season for Silicon Valley – Pied Piper was forced to take other, non-legal actions to advance its interests.