Out of Sight, Out of Mind: What You Need to Know about Preventing and
Arbitrating Business-to-Business (“B2B”) Data Breaches
March 9, 2017 – 1:00 pm to 2:30 pm ET
PROGRAM SUMMARY
Speakers: P. Jean Baker, Joseph DeMarco, Sandra Jeskie, and Sherman Kahn
Data breaches are now a fact of life. Almost everyone is familiar with breaches that occur when someone gains unauthorized access to consumer data held by a business – the “business-to-consumer” or “B2C” breach. Far less publicized are the “business-to-business” (“B2B”) breaches. These breaches often occur quietly and don’t often appear on the front page of the newspaper, but they are no less important and can have disastrous effects on business. This webinar will provide an analysis of the two kinds of breaches and answer questions that should be of foremost consideration.
AGENDA
1:00 p.m. Welcome and Introduction of Speakers (5 minutes)
1:05 p.m. Data Breaches – B2C and B2B (75 minutes)
• What are the relevant differences between the two types of breaches?
• Why do B2B breaches often raise the same problems as B2C breaches? (Answer: employees!)
• What are some of the domestic and international legal regulations applicable to both types of breaches?
• How can/should business parties reduce/allocate the risk of a computer-based breach when they enter into a contractual relationship?
• Why should parties prefer arbitration over litigation of disputes arising from B2B breaches?
• How can AAA’s online tool (Clause Builder) assist with drafting an effective/efficient arbitration provision?
• What security considerations should lawyers and arbitrators keep in mind during arbitration or litigation of data/cybersecurity disputes?
2:20 p.m. Conclusion and Questions (10 minutes)
2:30 p.m. Evaluation (5 minutes)
2:35 p.m. Adjourn
Copyright 2017 American Arbitration Association
P. Jean Baker, Esq.
District Vice President American Arbitration Association
1776 Eye Street N.W. Suite 850
Washington, DC 20006
Ms. Baker provides daily oversight of AAA’s Commercial Division activities in NJ, PA, DE, MD, VA and Washington, DC. Ms. Baker routinely conducts presentations for public and private sector audiences, both domestic and international, on a variety of ADR-related topics, assists large and small businesses with the design and implementation of commercial ADR programs, and serves as a mediator and trainer for AAA on special projects. In addition to authoring numerous articles, Ms. Baker is Co-Editor of the ABA Section of Litigation’s ADR Committee Newsletter, Conflict Management. Ms. Baker has taught ADR courses as an adjunct law professor at Georgetown University and Catholic University. Her inclusion since 1996 as an ADR professional in Who’s Who in American Law serves to highlight Ms. Baker’s contributions to the practice and theory of Alternative Dispute Resolution. Ms. Baker received her Juris Doctor degree from California Western School of Law, a Master of Business Administration from Northeastern University and her Bachelor of Science degree (summa cum laude) from Wright State University. In addition to her legal background, Ms. Baker held a variety of management positions at the following major corporations: General Electric, Racal Dana, and Fluke Manufacturing. She was included in the Silver anniversary edition of Who’s Who in American Women and the Diamond anniversary edition of Who’s Who in America. (June 2011)
Joseph V. DeMarco is a partner at DeVore & DeMarco LLP where he specializes in counseling clients on complex issues involving information privacy and security, theft of intellectual property, computer intrusions, on-line fraud, and the lawful use of new technology. His years of experience in private practice and in government handling the most difficult cybercrime investigations handled by the United States Attorney’s Office have made him one of the nation’s leading experts on Internet crime and the law relating to emerging technologies.
From 1997 to 2007, Mr. DeMarco served as an Assistant United States Attorney for the Southern District of New York, where he founded and headed the Computer Hacking and Intellectual Property (CHIPs) Program, a group of five prosecutors dedicated to investigating and prosecuting violations of federal cybercrime laws and intellectual property offenses. Under his leadership, CHIPs prosecutions grew from a trickle in 1997 to a top priority of the United States Attorney’s Office, encompassing all forms of criminal activity affecting e-commerce and critical infrastructures including computer hacking crimes; transmission of Internet worms and viruses; electronic theft of trade secrets; illegal use of “spyware”; web-based frauds; unlawful Internet gambling; and criminal copyright and trademark infringement offenses. As a recognized expert in the field, Mr. DeMarco was frequently asked to counsel prosecutors and law enforcement agents regarding novel investigative and surveillance techniques and methodologies, and regularly provided advice to the United States Attorney concerning the Office’s most sensitive computer-related investigations. In 2001, Mr. DeMarco also served as a visiting Trial Attorney at the Department of Justice Computer Crimes and Intellectual Property Section in Washington, D.C., where he focused on Internet privacy, gaming, and theft of intellectual property.
Since 2002, Mr. DeMarco has served as an Adjunct Professor at Columbia Law School, where he teaches the upper-class Internet and Computer Crimes seminar. He has spoken throughout the world on cybercrime, e-commerce, and IP enforcement. He has lectured on the subject of cybercrime at Harvard Law School, the Practicing Law Institute, the National Advocacy Center, and at the FBI Academy in Quantico, Virginia, and has served as an instructor on cybercrime to judges attending the New York State Judicial Institute.
Prior to joining the United States Attorney’s Office, Mr. DeMarco was a litigation associate at Cravath, Swaine & Moore in New York City, where he concentrated on intellectual property, antitrust, and securities law issues for various high-technology clients. Prior to that, Mr. DeMarco served as law clerk to the Honorable J. Daniel Mahoney, United States Circuit Judge for the Second Circuit Court of Appeals.
Mr. DeMarco holds a J.D. magna cum laude from New York University School of Law. At NYU he was a member of the NYU Law Review. He received his B.S.F.S. summa cum laude from the Edmund A. Walsh School of Foreign Service at Georgetown University. Mr. DeMarco is active in numerous professional associations including the:
• International Bar Association (Technology and Litigation Sections);
• American Bar Association, Criminal Justice Committee (Co-Chair, Cybercrime Committee, 2010-2011);
• New York State Bar Association, Commercial and Federal Litigation Section (Co-chair, Internet and IP Committee, 2009-present); and
• New York City Bar Association (Member, Copyright Committee; Past Member, Information Technology Committee).
Mr. DeMarco is a Martindale-Hubbell AV-rated lawyer for Computers and Software, Litigation and Internet Law, and is also listed in Chambers USA: America’s Leading Lawyers for Business guide as a leading lawyer nationwide in Privacy and Data Security. He has also been named as a “SuperLawyer” for his expertise and work in the area of Intellectual Property Litigation. He has published numerous articles and appeared on major news programs in his practice areas; is a member of the Professional Editorial Board of the prestigious Computer Law and Security Review (Elsevier); and serves on the Board of Advisors of the Center for Law and Information Policy at Fordham University School of Law.
Mr. DeMarco has received numerous professional awards, including the U.S. Department of Justice Director’s Award for Superior Performance, as well as the Lawyer of Integrity Award from the Institute for Jewish Humanities. In his spare time he enjoys parenting, golf, and listening to classical piano.
Sandra A. Jeskie, Esq., Neutral ID: 159311
The AAA provides arbitrators to parties on cases administered by the AAA under its various Rules, which delegate authority to the AAA on various issues, including arbitrator appointment and challenges, general oversight, and billing. Arbitrations that proceed without AAA administration are not considered "AAA arbitrations," even if the parties were to select an arbitrator who is on the AAA's Roster.
Sandra A. Jeskie, Esq., Duane Morris LLP
Current Employer-Title: Duane Morris LLP - Partner
Profession: Attorney, Arbitrator
Work History: Partner, Duane Morris LLP, 2005-present; Litigation Associate, Duane Morris LLP, 1997-2005; Senior Computer Scientist, Computer Sciences Corporation, 1981-05; Computer Programmer, Sperry Univac, 1980-81.
Experience: Litigation and trial attorney experienced in representing clients (plaintiffs and defendants) in all aspects of trial, arbitration and mediation and experienced in serving as a court-appointed special master. Cases handled have included complex commercial litigation, contract and licensing disputes, intellectual property litigation (including patent infringement, trade secret, copyright, trademark, trade dress), software litigation, business tort, antitrust, class actions, real estate, lender claims, products liability, estate claims, defamation, privacy, security and employment. Matters entailed gaining some familiarity with many different businesses and industries, including software, technology, internet, pharmaceutical, precious metals, hotel/hospitality, telecommunications, real estate, electronics, retail, consumer products, mass transit security, restaurants, banking, plastics, and healthcare. 50% of practice devoted to a broad range of intellectual property matters and 50% devoted to commercial disputes.
Taught at dozens of professional education conferences in numerous cities in the United States and around the world and is quoted in numerous publications. Co-author of chapter in the acclaimed treatise, Business and Commercial Litigation in Federal Courts, as well as other books and articles. Recognized by name in BTI Consulting Group's annual polling of in-house counsel in a client satisfaction survey as one of only 57 litigators for "delivering the absolute best client service". Chair of Duane Morris' Information Technology and Telecom practice group and co-Chair of the firm's e-discovery committee.
Alternative Dispute Resolution Experience
Special Master Experience
- IpVenture Inc. v. Sony Electronics Inc., et al. (D. Del.) - court-appointed special master to address discovery disputes in patent infringement case. Prepared a written report and recommendation, which was accepted by the Court.
- Signature Systems, Inc. v. Richard Bowman, et al. (E.D. Pa.) - court-appointed expert to address issues relating to software for point-of-sale restaurant systems. Prepared a written report and recommendation, which was accepted by the Court.
- Rhoads Industries, Inc. v. Building Materials Corp. of America, et al. (E.D. Pa.) - court-appointed special master to engage in fact finding and address certain e-discovery issues in construction case. Investigation included interviews of counsel, witness and party representatives and resulted in a settlement of the case.
- In re Processed Egg Products Antitrust Litigation (E.D. Pa.) - court-appointed special master to address e-discovery issues in MDL antitrust case. Prepared and filed a written report and recommendation, which was accepted by the Court.
- Appointed to the roster of special masters for electronic discovery by the U.S. District for the Western District of Pennsylvania.
Alternative Dispute Resolution Training
AAA Chairing an Arbitration Panel: Managing Procedures, Process & Dynamics (ACE005), 2016; AAA Avoiding Ten Common Missteps Arbitrators Make (ACE010), 2015; AAA Ethics 101: Arbitrators, Mediators & Attorneys, 2014; Arbitration in IP / Technology Disputes, 2013; AAA Arbitration Awards: Safeguarding, Deciding & Writing Awards (ACE001), 2012; AAA Arbitration Fundamentals and Best Practices for New AAA Arbitrators, 2012; New Jersey Association of Professional Mediators, Basic Mediation Skills Training Course, 2011; Institute for Conflict Management, Arbitration Certification Training, 2010.
Professional Licenses: Admitted to the Bar: New Jersey; Pennsylvania; U.S. District Court: Eastern and Western Districts of Pennsylvania; District of New Jersey; U.S. Court of Appeals: First and Third Circuits. Real Estate License (escrow).
Professional Associations
International Technology Law Association (Past President); Philadelphia Bar Association (Business Law Section, Past Chair); American Bar Association.
Education: LaSalle University (BA, Computer Science-1984; MBA, Finance specialization-1991); Temple University School of Law (JD, magna cum laude-1997).
Publications and Speaking Engagements
Selected Publications
- Co-author, "Contracts", Business and Commercial Litigation in Federal Courts, Thomson Reuters, Third Edition (2011), Second Edition (2005)
- Miscellaneous other publications
Selected Speaking Engagements
- Speaker, "Arbitration and Mediation in Commercial Disputes: Maximizing Results While Minimizing Costs," Association of Corporate Counsel Delaware Valley In-House Counsel Conference, Philadelphia, Pennsylvania, 2010
- Moderator, Litigation: Cross-border discovery and data protection; Pre-Trial/Arbitration Discovery (US) and Court-appointed Appointed Expert Fact-Finding Procedures (EU) - Use and abuse in technology litigation; ITechLaw Annual European Conference, Berlin, 2010
- Speaker, "Overview of Software Licenses," Pennsylvania Bar Institute, Philadelphia, PA, December 5, 2011
- Miscellaneous other speaking engagements
Citizenship: United States of America
Languages: English
Locale: Philadelphia, Pennsylvania, United States of America
Sherman W. Kahn, Esq., Neutral ID: 158907
Sherman W. Kahn, Esq., Mauriel Kapouytian Woods LLP
Current Employer-Title: Mauriel Kapouytian Woods - Attorney
Profession: Attorney, Arbitrator, Mediator
Work History: Attorney, Mauriel Kapouytian Woods, 2013-present; Morrison & Foerster LLP (New York Office), 2003-13; Morrison & Foerster LLP (Tokyo Office), 1998-03; Morrison & Foerster LLP (Palo Alto Office), 1995-98; Brown & Bain, 1994-95; Law Clerk to Hon. Mariana Pfaelzer, U.S. District Court, Central District of California, 1993-94; Law Clerk, Brown & Bain, 1992-93.
Experience: Experience with all aspects of complex business litigation with a particular emphasis on intellectual property, information technology and international issues.
Patent litigation and advice regarding technologies including semiconductor processing, communication software, medical devices, memory devices, programmable logic devices, 3D sound technology, construction lasers, video controllers, LCD and Plasma display technology, semiconductor circuit layout and design, telephony and videoconferencing, business systems, LED control, biotechnology, and supercomputer architecture.
Significant experience with Internet Protocol, VoIP, networking and security and encryption software. Significant experience with variety of software patent issues.
Experience with trademark and copyright infringement litigation.
Experienced with trademark and patent issues in apparel industry. Experience in matters involving art and antiquities.
International arbitration proceedings typically involving industrial, mining or IT issues including: Arbitration in Zurich regarding construction of hot strip steel mill in Brazil; International IT outsourcing disputes in London and New York; International arbitration in Denver regarding performance of mining contractor at mine in Bolivia.
Handles litigation and government investigations regarding privacy and information security including data breach, privacy regulation, telemarketing regulation and behavioral advertising issues.
Handles matters in recording industry including privacy issues, intellectual property issues and government investigation of celebrity fan club website.
Practiced in Tokyo, Japan for five years. During that time was licensed as gaikokuho jimu bengoshi.
Alternative Dispute Resolution Experience
Sat as panel chair, sole arbitrator, and wing arbitrator in numerous international and domestic arbitrations with subject matter including IT outsourcing, software development, mining, patent infringement and other IP issues, trademark licensing, unfair competition and trade disparagement, and other commercial issues.
Counsel in major international and domestic arbitration proceedings including, for example, a construction dispute regarding a steel mill in South America; international IT outsourcing disputes; and a dispute regarding a South American mining operation.
Other arbitrations have involved issues including semiconductor manufacturing; domain name disputes; a reinsurance dispute; and a variety of commercial issues.
Arbitrated under variety of institutional and ad hoc rules including AAA, ICDR, JCAA, and WIPO.
Mediated numerous commercial disputes.
Alternative Dispute Resolution Training
AAA/ICDR/Mediation.org Panel Conference, 2016; AAA Substance Abuse & the Twinkie Defense in ADR, 2015; AAA Pro Se Parties in Arbitration, 2015; AAA The 31st Annual Joint Colloquium, NY, 2014; AAA Damages for Neutrals, 2014; Faculty, AAA Webinar, Current Trends in the Use of ADR in Outsourcing Relationships, 2014; ICDR International Symposia in Advanced Case Management Issues, 2012; Southern District of New York, Two Day Mediation Training, 2012; New York State Bar, Dispute Resolution Section 3-Day Mediation Training, 2012; AAA Arbitration Awards: Safeguarding, Deciding & Writing Awards (ACE001), 2011; AAA Arbitration Fundamentals and Best Practices for New Arbitrators, 2011.
Professional Licenses: Admitted to the Bar: California, 1993; District of Columbia, 2003; New York, 2004; U.S. District Court: Southern and Eastern Districts of New York; Eastern District of Texas; Western District of Michigan; Central, Eastern and Northern Districts of California; U.S. Court of Appeals: Federal, Second, Ninth, and Eleventh Circuits.
Professional Associations
Chair, New York State Bar Association Dispute Resolution Section (2014-15) (previously Co-Chair Legislation Committee, Co Chair; Arbitration Committee); Co-Chair, Technology Committee, New York International Arbitration Center; Subcommittee Chair, Task Force on New York Law in International Matters; Fellow, Chartered Institute of Arbitrators (FCIArb); New York Intellectual Property Law Association; California State Bar Association (Intellectual Property Section; International Section); International Arbitration Club of New York; New York City Bar Arbitration Committee; Director, member Tech List, Silicon Valley Arbitration and Mediation Center.
Education: University of California, Berkeley (BA-1989; JD-1993).
Publications and Speaking Engagements
PUBLICATIONS: "Will Patents Be the Next Wave in Investor State Arbitration," NEW YORK DISPUTE RESOLUTION LAWYER, Spring 2014, Vol. 7, No. 1; "An Emphasis on Arbitrator Authority? Arbitration at the Supreme Court (2012 to 2013 Term)," NEW YORK DISPUTE RESOLUTION LAWYER, Fall 2013, Vol. 6, No. 2; "Administering Arbitration Clauses in Online Terms of Services Agreements," SOCIALLY AWARE, April 2013; "Arbitration at the Supreme Court (2011 to 2012 Term)," NEW YORK DISPUTE RESOLUTION LAWYER, Fall 2012, Vol. 5, No. 2; "Browsewrap Arbitration - Enforcing Arbitration Provisions in Online Terms of Service," NEW YORK DISPUTE RESOLUTION LAWYER, Fall 2012, Vol. 5, No. 2; Co-author, "Click-Accept Arbitration: Enforcing Arbitration Provisions in Online Terms of Service," SOCIALLY AWARE, Vol. 3, Issue 2, April 2012; "Developments in Supreme Court Jurisprudence: The Court's AT&T Decision and the Second Circuit's Treatment of Stolt-Nielsen," NEW YORK DISPUTE RESOLUTION LAWYER, Vol. 4, No. 3, Fall 2011; co-author, White Paper -- "Benefits of Arbitration and Mediation for Dispute Resolution in Intellectual Property Law," NEW YORK DISPUTE RESOLUTION LAWYER, Vol. 4, No. 2, Summer 2011; co-author, White Paper -- "Benefits of Arbitration and Mediation for Dispute Resolution in Outsourcing Agreements," NEW YORK DISPUTE RESOLUTION LAWYER, Vol. 4, No. 2, Summer 2011; co-author, "Practical Uses of ADR in Outsourcing Relationships," NEW YORK DISPUTE RESOLUTION LAWYER, Vol. 4, No. 1, Spring 2011; "Developments in Arbitration: Arbitration in the United States Supreme Court -- October Term 2009," NEW YORK DISPUTE RESOLUTION LAWYER, Vol. 3, No. 2, Fall 2010; co-author, "When Outsourcing Turns Sour," computing.co.uk, 24 June 2010 (on line publication); co-author, "Balancing Discovery with EU Data Protection in International Arbitration Proceedings," NEW YORK DISPUTE RESOLUTION LAWYER, Vol. 3, No. 1, Spring 2010; "Developments in Arbitration: Arbitration at the United States Supreme Court, October Term 2008," NEW YORK DISPUTE RESOLUTION LAWYER, Vol. 2, No. 2, Fall 2009.
SPEAKING ENGAGEMENTS: Panelist - New York State Bar Association Business Law and Corporate Counsel Section Annual Meeting, New York Lawyers in International Matters, January 29, 2014; Faculty, 3-Day Commercial Arbitration Training, New York State Bar Association, Dispute Resolution Section, June 2015, July 2014, June 2013, July 2012; Alternative Dispute Resolution Workshop, 2012 Outsourcing World Summit, Orlando, Florida, February 2012; Co-chair, New York State Bar Association, Dispute Resolution Section Annual Meeting, New York, January 2012; New York Dispute Resolution Section Fall Meeting, October 2011 (Judicial Response to Break the Gridlock: Focus on Arbitration); Faculty, New York State Bar Association, Dispute Resolution Section, 3 Day Commercial Arbitration Training: Comprehensive Training for the Conducting of Commercial Arbitrations Pursuant to Contemporary Best Practices (presenting on arbitration discovery in domestic and international arbitration and e-discovery), June 28-30, 2011; panelist, New York Global Law Week, Concluding Plenary Session, New York Law as an International Standard: Report on the Work of the NYSBA Task Force on New York Law in International Matters, May 13, 2011; co-chair and moderator, 2011 New York State Bar Association Dispute Resolution Section Annual Meeting, January 2011 (moderated panel on settlement in arbitration); panelist, 2010 New York State Bar Association Dispute Resolution Section/International Section Annual Meeting, January 2010 (Managing Arbitration: Discovery v. Privacy in International Arbitration); panelist - 2009 New York State Bar Association Dispute Resolution Section Fall Meeting, October 2009 (The U.S. Supreme Court and Arbitration - Current and Future Directions).
Citizenship: United States of America
Languages: English
Locale: New York, New York, United States of America
Strategies for Navigating Business-to-Business Data Breaches
By Joseph V. DeMarco and Urvashi Sen
Outside Counsel, Expert Analysis
Volume 254—No. 2, Monday, July 6, 2015
www.NYLJ.com, Serving the Bench and Bar Since 1888
Joseph V. DeMarco is a partner at DeVore & DeMarco and previously served as an assistant U.S. attorney for the Southern District of New York, where he founded and headed the Computer Hacking and Intellectual Property Program. Urvashi Sen is counsel at DeVore & DeMarco.
There is no shortage of attention in the media to data breaches affecting consumers in the United States—so-called “business to consumer,” or “B2C” data breaches. And rightfully so—the Identity Theft Resource Center, which has been tracking data breaches in the United States since 2005, released a report in January 2015 which showed that U.S. B2C data breaches hit a record high of 783 in 2014.[1] This number represents an increase of 27.5 percent over similar breaches reported in 2013, and pushes the total number of U.S. data breach incidents tracked since 2005 to 5,029 reported incidents involving over 675 million estimated records.[2]
For example, in January 2014, Target revealed that it had been the victim of a computer hack through which the contact information of 70 million individuals and information relating to 40 million credit and debit card accounts were stolen.[3] In early 2015, Anthem announced that a cyberattack had compromised the personal information of almost 80 million individuals, including names, dates of birth, Social Security numbers, health care ID numbers, home addresses, email addresses, and employment information.[4]
In large part, it is the number of consumers affected that has led to the increased media onslaught that follows these types of B2C breaches, as well as the call to arms for legislative changes to address these security issues across industries. It is no coincidence that the Obama Administration has made consumer data protection a priority with its proposed data protection act, which will, among other things, require companies to publicly disclose a data compromise within 30 days of it occurring.[5]
In the midst of all this focus on consumer data protection and B2C breaches, however, the media and the Legislature have largely ignored data privacy breaches that are not directly consumer-facing privacy concerns—so-called “business to business,” or “B2B” breaches. Such breaches tend to occur quietly, for two main reasons: (1) there are currently no overarching statutory obligations to report data breaches that do not involve statutorily defined categories of personally identifiable information (PII) belonging to consumers; and (2) it is in a company’s best interest to keep breaches of this nature (really, any breaches at all) quiet, so as to prevent the public airing of their potential security flaws.
It is also for these reasons that companies tend not to focus their attention, and their resources, on B2B breach scenarios. It is easy to understand why a B2C breach, which can so directly affect a company’s bottom line in a much clearer and more quantifiable manner through public notification and media involvement, is generally where companies put their best thinking and resources. However, to ignore the potential damage that B2B breaches can cause would be a huge mistake. Indeed, companies can go a long way toward protecting themselves from B2B data breach incidents by implementing two simple, yet critical, measures: (1) retaining expert privacy counsel to perform due diligence on potential business partners and vendors, and (2) ensuring that vendor and other business contracts contain key clauses addressing potential cybersecurity incidents—in particular, arbitration clauses that cover data breaches.
B2B Breaches
While it is certainly in neither party’s interest in a B2B data breach to air its grievances publicly, this does not mean that such situations are simple affairs that are quickly and painlessly resolved. In fact, the opposite is most likely the case—without regulatory or statutory parameters to inform the discussion, and without a direct public fallout to steer companies in the right direction, these types of “quiet” breaches can result in very contentious disputes that may drag on and become difficult to resolve.
In one public example of just how far the fallout from a B2B breach can extend, it was reported in March 2014 that a security breach had impacted the e-commerce platform of Createthe Group (CTG), a digital luxury agency that provides e-commerce solutions to a number of recognizable brands in the retail and fashion space, including Calvin Klein, H&M, Hugo Boss, Louis Vuitton, and many more.[6] CTG ultimately retired its e-commerce platform and exited the e-commerce space altogether (although the security breach was not cited specifically by CTG as a reason for this decision).[7] Notably, in this case the security breach resulted in the alleged compromise of credit card numbers belonging to customers of the various brands CTG represented,[8] no doubt one of the reasons why the breach was reported in the press at all.
Even without a public media backlash, however, it is not difficult to imagine how damaging a B2B data breach incident can be to a company. A compromise of a company’s systems, whether through malware received from a vendor or business partner, or through a breach of such a third party’s own security systems, consumes the time, energy, and resources of an organization. Even if no consumer data is impacted by the breach,[9] the impact of a B2B breach can result in tremendous losses to a company, including the costs involved in assessing the breach itself, which often can encompass its impact on the company’s systems and data, determining and implementing solutions necessary to prevent such an incident in the future, spending employee and attorney (in most cases, outside counsel) hours interfacing with the third party responsible for the breach, and managing any reputational damage that may have occurred.
Pre-Contract Due Diligence
One important step a company should take prior to entering into an agreement with a business partner or vendor is to ensure that these third parties follow robust, industry-appropriate security and privacy protocols. What these protocols should be will vary greatly depending on the industry and the size of the third party in question. As such, it is essential that each company contemplating a third-party business relationship retain outside, expert counsel to guide them in this process. The amount of money at stake in each business relationship and the level of data connectivity that will result between the company and the third party will determine how much due diligence is necessary prior to entering into a contractual relationship.
Smaller, simpler associations may only require a basic review of the third party’s policies and procedures, whereas for more complex and long-term relationships, a more robust vetting of the third party’s cybersecurity policies and protocols may be appropriate. In all cases, the vetting should be done under counsel privilege to the maximum degree permitted by law.
While such due diligence may, on its face, appear arduous, in fact this type of “pre-screening” not only goes a long way toward preventing a potential external security breach that may affect the company, but also sends a very clear message about the level of importance the company places on cybersecurity matters. This can often be a critical deterrent to a third party that may ordinarily choose to play fast and loose with cybersecurity best practices.10
Contracts and Arbitration
Another key strategy companies can employ in protecting themselves from potential B2B data breaches is to ensure that contracts with vendors and business partners specifically address cybersecurity matters, from preventative measures, to risk allocation and dispute resolution in the event of a data security breach.
As a preliminary matter, contracts should outline the data security procedures and protocols that the third party agrees to comply with. What these procedures should be will, ideally, become clear in the due diligence phase discussed above. Contracts should also address the procedures that should be followed in the event of a security breach and how risk in that context should be allocated.
Specifically, companies should ensure that (1) the third party is contractually obligated to report any security incidents in a reasonably prompt manner to the company; (2) the contract includes a clause allocating risk for certain basic types of data breach incidents; (3) the contract addresses indemnification in the data breach context; and (4) the contract includes a broad-form arbitration clause covering all disputes, including disputes relating to data security and privacy matters, and data breaches in particular.11
An arbitration clause is, in our view, a critical component to handling data security breaches in B2B relationships. There are undoubtedly numerous advantages to companies across various industries that choose to arbitrate, rather than litigate, their contractual disputes, regardless of the subject matter of the dispute itself. However, B2B data breach incidents actually present what appears to be the perfect case for the use of arbitration clauses.
First, arbitrating a B2B security incident is more likely to result in a speedier, more efficient, and less costly resolution, not least of all because the evidentiary hearing can proceed uninterrupted, hour-to-hour, on sequential days as needed, as opposed to courtroom proceedings with myriad interruptions and off-days. Additionally, pre-hearing procedures such as discovery and motion practice are streamlined. This frees up company resources to address and rectify the root problems that resulted in the breach, particularly when preceded by mediation, as is generally recommended by the various arbitration associations.12
Notably, the efficiency of an arbitration proceeding can be greatly increased by carefully negotiating contractual agreements between parties, such as including a “stepped” arbitration clause, which requires the parties to engage in meaningful mediation prior to entering into a formal arbitration proceeding, and an indemnification clause that covers various security incident scenarios. Here, too, having knowledgeable, expert data privacy counsel to review contracts with third parties for data security issues will go a long way in preventing long and messy disputes when breaches do occur.
Second, an arbitration not only can ensure that legitimate subject-matter expert arbitrators, with all the technical qualifications necessary to understand complex data security and privacy matters, will resolve the matter, but also eliminates the possibility that an emotional jury, panicking at the prospect of potential effects on consumers from the breach and ill-equipped to comprehend the technical nature of the subject matter, will be the ultimate decision-makers. Additionally, arbitration affords parties the ability to elect in advance whether to have the arbitrator (or arbitrators) issue a bare, standard award or a reasoned award, which has implications relating to delay, expense, and susceptibility to vacatur.
Third, arbitration proceedings can be kept confidential, whereas courtroom proceedings typically cannot be, even if a jury is not involved. This is a key factor for companies navigating a security breach incident, particularly in the current climate of intense scrutiny facing reported breaches. In many cases, it is a tremendous uphill battle to recover from the reputational damage that can result from the public revelation of a data breach, for both parties involved—so much so, that without the option of a confidential arbitration, companies may choose to forgo dispute resolution, swallowing their losses instead. Arbitration provides an ideal environment to ensure that such situations do not arise.
Fourth, arbitration affords far greater finality of decision than court proceedings, where appellate possibilities abound. In data breach disputes, this finality allows both parties to put the dispute behind them quickly, and focus their energies on rectifying the breach and working toward preventing future incidents.
Top of the Agenda
Ultimately, in this current environment of record-high breaches and, undoubtedly, record-high scrutiny of companies impacted by breaches, it is in each company’s best interest to put cybersecurity at the top of the agenda, regardless of whether or not consumer data is likely to be implicated in a security incident. Preventive and protective measures can go a long way toward saving a company from catastrophic losses, both financial and reputational.
1. See “Data Breach Reports, Dec. 31, 2014,” Dec. 31, 2014, available at http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf.
2. “Identity Theft Resource Center Breach Report Hits Record High in 2014,” Jan. 12, 2015, available at http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html.
3. See “Data Breach FAQ,” https://corporate.target.com/about/shopping-experience/payment-card-issue-faq.
4. See “Anthem Facts,” last updated May 8, 2015, https://www.anthemfacts.com/; see also “State Breakdowns: Anthem Breach by the Numbers,” Feb. 26, 2015, available at http://www.scmagazine.com/victims-of-the-anthem-breach-stretch-across-multiple-states/article/400489/.
5. “Fact Sheet: Safeguarding American Consumers and Families,” Jan. 12, 2015, available at https://www.whitehouse.gov/the-press-office/2015/01/12/fact-sheet-safeguarding-american-consumers-families.
6. “American Express Customers Receiving New Breach Notifications,” June 20, 2014, http://www.csoonline.com/article/2365803/data-protection/american-express-customers-receiving-new-breach-notifications.html.
7. “Fashion Firms Probing Alleged Data Breach,” March 26, 2014, http://www.zeere-port.com/breaking_news/4023-Fashion_Firms_Probing_Alleged_Data_Breach.html.
8. “American Express Customers Receiving New Breach Notifications,” supra note 6.
9. Notably, it is also possible that a B2B or other type of breach will impact certain customer data, but not the types of data that trigger reporting obligations. For example, in New York (and many other states), name, date of birth, and address information, although considered “personal information,” are not, standing alone, “private information” that, if compromised, requires notification of either individuals impacted or governmental agencies. See N.Y. GBS. Law §899-aa.
10. Of course, it is also crucial for companies to ensure they have appropriate cybersecurity insurance coverage that will protect them from security incidents prior to entering into contracts with third parties. This is not an easy task—all too often companies purchase expensive products that are peppered with loopholes, either rendering the coverage ineffective even in some of the most basic breach scenarios, or requiring policy modifications in order to become effective. Legal expertise, through outside data privacy counsel, can be critical here to ensure that the most cost-effective, robust policy is purchased, and that it appropriately covers B2B data breaches.
11. There are a range of reasons why arbitration clauses may be beneficial for all business-to-business matters. While a discussion of those reasons is beyond the scope of this article, we note that broad-form arbitration clauses are, at the very least, procedurally preferable. This is because carving up disputes into different silos for different treatment can be incredibly problematic and inefficient, particularly if parties are forced to arbitrate certain claims and litigate others (and, indeed, to go to court to determine what disputes are covered by the scope of the arbitration clause).
12. For example, under the American Arbitration Association Rules, parties must mediate disputes for claims in excess of $75,000 unless one of them actively opts out of the mediation process. See American Arbitration Association’s Commercial Rules and Mediation Procedures, Rule 9.
Reprinted with permission from the July 6, 2015 edition of the NEW YORK LAW JOURNAL © 2016 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 or [email protected]. # 070-10-16-33