Attorneys are like undertakers: services are expensive, inevitable, and (regardless of an individual’s talent or charisma) unpleasant. Therefore, many clients dislike revisiting prior legal work for updates or allowing a secondary review.
Unfortunately for managed service providers and managed security service providers (MSPs/MSSPs), who constantly combat cyber crime and rising software costs, failure to consistently review and update their client agreements can be devastating for 2 reasons:
1. Case law on cyber liability constantly changes.
Technology law attorneys must dedicate themselves to consistent research in their field of study as new cases constantly emerge, challenging previously held opinions. And unlike ancient legal fields like property and criminal law, technology law does not enjoy decades (or centuries) of reliable precedent.
For example, last month, the Eastern District of Louisiana issued a significant opinion on potential cyber liability in response to a property management company’s alleged mishandling of personal identifying information (PII) belonging to its tenants. In Merrell v. 1st Lake Properties, 2024 WL 640013 (E.D. La., Feb. 15, 2024), Judge Sarah Vance found that the tenants’ claims for negligence could proceed against the property management company, as “failure to ‘implement and maintain reasonable [data] security procedures and practices’ constitutes ‘an unfair act or practice.’” Id. at *11. Using Section 5 of the Federal Trade Commission Act (FTC Act) as the duty standard, Judge Vance stated that the FTC Act provides specific standards of care for purposes of pleading a duty as part of a negligence claim.
This opinion officially opens the floodgates for negligence claims against faulty data handlers in Louisiana, finally offering case law that supports lawsuits by private citizens, as the FTC Act otherwise denies citizens such rights.
And, because Louisiana law requires specific language before anyone can forever waive rights or assume risks in contractual arrangements, MSP/MSSP contracts need to include both assumption of risk provisions and waivers of claims pursuant to Section 5 of the FTC Act.
2. Case law on cyber insurance constantly changes.
Similar to case law on cyber liability, case law on insurance coverage for cyber-related events is also still developing.
In October 2023, the Western District of Louisiana in Benoit Ford v. Lexington Ins. Co., 2023 WL 6450545 (W.D. La., Oct. 2, 2023), restricted the application of a cyber insurance policy that provided coverage for fraudulent funds transfer.
Benoit Ford was a car dealership that, during Covid, created an online marketplace in which customers could purchase vehicles virtually and later arrange for the vehicle’s transfer to the customer. Once sale documents were complete, the lender would tender the purchase price to Benoit, who would assign the credit agreement to the lender.
Unfortunately for Benoit, cyber criminals took advantage of the virtual purchasing process, purchasing vehicles with fraudulent identities, never paying the lender, leaving Benoit to pay the lenders after the cars already left Benoit’s possession. Benoit’s cyber insurance included coverage for “Funds Transfer Fraud” in which the insurer would pay for “direct funds transfer loss that you incur resulting from a funds transfer fraud first discovered by you during the policy period.” Benoit made a claim for insurance benefits, which its insurer denied. Benoit then sued to enforce its rights under the policy.
However, the Court denied coverage, as the plain language of the “Funds Transfer Fraud” provision did not cover vehicle theft. Further, the Court found that Benoit did not directly suffer the funds transfer fraud – the lender did. The Court dismissed Benoit’s claims against the insurer.
Benoit suffered a novel crime not yet truly anticipated by a cyber risk policy – the theft of a physical item. Unlike homeowners’ insurance, the endorsements and coverage areas in cyber risk policies are not standardized like wind, hail, and fire. And because insurance companies lack the desire to standardize policies, which would decrease profit margins, individuals and businesses must inspect and seriously consider their policies before purchasing coverage.
Third-party fraud risks and betterment coverage should be required for every MSP/MSSP client in the services contract to reduce potential liability for the MSP/MSSP as a third-party defendant.