In this age of big data, the transportation industry is increasingly utilizing e-commerce and leveraging data to increase productivity in areas such as managing customers, capacity information, pricing information, fleet maintenance, fleet management, and driver compensation analytics. Data collected is often shared with third parties, which raises the risk of a data breach. Businesses commonly protect against such risks through enhanced employee training and, more recently, through the purchase of cyber insurance. An often overlooked method of mitigating the risk of a data breach or other cyber threat is contract drafting.
The transportation industry is replete with contractual relationships between the various parties in the supply chain. Each contractual relationship provides an opportunity for a business to protect its own data, mitigate the damage resulting from the loss of its data, or protect against the loss of another's data. To manage these cyber risks, it is essential that a business first have a thorough understanding of the data within its control:
- Does your business share data with third parties?
- Does your business collect data from third parties?
- With whom do you share data, and from whom do you collect it?
- What data do you share or collect?
These key pieces of information enable a business to assess potential cyber risks and respond accordingly. When contractually addressing cyber security issues, there are two key focuses: the protection of data and the allocation of risk.
Protecting Your Data
When data is shared between two or more entities, it is essential that all parties acknowledge and agree who owns the data. Determining ownership is critical as it is the foundation for the ability to restrict access to data and how it can be used. A business should consider placing reasonable restrictions on the use of its data. Restrictions may include limiting access to certain employees, restricting the storage of data for future use, or restricting the sharing of data with third parties.
Additional steps should be taken to ensure the safeguarding of data. Many businesses now have some form of cyber security policies and procedures to ensure the safeguarding of sensitive information. Entities with whom you conduct business should be held to the same standards to which your business is held. Consider the inclusion of a contractual warranty that the third party with whom you are contracting has and maintains policies and procedures for the maintenance and protection of data. Policies and procedures should include an incident response plan that sets forth how a breach or other incident will be handled and, most importantly, how and when your business will be notified in the event of a data breach. Similarly, require compliance with industry standards such as those promulgated by the International Organization for Standardization, the National Institute of Standards and Technology, or the Payment Card Industry Data Security Standard.
Another contractual consideration is the preservation or disposal of data. What happens to the data when the business relationship ends or the transaction is complete? A contract should address the preservation of information for possible future use, consistent with any instructions provided. Similarly, a business may dictate when and under what circumstances data will be disposed of.
Lastly, a business should retain the right to conduct an audit, either by itself or by a third party, to ensure compliance with all contractual terms.
Allocation of Risk
The allocation of risk addresses which party is responsible for the safeguarding of data and who is responsible for managing the consequences flowing from a data breach. The foremost consideration is which party is responsible for complying with any applicable state or federal statutes or regulations dealing with data breaches. As the frequency of data breaches has increased, many states and government agencies have responded with enhanced notification requirements in the event of a breach. Compliance with such notification requirements often represents the largest expense associated with a data breach.
Contracts routinely include provisions dealing with indemnification and/or limitations on liability. These clauses should be expanded to apply to a data breach. Indemnification clauses should clearly state under what circumstances indemnification will be triggered and whether there are any limits of liability.
As mentioned above, businesses also address cyber threats through the procurement of cyber insurance. In addition to the inclusion of indemnification and/or limitation of liability clauses, businesses should contractually mandate that those with whom they conduct business maintain cyber insurance that would cover a breach. Moreover, your business should be identified as an additional insured under any such policies.
The transportation industry will increasingly assimilate, analyze, and utilize data to conduct business. It is commonplace for transportation businesses to contractually mitigate risks associated with cargo loss or damage, and motor vehicle accidents; the risk of a data breach must now also be addressed. Cyber-related contract provisions are increasingly appearing in transportation contracts, and the use and complexity of such provisions will only increase. Identify what data is shared or collected. Take steps now to contractually safeguard that data. If it is not already, data will become your business's most valuable asset – act now to protect it!