A significant theme of this issue of Law à la Mode is fashion retailers’ increasing embrace of new technological innovations in the areas of Big Data and the Internet of Things (IoT) to better communicate with and respond to customers in a personalized and intimate manner, as well as to more effectively streamline their own business processes – for example, improving inventory and supply chain management. The myriad of legal issues associated with such new and exciting innovations are discussed elsewhere in this issue. This article focuses on how retailers can better allocate and mitigate risks arising from the brave new world of Big Data.
Most retailers will not implement such innovative technology unaided, instead engaging third-party vendors via services agreements. And, although data privacy laws hold a company ultimately accountable for any security breaches related to its data, financial exposure and risk can be at least partially mitigated and allocated in the services agreement between the retailer and its technology vendor.
Retailers should ask for specific representations about the nature, extent and quality of the vendor’s data security measures and policies. In the event the vendor breaches its contractual representations, the retailer will have a damages claim allowing for at least partial offset of damages resulting from the vendor’s failure to observe its security representations. Retailers should also push for rights to verify the vendor’s security capabilities, including the right to conduct ongoing audits to determine if the vendor continues to observe the security representations it has made.
Retailers should also ensure that the services agreement contains breach notification provisions, under which the vendor will notify the retailer of even potential or suspected data breaches, allowing both parties to mobilize to prevent or mitigate more extensive harm. However, parties should be mindful of the business and security realities at play – in the event of a major incident, resources may be best focused on taking immediate steps to mitigate and repair the breach, as opposed to preparing notification letters.
Indemnity provisions remain crucial, and vendors and retailers will want to negotiate indemnity provisions that are fair, but which compensate the retailer for vendor negligence or breach of contractual representations.
Insurance is a classic way to allocate risk, and retailers should make sure that the vendor has sufficient policies in place to cover potential indemnification claims or claims for breach of contractual representations. Retailers should also assess and evaluate whether their own current insurance policies provide sufficient coverage for data breaches. Most commercial general liability policies exclude coverage for electronic data and intangible property damage. A more specialized technology errors and omissions policy can help fill in the gaps.
And, although not happily discussed, both parties should be mindful of what will happen in the event of a break-up. Retailers should consider requesting that the vendor either return customer data or destroy it, with a certification of its destruction.
Good housekeeping practices may require retailers to regularly conduct internal reviews of their services agreements to determine whether the security measures and protections in these agreements remain current, even as the technological landscape evolves at a rapid pace.