With the New Year comes a heavy dose of "year in review" specials. A summary of key events that occurred in the retail real estate industry for 2015 would certainly include numerous stories of how retailers have been impacted by data privacy concerns and breaches. However, landlords and landlord representatives, such as property managers or brokers, have also been impacted by data breach incidents or other cyber security concerns. For example, a security firm discovered that a network of 900 CCTV surveillance cameras in offices, homes, and stores across the world had been hacked and used to launch denial-of-service attacks on internet websites.
When a data breach occurs, federal, state, or international laws may apply depending on the nature of the breach, the location of the party who suffered the breach or the data subjects whose information was compromised, or the types of information subject to the breach. In the United States, in addition to the application of federal law, 47 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have legislation in place that may require an entity to notify individuals of breaches involving personally identifiable information (typically any data that could, on its own or with other information, potentially identify, contact, or locate a specific individual).
A recent study by IBM and the Ponemon Institute determined that the average cost for each lost or stolen record in a data breach was $217. The total average cost paid by organizations suffering a breach was $6.5 Million. More than half of that cost pertained to indirect costs, including loss of customers in the normal course of business as a result of the breach. These costs not only impact the party's bottom line, they can also have an effect on percentage rent due to a likely decrease in foot traffic to the shopping center.
Cyber security or other data privacy concerns may arise in a variety of situations, including the following:
-
Public or guest wi-fi offered within the shopping center by landlord or tenant
-
Frequent customer programs offered by landlord or tenant
-
Use of cloud or mobile technologies, including employee use of unsecured smartphones
-
Intelligent buildings utilizing HVAC, lighting or other advanced building management systems
-
Integration of landlord and tenant IT or other systems
-
Records regarding the landlord-tenant relationship, including rental applications, financial documents, or lease agreements that may contain personal information or confidential information. Mixed-use properties that include residential tenants are particularly at risk.
The areas of risk, as well as the legal and regulatory landscapes are rapidly evolving. Landlords and tenants should take steps before an incident or breach occurs to minimize risk and identify areas of exposure. Some suggestions include:
-
Review cyber and data security practices and procedures;
-
Adopt written policies regarding cyber security and the collection and transfer of data, especially personally identifiable information;
-
Review lease documentation to confirm compliance with insurance requirements and assess potential exposure if a data breach or other cyber security incident occurs (e.g. indemnification provisions or limitations of liability); and
-
Review existing insurance coverage. General liability insurance policies typically do not cover the costs associated with a data breach. Landlords and tenants should discuss cyber insurance or other appropriate coverage with risk managers or insurance brokers.