Kathy Winger, attorney at the Law Office of Kathy Delaney Winger, will help partners and MSSPs understand their own liability when a client incurs a data breach, and what to do to protect them both.

She’s giving this timely and in-depth talk, “Cybersecurity and Data Breaches From a Business Lawyer’s Perspective,” as part of the business strategy conference track sponsored by Nextiva, April 10, at the Channel Partners Conference & Expo in Las Vegas.

Kathy Winger

Channel Futures’ MSSP Insider talked to Winger ahead of her presentation to get her thoughts on some of the new liabilities for partners, MSSPs and their clients. We edited her answers for length and clarity.

Channel Futures’ MSSP Insider: Data breaches are common, unfortunately, so everyone is interested in hearing how best to protect themselves legally from liability. I know you’ll cover more in your presentation, but as a preview, what are a few steps channel partners and their customers should take before, during or after a data breach?

Kathy Winger: Before a data breach occurs, there are a wide range of actions that business owners can take to help protect their electronic data.  From a legal perspective, businesses must be able to establish that they took commercially reasonable measures to prevent a data breach.

These measures can vary depending on the size of the business, the amount and type of data it possesses and the manner in which it uses that data. Nonetheless, commercial reasonable measures typically involve what security experts refer to as “best practices,” which include things like securing wireless networks, using antivirus software, backing up critical data and educating employees about cybersecurity.

Once a data breach occurs, businesses have a duty to carefully investigate its cause in a timely fashion and comply with various legal obligations, such as providing notice of the breach to affected parties and reporting the breach to regulators. It’s wise to involve a lawyer who is well-versed in cybersecurity in the process as soon as possible. After a breach has occurred, businesses must take whatever measures are necessary to help ensure that it does not happen again.

CFMI: Third-party risks are a hot topic in security these days. But what liability do third-party providers like channel partners face?

KW: In the cybersecurity arena, third-party risk typically involves vendors (i.e., the third parties) that businesses hire to perform services. If a business shares its electronic data with a vendor and the vendor experiences a data breach, both the business and the vendor can be held liable for the breach. Because of this, businesses must choose vendors carefully and insure that that their vendor’s data security practices are as good or better than their own.

Vendors, on the other hand, should not be surprised if their business customers require them to prove that they have implemented and follow good cybersecurity practices. Moreover, because of this distribution of liability, businesses and vendors often must address …

… allocation and coverage of cyber risk in their service contracts and cyber insurance policies.

CFMI: You’ll be covering a lot of the ins and out of cyber insurance in your presentation, but can you share something about cyber insurance with us that most people don’t know to look for, or simply don’t understand about it?

KW: One of the most important things to know or to remember about cyber insurance is that it does not and cannot take the place of good cybersecurity practices. The role of cyber insurance is to protect a business in the event a data breach occurs. However, it will not prevent a data breach from occurring. Thus, whether or not they are covered by cyber insurance, businesses remain obligated to take commercially reasonable steps to prevent a breach.

CFMI: What other things will you be covering in your presentation?

KW: As you can see, I mentioned the “commercially reasonable” standard in my previous responses. In my presentation, I will talk about the history of that standard, what it means and how it is applied in data breach cases.

I will also talk about recently implemented and soon-to-be-implemented cybersecurity laws and regulations. In cybersecurity, there are constant new developments on the regulatory front and it’s critical that businesses learn what their current obligations are and what their future obligations may be.

Finally, I plan to discuss recent trends in data-breach litigation.