The Law Office of Hale Stewart, JD, LLM
832.330.4101

Hale Stewart's Law Blog

Why a Cyber Breach as a Small or Medium-Sized Service Firm is an Extinction-Level Event, Pt III

5/19/2020

If you'd like to discuss this or other risk issues, please set up an appointment with my Calendly link.

In the first post in this series, I argued that a cyber incident is an extinction-level event for a small to medium-sized professional service firm. The second post explained why: professional service firms use confidential client information, stored in electronic format. The unauthorized release of this information harms clients, who then sue the service providers.

The ISO cyber policy defines the primary way data is released as a “security breach,” which it defines as:

“… the acquisition of “personal information” held within a “computer system” or in non-electronic format while in the care, custody or control of the “insured” or “authorized third party” by a person:

a. Not authorized to have access to such information, or
b. Authorized to have access to such information but whose access results in the unauthorized disclosure of such information.”

Please see the previous post for a discussion of personal information.

“Care, custody, or control” is a legal term of art referencing bailment, which occurs when one person or entity entrusts their property to another. The law imposes a duty of care on the property-holding party while the property is in their “care, custody, or control.” This duty of care applies to professional service firms that hold client data.

The ISO policy defines a “third party” as “any entity that you engage under the terms of a written contract to perform services for you.” This definition encompasses cloud computing companies and contracts, which is another potential area of vulnerability.

According to the ISO definition, covered property can be held in electronic or non-electronic format. This data is then wrongfully acquired in one of two ways:

  1. An unauthorized third person gains access, almost always by hacking, or
  2. A person authorized to have access allows an unauthorized person to access the information.

The method of unauthorized access is unimportant. The definition’s breadth allows it to apply to new and as yet unknown threats.

Key to this situation is that confidential information leaves the service firm’s “care, custody, or control.” It then goes to a third party who is not authorized to access it. This transfer will cause irreparable harm to the service firm’s client, who will then sue for damages.
The Law Office of Hale Stewart
734A E. 29th Street
Houston, Texas 77009
832.330.4101
Halestewart@halestewartlaw.com