Cyber Risks and Self Storage

The self storage market has been valued globally at over forty billion dollars. As part of the industry’s growth and expanded use of technology to operate these businesses, self-storage operators are increasingly exposed as the targets of potential litigation, especially in the area of cyber liability and data breach. These days, self-storage operators must not only tackle the regulatory compliance issues that are part of their state lien laws but they must also hold themselves accountable to a myriad of other laws that impact their day to day management. Based on the size of their operations, facility operators must be aware of and comply with the Fair Credit Reporting Act (FCRA), Fair and Accurate Credit Transactions Act of 2003 (FACTA), California Consumer Privacy Act (CCPA), state and federal security breach notification laws, the Payment Card Industry Data Security Standard (PCI DSS), global requirements under the European Union’s General Data Protection Regulation (GDPR), and other federal and state cyber and data requirements.

As it stands now, all fifty states have enacted some form of data breach notification law, which imposes certain obligations on companies to notify customers when personally identifiable information is compromised. These laws require businesses to provide notification to their affected customers. In some states, notification is required to be made to state regulators and oftentimes incurs the expense of credit monitoring for the customer’s ongoing protection. Another growing area of potential cyber liability arises from the privacy laws that have been enacted already in a number of states, including California, Colorado and Virginia. . These state privacy laws control the types of data that companies can collect, limit how that information can be shared and provide rights to the customer to “opt out” of any third-party sales (including the right to data destruction after use). Although there have been discussions about the creation of a federal law to cover all privacy rights, it appears more likely that we’ll see the introduction of state-by-state privacy protection laws, each with their own compliance requirements. Self-storage operators need to be prepared to address these risks and the likely litigation issues which may arise from these risks as part of their standard operations. The following are some risk management obligations for self-storage operators to consider:

1. Re-drafting all web-based and mobile application privacy policies and terms of service provisions to address statutory legal notice requirements.
2. Reviewing all third-party technology licensing agreements and any data sharing agreements to address indemnity provisions for data loss.
3. Preparing action plans to respond to potential allegations of misuse of data, including requests for information from state attorney generals and/or the Federal Trade Commission.
4. Preparing action plans to respond to issues including online defamation and/or violations of social media terms of service.
5. Reviewing cyber insurance coverage solutions to handle data breach defense and related liability expenses.
6. Performing privacy and security-based due diligence to assess risks in mergers and acquisitions including the area of post-closing data integration management.
7. Developing incident response plans and cyber-attack response measures including breach containment, incident investigation, consumer notification, law enforcement and government relations communications, data and evidence preservation, regulatory reporting and litigation management.

Unfortunately, the risks of cyber liability and compromise via data breach cannot be ignored as the self-storage industry shifts to more and more web-based and mobile applications where customer data is collected, stored and utilized on a regular basis. The time has come to address these risks and prepare accordingly.

This article was originally published by Scott Zucker, January 2022