The self-storage market has been valued globally at over $40 billion. As part of the industry’s growth and expanded use of technology to operate these businesses, self-storage operators are increasingly exposed as the targets of potential litigation, especially in the area of cyber and data liability. These days, self-storage operators must not only tackle the regulatory compliance issues that are part of their state lien laws, but they must also hold themselves accountable to a myriad of other laws that impact their day-to-day management. Based on the size of their operations, facility operators must be aware of and comply with the Fair Credit Reporting Act (FCRA), Fair and Accurate Credit Transactions Act of 2003 (FACTA), California Consumer Privacy Act (CCPA), state and federal security breach notification laws, the Payment Card Industry Data Security Standard (PCI DSS), global requirements under the European Union’s General Data Protection Regulation (GDPR), and other federal and state cyber and data requirements.
As it stands now, all 50 states have enacted some form of data breach notification law, which imposes certain obligations on companies to notify customers when personally identifiable information is compromised. These laws require businesses to provide notification to their affected customers. In some states, notification is required to be made to state regulators and oftentimes incurs the expense of credit monitoring for the customer’s ongoing protection. Another growing area of potential cyber liability arises from the privacy laws that have been enacted already in a number of states, including California, Colorado, and Virginia. These state privacy laws control the types of data that companies can collect, limit how that information can be shared, and provide rights to the customer to “opt out” of any third-party sales (including the right to data destruction after use). Although there have been discussions about the creation of a federal law to cover all privacy rights, it appears more likely that we’ll see the introduction of state-by-state privacy protection laws, each with their own compliance requirements. Self-storage operators need to be prepared to address these risks and the likely litigation issues which may arise from these risks as part of their standard operations. The following are some risk management obligations for self-storage operators to consider:
1. Re-drafting all web-based and mobile application privacy policies and terms of service provisions to address statutory legal notice requirements.
2. Reviewing all third-party technology licensing agreements and any data sharing agreements to address indemnity provisions for data loss.
3. Preparing action plans to respond to potential allegations of misuse of data, including requests for information from state attorney generals and/or the Federal Trade Commission.
4. Preparing action plans to respond to issues including online defamation and/or violations of social media terms of service.
5. Reviewing cyber insurance coverage solutions to handle data breach defense and related liability expenses.
6. Performing privacy and security-based due diligence to assess risks in mergers and acquisitions including the area of post-closing data integration management.
7. Developing incident response plans and cyber-attack response measures including breach containment, incident investigation, consumer notification, law enforcement and government relations communications, data and evidence preservation, regulatory reporting, and litigation management.
Unfortunately, the risks of cyber liability and compromise via data breach cannot be ignored as the self-storage industry shifts to more and more web-based and mobile applications where customer data is collected, stored, and utilized on a regular basis. The time has come to address these risks and prepare accordingly.