Attorneys in Cincinnati Oh & N. KY | Blog

Kentucky Enacts New Data Breach Law

Posted on Sun, May 11, 2014 @ 01:58 PM

by Joseph S. Burns

The Kentucky General Assembly has enacted a new law regarding data breaches (H.B. 232), making Kentucky the 47th state to have a data breach notification law. The new law will take effect on July 15, 2014.

The new law applies to any person or business conducting business in Kentucky that is not otherwise governed by Title V of the Gramm-Leach-Bliley Act (“GLBA”) or the Health Insurance Portability and Accountability Act (“HIPAA”). The law covers unencrypted, unredacted computerized “personally identifiable information,” which is defined as an individual’s first name and (a) a driver’s license number, (b) bank or credit card account number, or (c) social security number.

The duty to notify under the new law is triggered when unencrypted, unredacted computerized data is acquired in an unauthorized fashion, thereby compromising the security of an individual’s personally identifiable information. After discovering a breach, the information holder must notify any Kentucky resident whose personally identifiable information is reasonably believed to have been acquired by an unauthorized person. The affected individual(s) must be contacted in writing without “unreasonable delay.” While the information holder is not required to notify the Kentucky Attorney General, if more than 1,000 persons are affected by the disclosure, the information holder must notify consumer reporting agencies.

For businesses, the new law highlights the importance of (i) encrypting electronic data; and (ii) maintaining policies and procedures regarding data security and the investigation of security breaches, and training employees on such policies and procedures.

Tags: Business Law, Corporate Law, Data Breach

Don't Gloss Over Boilerplate Provisions

Posted on Tue, May 06, 2014 @ 11:51 AM

by Joseph S. Burns

On March 27, 2014, in a 4-3 decision styled Biotronik AG v. Conor Medsystems Ireland, Ltd., the New York Court of Appeals highlighted the pitfalls of glossing over boilerplate contract language when it ruled that a “no consequential damages” clause in an agreement did not preclude the plaintiff from proceeding with a $100 million claim for lost profits.

Plaintiff, an exclusive distributor of defendant’s medical devices, sued for breach of contract – claiming lost profits – when the defendant terminated the distribution agreement. A clause in the agreement provided as follows: "Neither party shall be liable to the other for any indirect, special, consequential, incidental, or punitive damages with respect to any claim arising out of this agreement (including without limitation its performance or breach of this agreement) for any reason."  Relying on this provision, defendant argued that plaintiff’s claim for lost profits was clearly barred, as lost profits fell within the definition of consequential damages.

It is generally believed that lost profits – particularly those that do not directly flow from a breach of the agreement – are consequential damages. The Biotronik court pointed out, however, that lost profits may be either general or consequential damages, depending on whether the non-breaching party bargained for such profits and such profits were the direct and immediate fruits of the contract – i.e., such profits were a direct and likely result of the breach. Indeed, after conducting a very fact-intensive analysis, the court concluded that plaintiff’s lost profits should be considered general damages (rather than consequential) because the damages were a direct and probable result of the breach, even though the profits would have been earned pursuant to a contract other than the breached agreement. As such, the court concluded that plaintiff’s claim for lost profits was not barred by the provision prohibiting the recovery of consequential damages.

The takeaway from this decision is that attention should be paid to these sorts of standard boilerplate clauses. Indeed, such provisions should be crafted to avoid the scenario in Biotronik. For instance, consider the following:

  • Identify with specificity any and all damages that should be excluded.  For example, the limitation of liability provision could specify that the other party shall not, in any event, be entitled to recover “lost profits, lost revenue, lost income, or any revenue arising from loss of anticipated business, even if such damages were or should have been foreseeable by the breaching party.”

  • Include a liquidated damages provision that excludes recovery for actual damages, and be sure to note that such sum is not a penalty, but a reasonable estimate of damages in the event of a breach.

  • Specify that the limitation of liability provision is an integral part of the agreement that has been bargained for by the parties, and that such provision will remain in effect even if any other provision of the agreement fails of its essential purpose.

Tags: Business Law, Corporate Law, Contracts