Cybersecurity in Commercial Equipment Leases

By Michelle Schaap, Frank Peretore and Robert Hornby
November 02, 2017

Much has been written in the industry about equipment lessors' cybersecurity practices for the protection of their information. The issue addressed herein is the equipment lessor's obligations and potential liability for information stored on equipment returned to the lessor at the end of a lease.

From a leasing company's perspective, the ideal commercial equipment lease places all obligations, risk and liability squarely (and only) in the hands of the lessee. As a general matter, this is accepted industry practice, and lessees understand that this is the “price” of being able to finance equipment. The question is whether this industry practice is enforceable when data and privacy protection enter the picture.

The Leasing Company's Exposure

As a leasing (financing) company, lessors (at least in their leasing role) are not the manufacturer of the leased equipment, and (typically) the lessor is not providing support or maintenance for the equipment. However, when the lease expires (or is earlier terminated), the lessor often takes back the equipment into its inventory; and then releases or sells that equipment to a third party.

If the lease does not address data (and more to the point, data removal) stored on the leased equipment, the lessor could unwittingly put itself in the liability chain of mishandling of personally identifiable information (PII). And if the leased equipment was used by a “covered entity” or a business associate of a covered entity under the Health Insurance Portability and Accountability Act (HIPAA), the data at issue could be protected health information (PHI).

At a minimum, lessors would be well advised to include in their leases the mandate that the lessee remove all PII, PHI and/or proprietary and/or confidential data from the leased equipment prior to its return, with the requirement that an officer of the lessee certify to such removal. As of this writing, many of the leases that we reviewed for this article fail to include such a requirement. Further, few (if any) of the leases that we reviewed require that the lessee maintain cyber insurance and/or crime coverage. At present, the only insurance typically mandated in these leases is property insurance, and in some cases, general commercial liability coverage.

Indemnities and Notification

The broad indemnities in most lease forms today do not address data-related claims. Even assuming that the very broad indemnity included in a typical lease were to cover third-party claims related to misuse or mishandling of data, without insurance to stand behind the indemnification, the indemnification may be worth the paper it is written on, and not much more.

Some lessors offer, for a fee, the service of wiping data from returned leased equipment. However, in doing so, the lessor potentially puts itself back into the liability chain — and with the likelihood of the lessee seeking indemnity from the lessor were the lessor to fail to properly wipe the equipment before re-leasing the equipment.

Even assuming that the lessor requires that the lessee certify to the removal of any and all data (including PII, PHI and any other data that may be confidential and/or proprietary), if the lessee has not in fact done this, or has not done it effectively, and if the lessor were to then relet or sell the same equipment to a third-party, the lessor is likely to find itself subject to liability.

Forty-eight different states have various breach notification statutes mandating that if a party releases or otherwise allows unauthorized access to PII and/or PHI, notice must be given to: 1) designated law enforcement officials in each of those jurisdictions; and 2) the impacted persons. The likelihood of civil claims from impacted persons and the resulting liability could be crippling to the leasing company.

Equipment lessors should also be mindful that their customers (if they are “covered entities” under HIPAA, or financial, banking or insurance institutions registered in New York State) may be viewing lessors as “vendors” and requiring lessors to meet the mandates for vendors to proactively undergo risk assessments, have appropriate policies and procedures in place, and have incident response plans.

To the extent that lessors have in their control (whether on returned leased equipment, or pursuant to personal guarantees from customers) any PII and/or PHI, California, Massachusetts and Rhode Island all mandate that lessors have robust information security programs in place, and 10 other states mandate that parties that have such data maintain “reasonable” measures to secure it.

Infected Equipment

The foregoing discussion has focused on the data that a lessee intended to store, process and/or manipulate on the equipment. Query what liability the lessor may have if the computer systems and/or operating software for a piece of equipment has been infected with malware, and the compromised equipment is returned to the lessor and then re-leased or sold with the malware in place. Even with liability disclaimers in the re-lease or sale terms, a lessor may in fact not be able to evade responsibility here.

Our recommendations to lessors include the following:

  • Include in equipment leases the requirement that all data be wiped from any leased equipment prior to the return of the equipment, with a certification from an officer of the company that this has been done.
  • Include a robust indemnification related specifically to data breaches, including without limitation, improper or inadequate data destruction practices, with the indemnity including all notification costs, attorneys' fees, fines, credit protection, etc.
  • Require the lessee to represent and warrant, as of the return date, that the lessee has not experienced a cyber incident or breach that impacted or affected the equipment in any way.
  • Before re-leasing or selling any returned equipment, the lessor may want to consider the proactive step of undertaking a forensic examination to confirm that no malware is active on the equipment. It may be wise for a lessor to consider such costs in the pricing of the original lease and/or the resale/re-lease terms.
  • Include in any terms for release or sale a disclaimer as to any malware, and require the (re)lessee or purchaser to indemnify the lessor. It is important to note, however, that such disclaimers may not be bullet-proof.
  • Require the lessee (and any re-lessee or purchaser of “second-hand” equipment) to maintain cyber insurance and crime coverage (and require that the policies be provided in advance to confirm the type of coverages, limits and exclusions), on which the lessor should be named as an additional insured.
  • We strongly recommend that you maintain your own cyber insurance and crime coverage.
  • Either: 1) do not offer data wiping services; or 2) if you offer such services, be absolutely certain that your process truly and permanently removes all data.
  • Do not offer maintenance services for leased equipment that stores data; or if you do offer such services, consider doing so only through limited-access, customer-controlled points of entry.
  • If you repossess equipment due to a lessee default, undertake a thorough examination of the equipment and remove all data as necessary, since it is likely that the defaulting lessee did not take any such action before the equipment was recaptured by the lessor.
  • In all cases, understand the equipment you are leasing — including its ability to capture data — and the type of data it may store given the business of the customer. If the equipment was at any time interfacing with a company's overall systems, data well beyond the function of the equipment itself may be stored on the equipment's systems.

Conclusion

Equipment leasing can, and should continue to be, a viable business model with limited liability, provided that lessors are mindful of the ever-changing landscape regarding data security. We encourage you to review your current forms of contract with knowledgeable leasing and cybersecurity counsel and with your insurance advisers.

*****
Michelle Schaap, Frank Peretore and Robert Hornby are members of Chiesa Shahinian & Giantomasi PC. Schaap ([email protected]) concentrates on cybersecurity and corporate law, cybersecurity/privacy regulatory compliance, cybersecurity preparedness and incident response. Peretore (fperetore@csglaw.com) focuses on commercial lending, leasing and cybersecurity, with a concentration in equipment finance. Hornby ([email protected]) represents national and regional banks and finance companies in all aspects of equipment leasing and asset-based lending, in addition to counseling clients on cybersecurity matters.