In previous articles, we’ve talked about what the Cost-Per-(Flight)-Minute (CPM) metric is, how to use it to improve your drone operations, how to collect the data for CPM, how to make sure you own the data and to make sure that you can move the data to another vendor.
In this article, we’re going to talk about how to protect all of that CPM data from data breaches and ransomware attacks.
Let’s first do some background.
What is a data breach? More likely than not you’ve received a data-breach notice in the mail from a hotel chain, a government agency, or some other company you’ve never heard of stating that your personal information was “exposed” during a cyber attack. Well, what does that even mean?
Here’s the most common form of breach. The “bad actor” (usually some guy living in his parents’ basement) finds a way to get an employee’s legitimate login information for a company’s systems (typically by sending the employee an email with a link that installs remote-access software on the employee’s computer) and then just cruises around that company’s systems looking for personal information. And, because the bad actor is using legitimate employee login information, it’s super hard to detect and, even when detected, it’s super hard to figure out what the bad actor was looking at versus what the real employee was looking at.
That’s why the data-breach notice says “exposed.” It’s a short-hand way of saying: “we have no clue what the bad actor actually did or even if the bad actor actually looked at your personal information - but they could have.” The bad actor, of course, sells your personal information on what’s called the “dark web” or tries using it to get loans, credit cards, etc.
What is a ransomware attack? Ransomware attacks often start the same way as data breaches (i.e., through legitimate employee login) but they have a different aim. They lock the company out from its own systems - until the company pays the ransom.
But do you need to worry about data breaches or ransomware attacks? The answer is: YES if you haven’t read this article, but NO after you’ve read it.
Data breaches or ransomware attacks are something that your drone-ops-platform vendor really doesn’t want to talk about (especially during the sales process) for two reasons.
- First, nearly all tech companies have experienced a breach or attack, so the odds are very high that your drone-ops-platform vendor has as well (or is in the process of dealing with one or will in the very near future).
- Second, the legalese in their contract will almost certainly have a Limitation of Liability (“LOL”) and/or a Disclaimer that specifically states that either the vendor is only liable up to the amount of annual fees paid or, even worse, the vendor is not liable at all. That means that, if there is a data breach or ransomware attack, the vendor can legally state that it’s not their problem. It’s your problem.
The good news is that it’s very unlikely that you have any personal information on the drone ops platform. If you do have personal information, then that is bad news, because the dollar amounts get big fast. It costs about $2k to $5k per record (containing personal information) to do all of the reporting required by each and every legal jurisdiction where each “exposed” person is located. Think: lots of attorneys figuring that mess out at $1000 per billable hour = boat loads of cash.
OK. Then how do you fix this? First, a disclaimer. We are offering these as examples and not as legal advice. In other words, you need to get your own attorney to advise as to whether these provisions work for you or not.
Contractual Provisions. Ideally, you’d have a provision in your contract stating that the vendor is liable for any and all data breaches or ransomware attacks, but this is pretty much dead on arrival. There is just too much money at stake. One breach or attack could kill the vendor as a company. The compromise here is to put in an indemnity with a “super cap” on the LOL (limitation of liability), i.e., instead of one year’s worth of fees, the “super cap” increases it to 3 to 5 times annual fees.
“Vendor will indemnify, defend and hold Client, its owners, officers, employees, agents, successors and assigns harmless from and against any and all claims, actions, proceedings, judgments, losses, liabilities, costs and expenses (including attorneys’ fees) arising from and/or relating to any data breaches, ransomware attacks, and/or any unauthorized access to and/or use of the Vendor Systems (the “Cyber Indemnity”). However, notwithstanding any other provision of this Agreement, the total aggregate liability of Vendor for the Cyber Indemnity will be limited to the amount paid by Client to Vendor for the most recent one-year period of the Agreement up to the date such liability arose, multiplied by 5.”
Insurance. Better yet, push to get the cyber-liability insurance provision below included in the contract. Insurance is actually a better solution than the indemnity provision above because, if there is a breach or attack, the vendor is just going to file a claim with their insurance carrier anyway, and you’d need to sue the insurance carrier. Not fun. But, if you use the provision below, you’ll be filing a claim and dealing with their adjuster team directly. Yes, the bad news is that you have to deal with an insurance company, but this is all about making a bad situation less bad.
“Prior to the Effective Date and each anniversary of the Effective Date, Vendor will provide Client with a Certificate of Insurance evidencing the existence of valid and enforceable insurance policies as follows: Professional Liability (Errors and Omissions Liability) insurance including Cyber Liability (Network Security and Privacy Liability) insurance with a minimum limit of $2,000,000 per occurrence or per claim. The policy shall cover professional misconduct or lack of ordinary skill for those positions providing services pursuant to this Agreement, including without limitation installation, programming, implementation, training, support, or warranty services. The insurance shall provide coverage for the following risks (a) liability arising from theft, dissemination and/or use of personal information stored or transmitted in electronic form, (b) Network Security Liability arising from the unauthorized access to, use of or tampering with computer systems including hacker attacks, inability of an unauthorized third party to gain access to a computer system connected with a Service including denial of service, unless caused by a mechanical or electrical failure and (c) liability arising from the introduction of a computer virus into, or otherwise causing damage to, Client’s or a third person's computer, computer system, network or similar computer related property and the data, software, and programs thereon. The aforementioned insurance coverages shall be placed with insurers that are authorized to do business in the state(s) where the services contemplated herein are being performed and with insurers that have at least an A-VII A.M. Best rating. All of the above insurance shall be maintained without any lapse throughout the Term of this Agreement. Vendor will furnish a Certificate(s) of Insurance reflecting all of the above coverages and a provision providing for at least thirty (30) days' prior notice of cancellation.”
That’s definitely a mouthful, but it’s better than explaining to your boss that you have to pay some guy in his parents’ basement a ransom to get your data and system access back.
In the next article, we’ll talk about some of the common issues affecting CPM and what to do about them.
About the Authors:
Eno Umoh is an expert in marketing and business operations and is the co-founder of Global Air Media & The Global Air Drone Academy, where he has taught over 18,000 students in 26 countries about drone technology, best practices, and how to make a drone business scale and get to profit. Eno collaborates with drone businesses to help them achieve their goals.
Justin Call is the Co-Founder and CEO of Modovolo, a start-up that's built a drone to carry any payload for hours instead of minutes at a cost far below anything on the market. You'll want to see it for yourself. He has been an executive at venture capital and private-equity-backed technology and data companies with three exits ranging from $1.5 billion to $130 million. He has deep experience in leveraging data to understand and build businesses.