The self- storage market has been valued globally at over forty billion dollars. As part of the industry’s growth and expanded use of technology to operate these businesses, self-storage operators are increasingly exposed as the targets of potential litigation, especially in the area of cyber and data liability. These days, self-storage operators must not only tackle the regulatory compliance issues that are part of their state lien laws but they must also hold themselves accountable to a myriad of other laws that impact their day to day management. Based on the size of their operations, facility operators must be aware of and comply with the Fair Credit Reporting Act (FCRA), Fair and Accurate Credit Transactions Act of 2003 (FACTA), California Consumer Privacy Act (CCPA), state and federal security breach notification laws, the Payment Card Industry Data Security Standard (PCI DSS), global requirements under the European Union’s General Data Protection Regulation (GDPR), and other federal and state cyber and data requirements.
As it stands now, all fifty states have enacted some form of data breach notification law, which imposes certain obligations on companies to notify customers when personally identifiable information is compromised. These laws require businesses to provide notification to their affected customers. In some states, notification is required to be made to state regulators and oftentimes incurs the expense of credit monitoring for the customer’s ongoing protection. Another growing area of potential cyber liability arises from the privacy laws that have been enacted already in a number of states, including California, Colorado and Virginia. . These state privacy laws control the types of data that companies can collect, limit how that information can be shared and provide rights to the customer to “opt out” of any third-party sales (including the right to data destruction after use). Although there have been discussions about the creation of a federal law to cover all privacy rights, it appears more likely that we’ll see the introduction of state-by-state privacy protection laws, each with their own compliance requirements. Self-storage operators need to be prepared to address these risks and the likely litigation issues which may arise from these risks as part of their standard operations. The following are some risk management obligations for self-storage operators to consider:
Unfortunately, the risks of cyber liability and compromise via data breach cannot be ignored as the self-storage industry shifts to more and more web-based and mobile applications where customer data is collected, stored and utilized on a regular basis. The time has come to address these risks and prepare accordingly.
This article was originally published by Scott Zucker, January 2022