In a recent case decided by the United States District Court of the Northern District of Illinois, the defendant alarm company’s motion to dismiss was denied. The facts of the case indicated that the plaintiff stored merchandise in a warehouse. The alarm company had a contract with the owner of the warehouse, under which it provided and monitored the warehouse’s security system. The alarm company was given access to the warehouse to assess and document security vulnerabilities, with the understanding that the resulting information was confidential and was to be securely maintained. The alarm company performed its assessment and prepared diagrams and descriptions of the warehouse that revealed security vulnerabilities.

Burglars broke into the warehouse and stole merchandise. They did so by cutting through the roof at a location that was not monitored and bypassed the security system. The plaintiff filed its lawsuit for negligence, alleging that the alarm company negligently maintained the information, allowing it to fall into the hands of burglars, and further alleging that the information had been compromised and that the defendant failed to warn the warehouse company or its tenants and failed to increase security.

The alarm company moved to dismiss, arguing that it owed the plaintiff no tort duty and further relying on the exculpatory and limitation-of-liability provision included in the contract between the alarm company and the landlord.

In its complaint, the plaintiff alleged that the alarm company negligently maintained the information identifying security vulnerabilities and that the burglars received and exploited that information to commit their crimes. The alarm company argued that it cannot be sued in negligence because it acted pursuant to a contract.

The court pointed out that the defendant’s argument was foreclosed by the Illinois Supreme Court, which held that the “plaintiff’s action is better characterized as a tort action than as a contract action and as such, no privity is required.” Further, the court stated that in a previous decision the court held that the company owed a duty, to people lawfully on the property, to exercise reasonable care in the performance of its contractual obligations.

Therefore, the court found that the defendant alarm company’s claim that it owed no duty in tort because it acted pursuant to a contract must be rejected, and that the alarm company’s alternative argument that the plaintiff should be bound by the exculpatory and damages-limiting provision in the contract with the owner of the warehouse is foreclosed, as plaintiffs are not bound by contracts to which they are not a party.

Therefore, the alarm company’s motion to dismiss was denied and the matter will go to trial.

In preparing alarm contracts for security companies, we always attempt to add a third-party indemnification provision, which effectively states that in the event an action is brought against the alarm company by a third party, the party to the contract with the alarm company (the subscriber) will indemnify the alarm company for any claims that may be made by any third party. Normally, the party to the contract will have liability insurance that would cover them for any loss.

In this case, the plaintiff was insured and apparently a good portion of the loss was paid by the insurance carrier, who was the true plaintiff in this matter by way of subrogation. I have not seen the contract in this case, but I would have to assume that there was no third-party indemnification provision in the contract or the result would have been much different, because it would have allowed the alarm company to seek indemnification from the owner of the property.


Readers Ask

Q: Is there a federal or California state requirement that pertains to cloud-based storage needing to be located on U.S. soil or can it be hosted in another country? I understand that there might be corporate or Department of Defense (DOD) requirements, but is there any legal precedent?

To ask Les Gold a question, e-mail



This question comes up frequently, particularly in the export context, so I have discussed it with my partner Su Ross, who is our resident expert on export matters. Ross advises there are restrictions about what products and their technical data can be either physically exported or made available for viewing by foreign nationals (either in their home country or when visiting the U.S. company). In that context, companies usually contract for the server to be located in the U.S. The other area where the topic comes up is in government contracts where the government agencies impose the requirement that the servers be located in the U.S. 

In addition, there are two other categories of limitations to keep in mind. The U.S. has economic sanctions on various countries, so the servers could not be located in one of those countries, such as Iran, Syria, Sudan, Cuba, North Korea, etc. The related issue would be that the U.S. government publishes lists of individuals and entities with which Americans are barred from doing business, domestically and internationally, called Denied Parties. As such, any outside-the-U.S. provider (such as the host of the foreign-based server) would need to be screened against those lists. Other than that, we are not aware of any legal or regulatory restrictions limiting where U.S. company servers may be located.