Commercial Leases – Part 2

I started this series on commercial leases one month ago. My goal is to cover all of the major issues in a commercial lease over the course of four posts (or maybe more). If you have any specific questions, please feel free to contact me for more information.

Buildout

Buildout tends to be a big topic for tenants looking to rent space for their business. By buildout, I mean the process of reconfiguring the space to suit the needs of the new tenant. Some buildouts are small, maybe moving a wall or adding a door, but some can be huge like installing a kitchen.

Sometimes landlords will do the buildout for the tenant. Generally, when this happens the landlord adds some cost to the rent every month, meaning that the tenant will pay for the buildout over the length of the lease.

I actually like this system for many new businesses, because it defers the cost of renovation for the tenant and works a bit like financing from a bank. Buildouts can cost quite a bit. Large expenses can swamp a small business early in life. By spreading the expense out, the business can more effectively manage its cash flow.

But landlord buildouts are not always a good deal. I recommend that tenants get an estimate of what the buildout will cost and seriously consider the additional rent they will pay. Sometimes the landlord is gouging the tenant on the cost of the buildout.

For example, I represented a tenant that wanted a fairly small buildout for a commercial office. He wanted some walls moved and some glass doors added. Nothing insane, but it wasn’t cheap, either. The estimate for the work was around $18,000. The landlord wanted to add an additional $600/month for the buildout. On a five-year lease that added $36,000 to the cost of the lease (not including the increase in rent every year, which was a percentage increase). The landlord wanted to charge double for the buildout. We decided it wasn’t worth that price tag and the client went elsewhere.

Options

An option allows the tenant to extend the lease at its termination. Generally, there is a period of time where an option is allowed, something like not less than 90 before the end of the lease but not more than 180 days. During that window, the tenant has the right to inform the landlord of its desire to extend the lease for a predetermined length of time. Sometimes the added time is a new term, and sometimes the added term is shorter.

Normally, the extension comes with an increase in rent, which the tenant should plan for. Otherwise, the same terms that applied to the first lease remain in full force and effect.

I consider these provisions to be a benefit to the tenant. It gives the tenant a lot of flexibility. Landlords shouldn’t mind them, either, since they encourage tenants to stay more than one term. They can easier be a win-win situation.

When possible, I encourage tenants to ask for an option. There is usually very little risk for the landlord to agree to an option up-front, whereas once the tenant has been in the space it’s harder to negotiate extensions on term because the landlord might believe that it can get more rent from another tenant.

Arbitration Clauses

Arbitration clauses are becoming very popular in virtually all agreements I review. These clauses normally call for some version of AAA arbitration. Essentially, each party chooses an arbitrator to hear the case and those arbitrators choose a third arbitrator to break ties. This all sounds great in theory, but arbitration doesn’t work for everyone.

Arbitration can be very slow. The process is somewhat unwieldy and there is no central body, like a court, to moderate disputes in the process. Frequently, parties would be happier having the matter heard by a local judge. Despite most people wanting to avoid litigation, arbitration does not necessarily save time or money.

If you are signing a lease with an arbitration clause, I urge you to read it and understand the timelines and requirements it imposes. These provisions usually contain specific deadlines for demanding arbitration and choosing arbitrators. Don’t assume that the other side is familiar with the requirements, either. I find that these provisions are included by lawyers without much discussion with clients.

Next Time

In my next post I plan to discuss security deposits, common area expenses, taxes, and insurance. I post these articles monthly so if you have a burning question before then, please do not hesitate to contact me.

Commercial Leases – Part 1

I recently led a seminar on commercial leases for my local Small Business Development Center. I have led two such seminars, and I realized that I could share what we discussed as part of my blog and maybe help many more people.

I expect that this will be a series of posts, perhaps four or so.

What is a lease?

Legally, property rights can be divided into two main rights: the right of ownership and the right of possession. When you own a home or office, you have both of those rights, but when you lease a space you are paying for the right of possession only.

The right of possession generally means that you have the right to occupy the space and prevent others from occupying it. You can use the space in any way you see fit for the length of the lease. But there are caveats that are imposed by the lease that dictate how the space is used and how much you must pay for it.

You will hear certain terms thrown around when discussing commercial leases. Two important terms that you should be aware of are “gross lease” and “net lease”. A gross lease is a lease where the utilities and real estate taxes are included in the rental price. A net lease is a lease where those other expenses are charged to the tenant separately. One is not better than the other, but it is important to understand what is included in your rent.

What do I look for in a lease (or contract) generally?

I always ask myself three questions when I’m reading a contract, and a lease is merely a specific form of contract.

  1. What does this section mean?
  2. Why does this section matter?
  3. How would I improve this section?

I ask these questions over and over again as I review a lease. If you cannot answer one of these questions, you need to dig deeper or talk to an expert. In my experience, there are rarely sections in a contract that have no meaning or effect.

By the way, I missed the most important thing you will learn from this series: read the contract. Again, READ THE CONTRACT. Too many people simply take the broker’s word for what is in the contract and sign away without taking the time to read it. I understand that you may not have the funds to hire a lawyer, but that doesn’t mean you should sign something blindly.

The last thing I look for in a contract or lease is clarity. You should always seek clarity. Any time you see language that says “this will be decided later” or “whatever the landlord needs to make this happen” a huge red flag should pop out in your mind. Every term should be clearly defined. Don’t assume that these things can be ironed out later. Once a conflict starts, you will want to rely on the contract to work through the issues. If the contract is not clear, the conflict may spiral out of control.

Important Terms

The rest of this series will be dedicated to discussing specific terms that occur in commercial leases. I want to talk about what they mean and why you should pay attention to them.

Square Footage

Every lease will define the space that is being leased. It will lay out the space that the tenant controls and the space controlled by the landlord. There should be a calculation of square footage included. This is important for a few reasons.

First, you need to understand how much space you really need. Commercial leases are generally signed for three to five-year terms (we will discuss term later). That means that you need to consider the space you will need today and three years from now. Is your business growing, for example? Better plan on a little more space to grow into. This is not a legal consideration, but it’s a serious consideration nonetheless.

Second, the square footage affects other provisions of the lease. For example, you may qualify for a sign on the outside of the building, if you have enough space. It will also dictate the common area expenses you will have to pay, which are normally calculated based on a pro-rata share of overall square footage. Taxes are also influenced heavily by the square footage of your space. You need to pay attention to how sections on square footage interact with other sections of the lease.

Term

Term refers to the length of the lease. As I mentioned earlier, commercial leases are generally three to five-year leases. Many new business owners want to sign a short lease because they, accurately, realize that it limits their liability in the event the business does not work out. But there is risk in both long and short leases.

A long lease potentially carries high liability for the business owner in the event the business fails. This is also true if the business grows very rapidly and needs more space – this is also a problem, but the best kind of problem. Therefore, by signing a long lease the owner is taking a risk.

But a short lease is also a risk. If you have a retail location, a short lease can be a major liability in the event the business does well. If you have a retail location that is growing rapidly and has a dedicated following, renegotiating your lease can be very difficult. Your landlord can charge you much more to stay in the space, and if you leave your business will likely die. That is a tough spot to be in a year into a business endeavor.

A three-year lease is a good starting spot. Be confident in your business and sign a lease that makes sense for both success and failure.

Is a Company Liable for Being Hacked?

Data breaches are becoming everyday news. When large companies are hacked, we all hear about it, but small companies get hacked too. Hacking isn’t like the movies, either. It’s not a solo person in their parents’ basement typing vigorously through your firewall. No, hackers are likely breaking into your system by sending emails. It’s the most common way companies are attacked.

Frequently, I hear people explain how companies get sued after a data breach. I recently read an article that cautioned businesses that “consumers have successfully sued a company for wrongfully disclosing their information, whether due to hacking or employee negligence, in hundreds of cases,” (“3 Legal Repercussions of Cyber Attacks”, Larry Alton). With due respect to Larry, what lawsuits is he referring to? There are thousands of security breaches every year, and I couldn’t think of one lawsuit that had been successfully brought by an injured consumer. (By the way, Larry was not the only person to provide these kinds of stats. Many websites warn businesses of the dangers of cybersecurity-based lawsuits)

The reason there aren’t many lawsuits might be because companies tend to be pretty proactive following a breach. Many even pay for identity protection insurance for injured consumers. The other reason might be that many people don’t even know that they had their data breached.

But I suspect that the real reason we don’t hear about these lawsuits is that it is much harder to sue for negligent data breach than people realize.

Consumer Lawsuits Based on Data Breach

A lawsuit based on data breach will most likely be a negligence claim. Consumers would allege that the company did not take reasonable precautions to protect their data. Unless the company purposely disclosed consumer information, this would be the most likely path to a lawsuit.

But what is actually required to make a claim for negligence? It’s not enough to show that data was disclosed. You have to show that the company was negligent in protecting it.

Let’s assume that the company had a duty to protect a consumer’s data. That consumer would still need to prove that the company’s negligence caused the data breach and that the consumer was damaged by the breach. I think both of these items are difficult to establish in court.

Causation in Data Breach

There are two types of causation: factual cause and proximate cause. To prove factual cause, the plaintiff needs to show that but-for the negligence the injury would not have happened. This is generally easy to prove. Proximate cause, on the other hand, requires that the plaintiff prove that the injury was a foreseeable result of the negligence. Generally, an independent actor, like a hacker, would sever the chain of proximate cause because it’s not a foreseeable outcome.

Courts have previously ruled that someone committing a crime is not necessarily foreseeable. For example, if I own a bar and a patron punches another patron in the face, I am not likely liable because assault is not necessarily foreseeable. Don’t get me wrong, there are factual circumstances that can make something like that foreseeable, but normally it is not.

The same applies to data security. As a company, it is not foreseeable to have someone make a concerted, criminal action towards its computer system.

Or is it? I definitely think that we are heading towards a place where these kinds of attacks are foreseeable, especially in regard to certain kinds of businesses. Hospitals and law firms are being hacked more and more regularly. At what point is a hack foreseeable?

Damages

Damages can also be difficult to prove in a negligence claim based on data breach. Let’s say that your personal information gets disclosed in a massive hack on your bank. But let’s also assume that your accounts are fine. How do you know that you have been damaged?

HIPAA laws assume damages, but other forms of breach don’t have those same assumptions. The tricky thing about a data breach is that your information may not be used against you any time soon. Your personal information can bounce around the internet for years before your identity is stolen. When it is stolen it will be nearly impossible to link its theft to a specific data breach.

Until you actually see the impact of your data being used, how do you prove damages? Perhaps you can prove potential damages, but those are tricky for courts and juries to understand. How do we weigh the risk of identity theft in connection to a breach? I honestly don’t know.

Should we take precautions?

Just because a company can’t be successfully sued doesn’t mean that we shouldn’t take precautions. If your company has a massive breach, you will likely lose clients, which should be incentive enough to avoid these problems.

Companies should invest in security. We all use cloud computing now, but that’s no real excuse for ignoring security protocol. I recommend that companies have regular training on common threats and regularly update their systems to prevent intrusion. I also think every company should have a plan in the event they are hacked. How will they notify their clients? How will they contain the threat? How will the stop the next attack?

Companies should also consider insurance for cybersecurity breaches. Many commercial insurance policies include provisions for data breach now, sometimes for no additional premium. These policies can offset the cost of resetting a computer system and may allow a company to offer identity theft protections to its clients.

The trick is that some precautions are probably necessary to avoid liability.

For example, let’s say that I have my clients’ social security numbers in a file in my office. Am I liable if someone breaks into my office and steals that file? Probably not. But what if I leave that file in front of my glass door and label it in big, bold letters “SSN’s”? What if I leave my office unlocked? Then I’m probably liable.

It’s the same for cybersecurity threats. Right now, very little is necessary to satisfy your duty to your customers. But it seems to me that over the next few years, courts will start to expect a modicum of security to be implemented. Little things will be necessary at first – updating your system, training employees on the risks of unknown email attachments, etc. Eventually, you may need actual IT security systems in place in order to avoid liability.

Just because a company isn’t liable doesn’t mean it should be cavalier with data. We need to establish good practices. Our clients should expect it now, and the courts will expect it in the future.