Commercial Leases – Part 1

I recently led a seminar on commercial leases for my local Small Business Development Center. I have led two such seminars, and I realized that I could share what we discussed as part of my blog and maybe help many more people.

I expect that this will be a series of posts, perhaps four or so.

What is a lease?

Legally, property rights can be divided into two main rights: the right of ownership and the right of possession. When you own a home or office, you have both of those rights, but when you lease a space you are paying for the right of possession only.

The right of possession generally means that you have the right to occupy the space and prevent others from occupying it. You can use the space in any way you see fit for the length of the lease. But there are caveats that are imposed by the lease that dictate how the space is used and how much you must pay for it.

You will hear certain terms thrown around when discussing commercial leases. Two important terms that you should be aware of are “gross lease” and “net lease”. A gross lease is a lease where the utilities and real estate taxes are included in the rental price. A net lease is a lease where those other expenses are charged to the tenant separately. One is not better than the other, but it is important to understand what is included in your rent.

What do I look for in a lease (or contract) generally?

I always ask myself three questions when I’m reading a contract, and a lease is merely a specific form of contract.

  1. What does this section mean?
  2. Why does this section matter?
  3. How would I improve this section?

I ask these questions over and over again as I review a lease. If you cannot answer one of these questions, you need to dig deeper or talk to an expert. In my experience, there are rarely sections in a contract that have no meaning or effect.

By the way, I missed the most important thing you will learn from this series: read the contract. Again, READ THE CONTRACT. Too many people simply take the broker’s word for what is in the contract and sign away without taking the time to read it. I understand that you may not have the funds to hire a lawyer, but that doesn’t mean you should sign something blindly.

The last thing I look for in a contract or lease is clarity. You should always seek clarity. Any time you see language that says “this will be decided later” or “whatever the landlord needs to make this happen”, a huge red flag should pop up in your mind. Every term should be clearly defined. Don’t assume that these things can be ironed out later. Once a conflict starts, you will want to rely on the contract to work through the issues. If the contract is not clear, the conflict may spiral out of control.

Important Terms

The rest of this series will be dedicated to discussing specific terms that occur in commercial leases. I want to talk about what they mean and why you should pay attention to them.

Square Footage

Every lease will define the space that is being leased. It will lay out the space that the tenant controls and the space controlled by the landlord. There should be a calculation of square footage included. This is important for a few reasons.

First, you need to understand how much space you really need. Commercial leases are generally signed for three to five-year terms (we will discuss term later). That means that you need to consider the space you will need today and three years from now. Is your business growing, for example? Better plan on a little more space to grow into. This is not a legal consideration, but it’s a serious consideration nonetheless.

Second, the square footage affects other provisions of the lease. For example, you may qualify for a sign on the outside of the building, if you have enough space. It will also dictate the common area expenses you will have to pay, which are normally calculated based on a pro-rata share of overall square footage. Taxes are also influenced heavily by the square footage of your space. You need to pay attention to how sections on square footage interact with other sections of the lease.


Term

Term refers to the length of the lease. As I mentioned earlier, commercial leases are generally three to five-year leases. Many new business owners want to sign a short lease because they, accurately, realize that it limits their liability in the event the business does not work out. But there is risk in both long and short leases.

A long lease potentially carries high liability for the business owner in the event the business fails. A long lease is also a problem if the business grows very rapidly and needs more space, although that is the best kind of problem. Therefore, by signing a long lease the owner is taking a risk.

But a short lease is also a risk. If you have a retail location, a short lease can be a major liability in the event the business does well. If you have a retail location that is growing rapidly and has a dedicated following, renegotiating your lease can be very difficult. Your landlord can charge you much more to stay in the space, and if you leave, your business will likely die. That is a tough spot to be in a year into a business endeavor.

A three-year lease is a good starting spot. Be confident in your business and sign a lease that makes sense for both success and failure.

Is a Company Liable for Being Hacked?

Data breaches are becoming everyday news. When large companies are hacked, we all hear about it, but small companies get hacked too. Hacking isn’t like the movies, either. It’s not a solo person in their parents’ basement typing vigorously through your firewall. No, hackers are likely breaking into your system by sending emails. It’s the most common way companies are attacked.

Frequently, I hear people explain how companies get sued after a data breach. I recently read an article that cautioned businesses that “consumers have successfully sued a company for wrongfully disclosing their information, whether due to hacking or employee negligence, in hundreds of cases,” (“3 Legal Repercussions of Cyber Attacks”, Larry Alton). With due respect to Larry, what lawsuits is he referring to? There are thousands of security breaches every year, and I couldn’t think of one lawsuit that had been successfully brought by an injured consumer. (By the way, Larry was not the only person to provide these kinds of stats. Many websites warn businesses of the dangers of cybersecurity-based lawsuits.)

The reason there aren’t many lawsuits might be because companies tend to be pretty proactive following a breach. Many even pay for identity protection insurance for injured consumers. The other reason might be that many people don’t even know that they had their data breached.

But I suspect that the real reason we don’t hear about these lawsuits is that it is much harder to sue for negligent data breach than people realize.

Consumer Lawsuits Based on Data Breach

A lawsuit based on data breach will most likely be a negligence claim. Consumers would allege that the company did not take reasonable precautions to protect their data. Unless the company purposely disclosed consumer information, this would be the most likely path to a lawsuit.

But what is actually required to make a claim for negligence? It’s not enough to show that data was disclosed. You have to show that the company was negligent in protecting it.

Let’s assume that the company had a duty to protect a consumer’s data. That consumer would still need to prove that the company’s negligence caused the data breach and that the consumer was damaged by the breach. I think both of these items are difficult to establish in court.

Causation in Data Breach

There are two types of causation: factual cause and proximate cause. To prove factual cause, the plaintiff needs to show that, but for the negligence, the injury would not have happened. This is generally easy to prove. Proximate cause, on the other hand, requires that the plaintiff prove that the injury was a foreseeable result of the negligence. Generally, an independent actor, like a hacker, would sever the chain of proximate cause because that actor’s conduct is not a foreseeable outcome.

Courts have previously ruled that someone committing a crime is not necessarily foreseeable. For example, if I own a bar and a patron punches another patron in the face, I am not likely liable because assault is not necessarily foreseeable. Don’t get me wrong, there are factual circumstances that can make something like that foreseeable, but normally it is not.

The same applies to data security. From a company’s perspective, it is not foreseeable that someone will take concerted, criminal action against its computer system.

Or is it? I definitely think that we are heading towards a place where these kinds of attacks are foreseeable, especially in regard to certain kinds of businesses. Hospitals and law firms are being hacked more and more regularly. At what point is a hack foreseeable?


Damages

Damages can also be difficult to prove in a negligence claim based on data breach. Let’s say that your personal information gets disclosed in a massive hack on your bank. But let’s also assume that your accounts are fine. How do you know that you have been damaged?

HIPAA laws assume damages, but other forms of breach don’t have those same assumptions. The tricky thing about a data breach is that your information may not be used against you any time soon. Your personal information can bounce around the internet for years before your identity is stolen. When it is stolen it will be nearly impossible to link its theft to a specific data breach.

Until you actually see the impact of your data being used, how do you prove damages? Perhaps you can prove potential damages, but those are tricky for courts and juries to understand. How do we weigh the risk of identity theft in connection to a breach? I honestly don’t know.

Should we take precautions?

Just because a company can’t be successfully sued doesn’t mean that we shouldn’t take precautions. If your company has a massive breach, you will likely lose clients, which should be incentive enough to avoid these problems.

Companies should invest in security. We all use cloud computing now, but that’s no real excuse for ignoring security protocol. I recommend that companies have regular training on common threats and regularly update their systems to prevent intrusion. I also think every company should have a plan in the event they are hacked. How will they notify their clients? How will they contain the threat? How will they stop the next attack?

Companies should also consider insurance for cybersecurity breaches. Many commercial insurance policies include provisions for data breach now, sometimes for no additional premium. These policies can offset the cost of resetting a computer system and may allow a company to offer identity theft protections to its clients.

The trick is that some precautions are probably necessary to avoid liability.

For example, let’s say that I have my clients’ social security numbers in a file in my office. Am I liable if someone breaks into my office and steals that file? Probably not. But what if I leave that file in front of my glass door and label it in big, bold letters “SSN’s”? What if I leave my office unlocked? Then I’m probably liable.

It’s the same for cybersecurity threats. Right now, very little is necessary to satisfy your duty to your customers. But it seems to me that over the next few years, courts will start to expect a modicum of security to be implemented. Little things will be necessary at first – updating your system, training employees on the risks of unknown email attachments, etc. Eventually, you may need actual IT security systems in place in order to avoid liability.

Just because a company isn’t liable doesn’t mean it should be cavalier with data. We need to establish good practices. Our clients should expect it now, and the courts will expect it in the future.

Legalities of Contact Tracing Precautions

I appeared in court last week in a courthouse that I have not visited since March. I have plenty of cases there, but the judges have been very efficient at keeping attorneys out of the courtrooms. I had to attend because I had clients who were appearing.

When I arrived, security asked me a battery of questions including if I had any symptoms of COVID or if I had come in contact with anyone who had symptoms of COVID. They then took my temperature using a thermal camera. Once I was allowed into the courthouse, I was asked to fill out a half sheet of paper, detailing who I was, my contact info, and which courtroom I was to appear in. Finally, a bailiff escorted me to the courtroom.

All of these procedures felt a bit overboard to me, and I was concerned that I would have too high a temperature to be let in the building. I didn’t have any signs of COVID, but I know that thermal cameras can be very inaccurate at measuring body temperatures. I wondered if I would be black-listed if I registered higher than 100.4 degrees. Being escorted also seemed a bit silly since it’s a public building. Plus, they did not escort me out, which meant I was free to roam the premises. I didn’t, but it did seem to undermine the value of the original escort.

But this got me thinking, is this legal? What if I had refused to comply with one of these steps? I assume I would have been barred from entering the courthouse, but can they do that?

The short answer is yes, they can do all of these things, but I think it warrants some discussion.

What businesses (and government) are doing

Businesses and governments are pulling out all stops on the COVID prevention routines. I have seen some form of each of the following techniques:

Recording customer information

Taking names, phone numbers, and, possibly, email addresses.

Taking temperatures

The temperature that is most often cited for refusing admittance is 100.4. I have heard stories of patrons being forced to wait for their temperature to come down before being admitted, but I have never heard of anyone who was actually barred due to temperature.

I recently heard about someone who tested at 107, which would mean that they were dead. Eventually, their temperature came down and they were allowed into the establishment, but it begs an important question: what happens when the machine is clearly wrong?

Asking COVID-related questions

These questions normally include whether you have symptoms, which can be tricky since the list of symptoms is pretty long, and I have yet to hear of an establishment identifying what the symptoms are. Do you have to report if you have a headache but no fever? I don’t know. I imagine that many people lie about these questions. I’m not sure what value they actually have.

Limiting the number of customers on the premises

Limiting customers may be mandated by government order. This limitation makes sense, but it can be applied in kind of silly ways. For example, I visited a local game store recently and the manager told me that he had to limit the store to five customers. He lamented to me that sometimes this meant separating families – a mother, father, and their four children, for example. One person would have to wait outside. But of course, that’s silly because those six people live together and don’t pose any additional risk by being allowed in together, not even to him.

Requiring the use of masks

This requirement is mandated by the government and makes perfect sense. Masks have been proven to reduce the risk of spreading the illness and pose no hazard to the wearer. If you disagree with me, don’t bother letting me know. I don’t care about your opinion, you are wrong.

Mandating social distancing

This is also an obvious solution to the problem. The little dots that businesses ask you to stand on help to keep space between people and reduce the spread of the infection.

Some places are using one or two of these strategies, and some places are using all of them.

Is it legal?

Businesses cannot refuse to serve someone based on a discriminatory reason, and, generally, when we consider limitations such as the ones listed above, we need to consider whether the limitations imposed satisfy a legitimate business purpose.

The legitimate business purpose is to limit the spread of COVID. That is clearly a reasonable purpose, so the actions taken are legal because they are pursuing that purpose, even if it means that the business is refusing to serve some people.

Therefore, you can’t claim discrimination when a business makes you leave because you’re not wearing a mask. First, I’m not sure there is discrimination there at all. Requiring you to wear a shirt is not discriminating. Second, they are fulfilling a legitimate business purpose in protecting their employees and other customers.

But what about some of the other requirements?

For example, taking temperatures has been proven to not prevent the spread of COVID. Thermal cameras are frequently wrong, and not everyone who has COVID gets a fever. Further, the actual problem with COVID is that the vast majority of people have no symptoms at all, including fever. Therefore, arguably taking temperatures does not satisfy the legitimate purpose of limiting the spread of infection. Can businesses or governments use a method that doesn’t work and still satisfy the legitimate purpose?

We see this in other areas. Consider the security theater that occurs before getting on a plane. Taking off your shoes almost certainly does not prevent attacks on airplanes, but we do it anyway. I actually read an article years ago (that I cannot cite due to lack of memory) that discussed how the FBI conducted a test whereby it was able to smuggle an outrageous number of bombs aboard airplanes. My point is that these security requirements are allowed despite not being very effective, so it stands to reason that judges will also allow the taking of temperatures to enter a store or government building.

In short, yes, I think the security theater will be allowed, and if you refuse to comply with the requirements, they can refuse to admit you.