BreachExchange mailing list archives
Vendor Breached Your Company Data? Sorry, You're Still Liable
From: Destry Winant <destry () riskbasedsecurity com>
Date: Thu, 20 Jul 2017 04:02:57 -0500
http://www.corpcounsel.com/id=1202793368880/Vendor-Breached-Your-Company-Data-Sorry-Youre-Still-Liable?mcode=1202617073467&curindex=0&curpage=ALL

Call it the summer of vendor security mishaps. In June, a data firm hired by the Republican National Committee inadvertently exposed the personal information of almost 200 million American voters by misconfiguring an Amazon cloud server. A month later, Verizon's customer service vendor NICE Systems made the same mistake and exposed data from 6 million Verizon customers.

While in both cases personal data was only made public for a short amount of time and was not reported lost or stolen, the disclosures highlight one of the most overlooked vulnerabilities companies face in today's ever-connected economy: their third-party vendors. From Target to Netflix, third-party vendors have caused some of the largest and most notorious breaches to date. Such incidents caused not only bad press and data security headaches but a slew of lawsuits and high fines.

Yet while potentially devastating, the liabilities companies face from a vendor's mistake can vary based on the particular breach situation and the actions companies take beforehand. As it turns out, the devil is in the details—and the data.

'Custodian of Data'

Depending on the particular situation, a breach or exposure of proprietary company data by a third-party vendor may open a company up to legal and regulatory liabilities under various state, federal and international data security and breach notification laws.

Jarno Vanto, a shareholder at Polsinelli, explained that even though a cybersecurity incident happens outside an enterprise, the enterprise is still legally liable for the situation given that it is the "custodian of the data." In the case of NICE Systems' exposure of Verizon user information, Vanto noted that Verizon was legally responsible for such data no matter where it was hosted.
It was likewise responsible "to retain vendors that can keep the data secure," he said.

But while liable for vendors' mistakes, the extent of legal and regulatory action companies such as Verizon may face depends on many variables, including the type of data compromised. Vanto explained, for instance, that many state notification laws only regulate data that includes certain personally identifiable information (PII) such as Social Security numbers or credit card numbers.

In addition, legal liability can vary based on industry. Compared with other sectors, financial companies whose vendors released information, for example, can often face more stringent action by local and federal regulators, empowered by such laws as the Gramm-Leach-Bliley Act of 1999 and the Federal Deposit Insurance Act of 2003. Many of these laws hold financial companies accountable not only for the disclosure of PII, but for managing the cybersecurity risks of their vendors. And some, such as the New York State Department of Financial Services' (NYSDFS) data security regulation, even specifically spell out the protections vendors must have.

Beyond legal pitfalls, companies also face contractual liabilities depending on "certain promises" made in their privacy statements or customer contracts regarding the security of their data, Vanto said. "Using vendors that don't secure data properly," he added, can sometimes be a clear violation of such contractual agreements.

Though potentially less worrisome than legal and contractual liabilities, civil liability can also be a burden for compromised companies if their customers or agencies such as the FTC allege that the breach caused people harm. Such civil action, however, is difficult to prove.
Jim DeGraw, a partner in Ropes & Gray's corporate technology group, explained that it's not just a question of "whether or not the [breach] caused any potential damages, but the kind of data that could have caused harm, and is the harm traceable to that particular data breach or is it traceable to other data breaches?"

Limiting Liability

In any vendor-related breach, there is no getting around liability. "There is really not too much you can do in terms of protecting yourself if your vendor breaks the law," Vanto said.

But there are ways, of course, to limit one's exposure to these liabilities and their consequences. DeGraw, for example, noted that a company's legal liability is greatly limited if a company and its vendors are found to have "reasonable cybersecurity protections" in place as defined by commonly used industry best practices and federal and state agency guidelines.

Brookes Taney, vice president of data breach solutions at Epiq Systems, added that companies can also limit their civil liability after breaches by freely offering such products as individual credit monitoring and ID theft restoration to lessen the effects of PII exposure and subsequent customer harm.

There are likewise ways to mitigate the financial effects such liabilities can entail, such as obtaining cyberinsurance to recoup any financial loss incurred when dealing with a vendor breach. Vanto cautioned, however, that companies should seek "the broadest possible coverage" that covers a variety of cybersecurity incidents and situations, lest they are left uncovered during a time when they are most exposed.

He also noted that companies can include indemnities in their vendor contracts that require vendors to compensate the company for "the damage cost and claims made by third parties" should a breach occur. This may be easier said than done, however.
Speaking from a vendor's perspective, Alison Wisniewski, vice president and corporate counsel at Epiq Systems, said, "We would like to negotiate contracts where we are not responsible financially."

"Notification costs are extremely expensive, and we on our end try to limit our liability when it comes to those sorts of breaches," she added. "But a company whose data is being sent to a third-party vendor may want the language to read differently."