Written by Ruth E. Promislow and Katherine F.M. Rusk
Names, emails, credit card numbers, and home addresses: chances are good that your business collects client data with information that is valuable to hackers on the black market. A hacker will at some point try to access those records. When they do, who bears responsibility for the attack? These are the questions that hundreds of companies, including Uber, OKCupid, Cisco, and Fitbit, are likely asking themselves after news of the “Cloudbleed” bug broke late last month.
At least 3,400 websites were directly impacted, all of which hired Cloudflare to provide Internet infrastructure and security. Although the Cloudbleed bug was fixed within seven hours of discovery and so far seems to be significantly less harmful than it could have been, it raises the question of who can be held liable for the breach. Questions of this nature also arose in July 2016, when Wendy's learned that over one thousand locations were affected by a malware-driven credit card breach resulting from a compromised third-party service provider. Looking further back, Target's massive credit card breach in 2013 was traced back to credentials stolen from a third-party vendor. Further notable examples of breaches through third-party vendors include T-Mobile, Lowe's, Home Depot, Walmart, Costco, Sam's Club, R.T. Jones Capital, Boston Medical Centre, and J.P. Morgan Chase.
The average cost of a breach is approximately US$4 million per incident, according to a June 2015 report by IBM's security division. At larger scales, the cost can escalate. Target, for example, has estimated that their data breach will cost approximately US$252 million, including US$10 million to settle a consumer class action lawsuit. The use of a third party also does not remove the prospect of regulatory enforcement. In 2012, Upromise Inc. settled with the FTC, as they had hired a third-party service but did not verify that the service provider followed Upromise Inc.'s privacy and security policies. Two years later, GMR Transcription settled with the FTC for failure to require that the company they hired to transcribe sensitive audio files take reasonable security measures.
Reliance on third-party providers to manage client information and internet infrastructure is nothing new. As the sophistication and proliferation of cyberattacks increases, companies have increased their use of specialized third-party providers instead of managing data in-house. But doing so does not absolve the company from liability.Companies should consider the following issues when dealing with a third-party service provider:
- While you may delegate management of personal data to a third-party service provider, you cannot delegate responsibility for this task. You may be ultimately responsible for the manner in which the third-party service provider handled the data.
- What steps have you taken to satisfy yourself that the third-party service provider is taking all reasonable steps to manage your customers' personal data? Confirmation from your third-party service provider that they are Payment Card Industry compliant is not necessarily enough.
- Have you satisfied yourself on an ongoing basis that the third-party service provider is continuing to take all those reasonable steps?
- Are there any provisions in your contract with your third-party service provider that will limit your ability to seek damages against them for failing to take reasonable steps in protecting your customers' data?
For further information on how to manage your third-party relationships, the Bennett Jones Cybersecurity team comprises a group of highly skilled partners and associates in the area of cybersecurity.