• About
  • Offices
  • Careers
  • News
  • Students
  • Alumni
  • Payments
  • FR
Background Image
Bennett Jones Logo
  • People
  • Expertise
  • Knowledge
  • Search
  • FR Menu
  • Search Mobile
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
View all
Practices
Corporate Litigation Regulatory Tax View all
Industries
Capital Projects Energy Funds & Finance Mining View all
Advisory
Crisis & Risk Management ESG Strategy and Solutions Governmental Affairs & Public Policy
View Client Work
International Experience
Insights News Events
New Energy Economy Series Business Law Talks Podcast Economic Outlook
ESG & the CIO Subscribe
People
Practices
Industries
Advisory Services
Client Work
About
Offices
News
Careers
Insights
Law Students
Events
Search
Alumni
Payments
Subscribe

Stay informed on the latest business and legal insights and events.

LinkedIn LinkedIn Twitter Twitter Vimeo Vimeo
 
Blog

Know the Risks of a Cyberattack on Your Third-Party Service Providers

March 14, 2017

Written By Ruth E. Promislow and Katherine F.M. Rusk

Names, emails, credit card numbers, and home addresses: chances are good that your business collects client data with information that is valuable to hackers on the black market. A hacker will at some point try to access those records. When they do, who bears responsibility for the attack? These are the questions that hundreds of companies, including Uber, OKCupid, Cisco, and Fitbit, are likely asking themselves after news of the “Cloudbleed” bug broke late last month.

At least 3,400 websites were directly impacted, all of which hired Cloudflare to provide Internet infrastructure and security. Although the Cloudbleed bug was fixed within seven hours of discovery and so far seems to be significantly less harmful than it could have been, it raises the question of who can be held liable for the breach. Questions of this nature also arose in July 2016, when Wendy's learned that over one thousand locations were affected by a malware-driven credit card breach resulting from a compromised third-party service provider. Looking further back, Target's massive credit card breach in 2013 was traced back to credentials stolen from a third-party vendor. Further notable examples of breaches through third-party vendors include T-Mobile, Lowe's, Home Depot, Walmart, Costco, Sam's Club, R.T. Jones Capital, Boston Medical Centre, and J.P. Morgan Chase.

The average cost of a breach is approximately US$4 million per incident, according to a June 2015 report by IBM's security division. At larger scales, the cost can escalate. Target, for example, has estimated that their data breach will cost approximately US$252 million, including US$10 million to settle a consumer class action lawsuit. The use of a third party also does not remove the prospect of regulatory enforcement. In 2012, Upromise Inc. settled with the FTC, as they had hired a third-party service but did not verify that the service provider followed Upromise Inc.'s privacy and security policies. Two years later, GMR Transcription settled with the FTC for failure to require that the company they hired to transcribe sensitive audio files take reasonable security measures.

Reliance on third-party providers to manage client information and internet infrastructure is nothing new. As the sophistication and proliferation of cyberattacks increases, companies have increased their use of specialized third-party providers instead of managing data in-house. But doing so does not absolve the company from liability.Companies should consider the following issues when dealing with a third-party service provider:

  • While you may delegate management of personal data to a third-party service provider, you cannot delegate responsibility for this task. You may be ultimately responsible for the manner in which the third-party service provider handled the data.
  • What steps have you taken to satisfy yourself that the third-party service provider is taking all reasonable steps to manage your customers' personal data? Confirmation from your third-party service provider that they are Payment Card Industry compliant is not necessarily enough.
  • Have you satisfied yourself on an ongoing basis that the third-party service provider is continuing to take all those reasonable steps?
  • Are there any provisions in your contract with your third-party service provider that will limit your ability to seek damages against them for failing to take reasonable steps in protecting your customers' data?

For further information on how to manage your third-party relationships, the Bennett Jones Cybersecurity team comprises a group of highly skilled partners and associates in the area of cybersecurity.

Download PDF

Author

  • Ruth E. Promislow Ruth E. Promislow, Partner

How Sustainable is the Government of Canada's Current Fiscal Plan?

Related Links

  • Insights
  • Media
  • Subscribe

Recent Posts

Blog

Blueberry River First Nation, Treaty 8 First Nations [...]

January 30, 2023
       

Blog

Requisitioning the Closure of Open Building Permits

January 30, 2023
       

Blog

Field Notes: Recent Pesticide Initiatives in Canada

January 26, 2023
       

Blog

Canada Border Services Agency Publishes Update of [...]

January 25, 2023
       

Blog

Balancing Act: Facilitating Trade and Worker Protection [...]

January 18, 2023
       
Bennett Jones Centennial Footer
Bennett Jones Centennial Footer
About
  • Leadership
  • Diversity
  • Community
  • Innovation
  • Security
  • History
Offices
  • Calgary
  • Edmonton
  • Montréal
  • Ottawa
  • Toronto
  • Vancouver
  • New York
Connect
  • Insights
  • News
  • Events
  • Careers
  • Students
  • Alumni
Subscribe

Stay informed on the latest business and legal insights and events.

LinkedIn LinkedIn Twitter Twitter Vimeo Vimeo
© Bennett Jones LLP 2023. All rights reserved.
  • Privacy Policy
  • Disclaimer
  • Terms of Use
Logo Bennett Jones