Blog

Know the Risks of a Cyberattack on Your Third-Party Service Providers

Ruth E. Promislow and Katherine F.M. Rusk
March 14, 2017
Social Media
Download
Download
Read Mode
Subscribe
Summarize

Names, emails, credit card numbers, and home addresses: chances are good that your business collects client data with information that is valuable to hackers on the black market. A hacker will at some point try to access those records. When they do, who bears responsibility for the attack? These are the questions that hundreds of companies, including Uber, OKCupid, Cisco, and Fitbit, are likely asking themselves after news of the “Cloudbleed” bug broke late last month.

At least 3,400 websites were directly impacted, all of which hired Cloudflare to provide Internet infrastructure and security. Although the Cloudbleed bug was fixed within seven hours of discovery and so far seems to be significantly less harmful than it could have been, it raises the question of who can be held liable for the breach. Questions of this nature also arose in July 2016, when Wendy's learned that over one thousand locations were affected by a malware-driven credit card breach resulting from a compromised third-party service provider. Looking further back, Target's massive credit card breach in 2013 was traced back to credentials stolen from a third-party vendor. Further notable examples of breaches through third-party vendors include T-Mobile, Lowe's, Home Depot, Walmart, Costco, Sam's Club, R.T. Jones Capital, Boston Medical Centre, and J.P. Morgan Chase.

The average cost of a breach is approximately US$4 million per incident, according to a June 2015 report by IBM's security division. At larger scales, the cost can escalate. Target, for example, has estimated that their data breach will cost approximately US$252 million, including US$10 million to settle a consumer class action lawsuit. The use of a third party also does not remove the prospect of regulatory enforcement. In 2012, Upromise Inc. settled with the FTC, as they had hired a third-party service but did not verify that the service provider followed Upromise Inc.'s privacy and security policies. Two years later, GMR Transcription settled with the FTC for failure to require that the company they hired to transcribe sensitive audio files take reasonable security measures.

Reliance on third-party providers to manage client information and internet infrastructure is nothing new. As the sophistication and proliferation of cyberattacks increases, companies have increased their use of specialized third-party providers instead of managing data in-house. But doing so does not absolve the company from liability.Companies should consider the following issues when dealing with a third-party service provider:

  • While you may delegate management of personal data to a third-party service provider, you cannot delegate responsibility for this task. You may be ultimately responsible for the manner in which the third-party service provider handled the data.
  • What steps have you taken to satisfy yourself that the third-party service provider is taking all reasonable steps to manage your customers' personal data? Confirmation from your third-party service provider that they are Payment Card Industry compliant is not necessarily enough.
  • Have you satisfied yourself on an ongoing basis that the third-party service provider is continuing to take all those reasonable steps?
  • Are there any provisions in your contract with your third-party service provider that will limit your ability to seek damages against them for failing to take reasonable steps in protecting your customers' data?

For further information on how to manage your third-party relationships, the Bennett Jones Cybersecurity team comprises a group of highly skilled partners and associates in the area of cybersecurity.

Social Media
Download
Download
Subscribe
Republishing Requests

For permission to republish this or any other publication, contact Amrita Kochhar at kochhara@bennettjones.com.

For informational purposes only

This publication provides an overview of legal trends and updates for informational purposes only. For personalized legal advice, please contact the authors.

Latest Insights

See All Insights
The Implications of AI on Performance Marketing
Blog

The Implications of AI on Performance Marketing

October 9, 2025
Benjamin K. ReingoldStephen D. Burns
Benjamin K. Reingold & Stephen D. Burns
Placeholder
Blog

Trend Watch: Determining COMI in US Chapter 15 Proceedings

October 8, 2025
Sean ZweigAndrew FrohJames Atkinson
Sean Zweig, Andrew Froh & James Atkinson
The Q3 2025 PE Briefing
Blog

The Q3 2025 PE Briefing

October 7, 2025
Dom SorbaraElizabeth K. DylkeJames G. Morand
& 1 more