• About
  • Offices
  • Careers
  • News
  • Students
  • Alumni
  • Payments
Background Image
Bennett Jones Logo 100 Years
  • People
  • Expertise
  • Knowledge
  • Search
  • Menu
  • Search Mobile
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
View all
Practices
Corporate Litigation Regulatory Tax View all
Industries
Capital Projects Energy Funds & Finance Mining View all
Advisory
Crisis & Risk Management Environmental, Social & Governance (ESG) Governmental Affairs & Public Policy
Insights News Events
New Energy Economy Series COVID-19 Resource Centre Business Law Talks Podcast
Subscribe
Bennett Jones Centennial Menu
People
Practices
Industries
Advisory Services
About
Offices
News
Careers
Insights
Law Students
Events
Search
Alumni
Payments
Subscribe

Stay informed on the latest business and legal insights and events.

LinkedIn LinkedIn Twitter Twitter Vimeo Vimeo
 
Blog

Know the Risks of a Cyberattack on Your Third-Party Service Providers

March 14, 2017

Written by Ruth E. Promislow and Katherine F.M. Rusk

Names, emails, credit card numbers, and home addresses: chances are good that your business collects client data with information that is valuable to hackers on the black market. A hacker will at some point try to access those records. When they do, who bears responsibility for the attack? These are the questions that hundreds of companies, including Uber, OKCupid, Cisco, and Fitbit, are likely asking themselves after news of the “Cloudbleed” bug broke late last month.

At least 3,400 websites were directly impacted, all of which hired Cloudflare to provide Internet infrastructure and security. Although the Cloudbleed bug was fixed within seven hours of discovery and so far seems to be significantly less harmful than it could have been, it raises the question of who can be held liable for the breach. Questions of this nature also arose in July 2016, when Wendy's learned that over one thousand locations were affected by a malware-driven credit card breach resulting from a compromised third-party service provider. Looking further back, Target's massive credit card breach in 2013 was traced back to credentials stolen from a third-party vendor. Further notable examples of breaches through third-party vendors include T-Mobile, Lowe's, Home Depot, Walmart, Costco, Sam's Club, R.T. Jones Capital, Boston Medical Centre, and J.P. Morgan Chase.

The average cost of a breach is approximately US$4 million per incident, according to a June 2015 report by IBM's security division. At larger scales, the cost can escalate. Target, for example, has estimated that their data breach will cost approximately US$252 million, including US$10 million to settle a consumer class action lawsuit. The use of a third party also does not remove the prospect of regulatory enforcement. In 2012, Upromise Inc. settled with the FTC, as they had hired a third-party service but did not verify that the service provider followed Upromise Inc.'s privacy and security policies. Two years later, GMR Transcription settled with the FTC for failure to require that the company they hired to transcribe sensitive audio files take reasonable security measures.

Reliance on third-party providers to manage client information and internet infrastructure is nothing new. As the sophistication and proliferation of cyberattacks increases, companies have increased their use of specialized third-party providers instead of managing data in-house. But doing so does not absolve the company from liability.Companies should consider the following issues when dealing with a third-party service provider:

  • While you may delegate management of personal data to a third-party service provider, you cannot delegate responsibility for this task. You may be ultimately responsible for the manner in which the third-party service provider handled the data.
  • What steps have you taken to satisfy yourself that the third-party service provider is taking all reasonable steps to manage your customers' personal data? Confirmation from your third-party service provider that they are Payment Card Industry compliant is not necessarily enough.
  • Have you satisfied yourself on an ongoing basis that the third-party service provider is continuing to take all those reasonable steps?
  • Are there any provisions in your contract with your third-party service provider that will limit your ability to seek damages against them for failing to take reasonable steps in protecting your customers' data?

For further information on how to manage your third-party relationships, the Bennett Jones Cybersecurity team comprises a group of highly skilled partners and associates in the area of cybersecurity.

PDF Download

Author

  • Ruth E. Promislow Ruth E. Promislow, Partner

Bennett Jones Marks 100 Years of Service and Trust

Related Links

  • Insights
  • Media
  • Subscribe

Recent Posts

Blog

Alberta Court Denies Application to Hear Motion to [...]

May 17, 2022
       

Blog

Alberta Court of Queen's Bench Finds Conflict of Interest [...]

May 16, 2022
       

Blog

The UK’s New Economic Crime Legislation–A Sign of Things to Come?

May 16, 2022
       

Blog

Canada's Federal Budget 2022 and Canadian Sanctions Implications

May 12, 2022
       

Blog

Alberta Court of Appeal Releases Reference Opinion [...]

May 11, 2022
       
Bennett Jones Centennial Footer 100 Years
Bennett Jones Centennial Footer 100 Years
About
  • Leadership
  • Diversity
  • Community
  • Innovation
  • Security
  • History
Offices
  • Calgary
  • Edmonton
  • Ottawa
  • Toronto
  • Vancouver
  • New York
Connect
  • Insights
  • News
  • Events
  • Careers
  • Students
  • Alumni
Subscribe

Stay informed on the latest business and legal insights and events.

LinkedIn LinkedIn Twitter Twitter Vimeo Vimeo
© Bennett Jones LLP 2022. All rights reserved.
  • Privacy Policy
  • Disclaimer
  • Terms of Use
Logo Bennett Jones