[BreachExchange] Are You Prepared for Your Vendor’s Data Breach?

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 16 18:35:53 EDT 2016


http://www.jdsupra.com/legalnews/are-you-prepared-for-your-vendor-s-data-84536/

Ever since the Target and Home Depot breaches were traced to intrusions at
their vendors, the management of cybersecurity at third-party vendors has
been a focus of companies and regulators. The FTC has flagged the issue, as
has the SEC. The DoD has imposed strict cybersecurity requirements for
contractors that “flow down” to sub-contractors.

But despite an increasing focus on the full lifecycle of third-party risk
management, vendor incidents continue to represent a high percentage of
reported data breaches. According to a March 2016 Ponemon Institute report,
49 percent of survey respondents indicated that their organization
experienced a data breach caused by a vendor.

While vendor management programs can help mitigate cyber risks, part of the
issue appears to be a lack of ongoing collaboration between vendors and the
organizations they serve. For example, many vendors rely on an individual’s
social security number (“SSN”) and date of birth (“DOB”) to authenticate
employees seeking access to a portal with personal information, such as
employee tax forms, payroll statements, 401(k) plans or health benefits.
This information may be used consistently, or just for initial account
registration, after which the individual creates a unique user name and
password. These procedures may have been agreed upon years ago in
negotiated service agreements, but because of more recent data breaches,
SSNs and DOBs are frequently available on the black market, and bad actors
are using the information to access vendor sites. This type of unauthorized
access has recently affected ADP, Equifax, Greenshades and many other
vendors.

There are also significant complications in incident response with a
vendor-based data breach. The vendor and customer may have different
interests when determining what constitutes a “data breach,” whether there
are breach notification obligations, the extent to which forensic
investigations are necessary, and what level of information-sharing is
appropriate between the parties. These issues are compounded when multiple
customers are affected by a vendor breach, each with a different view on
how to handle the response.

Revisiting third-party risk management in view of recent cyber attacks
presents some important takeaways for companies and vendors to consider:

- Collaborate on data security – There should be open lines of
communication between a vendor and its customers, and parties should not
shy away from making changes to previously agreed-upon procedures in order
to address evolving cyber threats.
- Be prepared for a breach – Corporate incident response plans can include
guidelines for vendor situations, and vendors’ response plans should be
consistent with contractual obligations and be designed to meet expected
customer needs.
- Review your contractual terms – It may be time to update contractual
terms so they include specific provisions with pragmatic requirements for
monitoring and audit rights, breach response, and information-sharing.