[BreachExchange] Vendor Breached Your Company Data? Sorry, You're Still Liable

Destry Winant destry at riskbasedsecurity.com
Thu Jul 20 05:02:57 EDT 2017


http://www.corpcounsel.com/id=1202793368880/Vendor-Breached-Your-Company-Data-Sorry-Youre-Still-Liable?mcode=1202617073467&curindex=0&curpage=ALL

Call it the summer of vendor security mishaps.

In June, a data firm hired by the Republican National Committee
inadvertently exposed the personal information of almost 200 million
American voters by misconfiguring an Amazon cloud server. A month
later, Verizon's customer service vendor NICE Systems made the same
mistake and exposed data from 6 million Verizon customers.

While in both cases personal data was only made public for a short
amount of time and was not reported lost or stolen, the disclosures
highlight one of the most overlooked vulnerabilities companies face in
today's ever-connected economy: their third-party vendors.

From Target to Netflix, third-party vendors have caused some of the
largest and most notorious breaches to date. Such incidents caused not
only bad press and data security headaches but a slew of lawsuits and
high fines.

Yet while potentially devastating, the liabilities companies face from
a vendor's mistake can vary based on the particular breach situation
and the actions companies take beforehand. As it turns out, the devil
is in the details—and the data.

'Custodian of Data'

Depending on the particular situation, a breach or exposure of
proprietary company data by a third-party vendor may open a company up
to legal and regulatory liabilities under various state, federal and
international data security and breach notification laws.

Jarno Vanto, a shareholder at Polsinelli, explained that even though a
cybersecurity incident happens outside an enterprise, the enterprise
is still legally liable for the situation given that it is the
"custodian of the data."

In the case of NICE Systems' exposure of Verizon user information,
Vanto noted that Verizon was legally responsible for such data no
matter where it was hosted. It was likewise also responsible "to
retain vendors that can keep the data secure," he said.

But while companies are liable for vendors' mistakes, the extent of
legal and regulatory action companies such as Verizon may face depends
on many variables, including the type of data compromised. Vanto
explained, for instance, that many state notification laws only
regulate data that includes certain personally identifiable
information (PII) such as Social Security numbers or credit card
numbers.

In addition, legal liability can vary based on industry. Compared with
other sectors, financial companies whose vendors released information,
for example, can often face more stringent action by local and federal
regulators, empowered by such laws as the Gramm-Leach-Bliley Act of
1999 and the Federal Deposit Insurance Act of 2003.

Many of these laws hold financial companies accountable not only for
the disclosure of PII, but for managing the cybersecurity risks of
their vendors. And some, such as the New York State Department of
Financial Services' (NYSDFS) data security regulation, even
specifically spell out the protections vendors must have.

Beyond legal pitfalls, companies also face contractual liabilities
depending on "certain promises" made in their privacy statements or
customer contracts regarding the security of their data, Vanto said.
"Using vendors that don't secure data properly," he added, can
sometimes be a clear violation of such contractual agreements.

Though potentially less worrisome than legal and contractual
liabilities, civil liability can also be a burden for compromised
companies if their customers or agencies such as the FTC allege that
the breach caused people harm.

Such civil action, however, is difficult to prove. Jim DeGraw, a
partner in Ropes & Gray's corporate technology group, explained that
it's not just a question of "whether or not the [breach] caused any
potential damages, but the kind of data that could have caused harm,
and is the harm traceable to that particular data breach or is it
traceable to other data breaches?"

Limiting Liability

In any vendor-related breach, there is no getting around liability.
"There is really not too much you can do in terms of protecting
yourself if your vendor breaks the law," Vanto said. But there are
ways, of course, to limit one's exposure to these liabilities and
their consequences.

DeGraw, for example, noted that a company's legal liability is greatly
limited if a company and its vendors are found to have "reasonable
cybersecurity protections" in place as defined by commonly used
industry best practices and federal and state agency guidelines.

Brookes Taney, vice president of data breach solutions at Epiq
Systems, added that companies can also limit their civil liability
after breaches by freely offering such products as individual credit
monitoring and ID theft restoration to lessen the effects of PII
exposure and subsequent customer harm.

There are likewise ways to mitigate the financial effects such
liabilities can entail, such as obtaining cyberinsurance to recoup any
financial loss incurred when dealing with a vendor breach.

Vanto cautioned, however, that companies should seek "the broadest
possible coverage," covering a variety of cybersecurity incidents
and situations, lest they be left uncovered at the time when they
are most exposed. He also noted that companies can include indemnities
in their vendor contracts that require vendors to compensate the
company for "the damage cost and claims made by third parties" should
a breach occur.

This may be easier said than done, however. Speaking from a vendor's
perspective, Alison Wisniewski, vice president and corporate counsel
at Epiq Systems, said, "We would like to negotiate contracts where we
are not responsible financially."

"Notification costs are extremely expensive, and we on our end try to
limit our liability when it comes to those sorts of breaches," she
added. "But a company whose data is being sent to a third-party vendor
may want the language to read differently."
