Lessons from Equifax (part 2): Your vendor contracts are shields and swords
Posted on 02/27/2018 at 12:00 AM by Jesse Johnston
The costs of a data breach can be unfathomable. A recent IBM study found that a consumer data breach costs a U.S. company, on average, $7.35 million. This figure includes notification costs, forensic activities, and the loss associated with the churn rate (the loss of recurring customers). The worst part about this number? Companies are paying these costs for the negligence or bad acts of their service providers.
The most sensitive vendor arrangements are those in which your vendor will have access to personally identifiable information (PII). When you are negotiating a contract with a critical vendor like this, there are three crucial provisions to review: indemnification, incident response procedures, and management of your vendor’s subcontractors (also known as third-party service providers or third-party vendors). Your vendors will present you with a one-sided, pre-drafted agreement—do not let this be the final word.
Very few providers will offer express warranties for their products or services (they won’t even warrant that their product or service is fit for a particular use!). Your organization should instead look for an indemnification that covers claims arising in the event the vendor experiences a security breach. If customer PII is exposed, there will no doubt be reputational harm to your organization, but the largest costs would likely come from defending claims brought by the exposed customers. If the breach is the vendor’s fault, make sure your contract requires the vendor to pay. For example, Equifax has confirmed that the attackers who breached the credit-reporting company entered its systems through a web-based application with a known software flaw that should have been patched months earlier.
In order to have a strong indemnification like the one discussed above, the contract will need a well-drafted definition of “security breach.” Your organization will want this term drafted broadly, and will need provisions that require the vendor to notify you in the event of a security breach. The vendor should also have a post-breach investigation plan or procedure to ensure that forensic data is preserved and evaluated.
Finally, the contract should contain promises that your vendor will ensure that any of its own vendors or service providers who may also have access to PII are subject to the same indemnification and notification requirements as the vendor signing the bottom of your agreement. Your vendor or service provider is not the end of the line—they engage a host of vendors and service providers too. It is incumbent upon your firm or institution to know who in this supply chain will have access to confidential information.
If you have any questions regarding Equifax or cybersecurity, please contact Jesse Johnston.
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
- Jesse Johnston
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.