Are You Liable for a Vendor Data Breach?

According to the 2017 Ponemon Cost of Data Breach Study, the average global cost of a data breach is $3.62 million, and the average cost per lost or stolen record containing sensitive data is $141. The study also found that breaches are growing in both size and number. And, not surprisingly, a large share of these incidents, roughly 63%, trace back to a breach at a third-party vendor. So where does responsibility lie for a vendor-caused data breach that affects your business?

Where Does the Buck Stop?

It might come as a surprise to learn that your business could be held responsible for a vendor’s data breach, or at least carry legal obligations arising from it. According to Littler Mendelson P.C., “when a business vendor suffers a data breach involving data that the vendor has created or received on the employer’s behalf, data breach notification laws impose ultimate responsibility for breach response on the employer”. In other words, the notification clock usually starts for you, the data owner, not for the vendor that lost the data. Because breach notification requirements, deadlines, and penalties differ by jurisdiction, businesses would be wise to review their state, federal, and international obligations for third-party vendor breaches that involve the business’ data, and to make sure vendor contracts require the vendor to notify you quickly enough that you can meet your own deadlines.

The Importance of Vetting

Awareness of the role vendors have played in many recent attacks can, and should, make businesses wary about who has access to their sensitive data. Although no amount of diligence can guarantee that a vendor will never be breached, companies can properly vet vendors on their security posture and practices before handing over data. Dig in and find out how the vendor handles data security training, incident response plans (including how and how fast they will notify you), confidentiality and nondisclosure agreements, and security audits and inspections. Ask for evidence, such as recent audit reports or penetration test summaries, rather than relying on a questionnaire answered “yes” across the board, and limit each vendor’s access to the minimum data it actually needs to deliver the service.

Mitigating Risk Through Sound Security

One of the best ways to protect your company is through firm-wide investment in how you handle data protection and security internally. Are all endpoints, mobile devices, applications, and the like covered by encryption (at rest and in transit), multi-factor authentication, and a software update and patch management process? Are your employees well trained in security vigilance and able to spot potential risks, threats, and vulnerabilities? With an ongoing internal security process in place, move forward with vendor assessments and service level agreements (SLAs) that require the third parties your company works with to invest in security as well, and that spell out breach notification timelines, the right to audit, and what happens to your data when the engagement ends. Through training, awareness, and vigilance, you can help protect your company from the effects of a vendor breach.