Beware the Litigation and Regulatory Risks Posed by Vendor Cyber-Security Practices

November 21, 2014Alerts

Data privacy and data security breaches are big news these days. As companies scramble to fortify their networks and protect personal information, an often-overlooked risk is becoming increasingly significant: inadequate data security practices by vendors. A company could have the best cyber-security program in the world protecting its own network, only to see the personal information of its customers or employees stolen from the network of a trusted vendor. Unfortunately, a data breach at a vendor has many of the same effects as a breach of a company's own network, shattering public confidence and leading to lost business at the company that "trusted" the vendor.

Vendor security breaches are also quickly becoming a hot area for regulatory enforcement and litigation based on the theory that a company has a duty to supervise its vendors to ensure they are properly securing the consumer or employee information they are entrusted with. For example, in late October, the New York State Department of Financial Services sent letters warning dozens of banks regulated by the Department to "identify, monitor and mitigate any cybersecurity risks" posed by their third-party vendors.

Vendor supervision is also very important to the Federal Trade Commission, which has already brought over 50 privacy and cyber-security enforcement actions, including actions challenging inadequate vendor supervision. For example, the FTC brought an enforcement action against CBR, an umbilical cord blood and tissue bank, after one of its vendors retained a legacy database of unencrypted customer information after it was no longer needed (and which was later hacked into). Earlier this year, the FTC settled an enforcement action against GMR Transcription Services alleging that GMR failed to verify that an overseas service provider was using reasonable and appropriate security measures to protect medical transcript files that the vendor was transmitting and processing.

These vendor-related enforcement actions are only expected to become more common, e.g., in early November, the associate director of the FTC's division of privacy and identity protection publicly cautioned companies to pay close attention to how their third-party service providers handle and secure data. Accordingly, it is vital for companies that share sensitive or personal consumer or employee information with vendors to assess the cyber-security risks from such sharing and take steps to minimize those risks, such as negotiating contracts requiring vendors to use industry standard security and implementing proper vendor supervision and review processes.