Dont Let Your Suppliers Limit Too Much Breach Liability

Organizations often end up paying the consequential costs of data breaches when third-party vendor contracts arent scrutinized

Whether its from a vendor improperly securing database information its hosting for a customer or a storage company that leaves backup information unlocked in a truck, data breaches caused by third parties happen all the time. If organizations are not careful in the way they construct their contracts with those vendors, the organization itself could end up being on the hook for far more of the breach liability than it expected. But if they do it right, they could use that contract as a tool to mitigate risk to their organization.
As it currently stands the focus of risk mitigation with respect to security are technical controls and other security measures, and the importance of the contract as a risk mitigating tool is overlooked, says David Navetta, founding partner of the Information Law Group. As litigation increases in this area, for risk-conscious organization, the protections in the service provider contracts are going to become very important.
Litigation in these cases of third-party breaches is a common occurrence, frequently with the third-party organization ducking under the radar as their customer gets hammered by class action suits. For example, when a breach that exposed data for 4.9 million active and retired U.S. military personnel was caused by the theft of backup tapes from the car of an employee at Science Applications International (SAIC) Corp. working on behalf of TRICARE in September, the $4.9 billion lawsuit lobbied by effected individuals just last week was lodged against TRICARE and the Department of Defense, not SAIC.
Similarly, Stanford Hospital had a $20 million lawsuit filed against it after an employee at its billing contractor, Multi Specialties Collection Services (MSCS) inadvertently posted patient information on a homework help site online. Stanford has been on a publicity blitz claiming its outsourcer was totally to blame for the breach.
In most cases like those, the details of the actual contract between the organization and the supplier never really become public. Typically theyre buried in closed settlement deals and kept locked down with non-disclosures. But John Nicholson, counsel for the global sourcing practice at the Washington, D.C.-based law firm of Pillsbury Winthrop Shaw Pittman LLP., says that suppliers frequently evade the bulk of liability due to poorly drafted service contracts.
In many cases when a third party vendor enters a contract with a client, the supplier will provide a limitation of liability clause that covers just about anything under the sun. He says he warns his clients all the time not to accept those limitations so quickly.
They might include a provision that says with regard to data breaches, they will do whats required by law, but whats required by law is actually very limited, Nicholson says. Then youre in a situation where you have to pay the rest and that may be the bulk of the costs. The problem with the rest is that your mitigation, setting up your help desk to deal with calls from the affected individuals, the cost of credit monitoring, those are not required by law but are standard practices that are expected if you lose financial details.
He says that organizations need to ensure up that contracts detail that those consequential costs are considered as part of the suppliers responsibility should they be responsible for a breach. Navetta usually advises organizations to go one step further than to scrutinize the fine print in contracts after a vendor has been picked. Instead, organizations should be including liability requirements as early as the request for proposal (RFP) stage.
The key here is to create competition between potential service providers not only on price and scope of services, but also acceptance of risk and contract terms--those willing to accept more risk being potentially better candidates than those not so willing, he says. Organizations that wait to request protective contract terms until after they have selected a vendor may find those terms watered down during negotiations, and may be stuck holding all the risk of a service provider mistake.
According to Nicholson, organizations need to be careful not to go too far in the other direction. He believes that a customer shouldnt be aiming to make their supplier an insurer.
If youve got risks youre subject to right now the way you operate, then just because youve outsourced should not make your supplier liable for doing the exact same thing your own people could have screwed up, he says. So theres a balance in drafting those provisions. Because companies look at that and say Im outsourcing so you should be completely responsible for what happens. But when you look at it from the suppliers perspective, they say Wait a minute, this is a risk youre subject to right now and youre already getting coverage you dont have right now because Im going to compensate you for certain things that if your own people screwed up you wouldnt have any compensation for.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Dont Let Your Suppliers Limit Too Much Breach Liability