
Third-Party Data Breaches: Your Weakest Link

by John DiGiacomo, Partner

Data Breach

One problem many companies discover as they build out their cybersecurity program is that third-party data breaches are the weakest link in their data management chain. Many companies find it a business necessity to outsource some, if not all, of their data management, storage, and processing to third-party vendors, such as cloud hosting companies and software-as-a-service (SaaS) providers. Putting your company’s valuable data into a third party’s hands carries risk, especially to the security of that data. Your company could have the most sophisticated cybersecurity protections in place, but if your vendor takes a lax attitude toward security, your data can still be exposed in a breach.

Third-Party Data Breaches are a Serious Threat to Business Cybersecurity

It is not uncommon for attackers to gain access to a business through its third-party vendors and compromise data. A business may have its own cybersecurity protections in place, yet still have to grant network access to third parties. Every such access path extends the business’s attack surface outward, beyond the controls it operates itself. Vendors make attractive entry points because each additional link in the chain of access to the company’s network is another place where a vulnerability can exist and be exploited.

According to the Soha Systems Survey on Third Party Risk Management, 63% of all data breaches are linked in some way to third parties such as contractors, suppliers, or vendors that have access to a business’s systems. Businesses remain responsible for the data they collect, transmit, use, and process, even when it is entrusted to a third-party vendor.

How Can Businesses Make Cybersecurity a Top Priority for Third-Party Vendors?

One way that a business can make cybersecurity a top priority for third-party vendors is through the use of a business agreement with the vendor. When hiring a third-party vendor, businesses can benefit from negotiating a contract with the vendor that specifically details the types of security measures and safeguards that the third-party vendor must use when handling data for the business. For instance, businesses can:

  • Utilize a service-level agreement that provides specific measures of security performance that the vendor must produce or provide.
  • Request that the vendor perform periodic security assessments on its systems.
  • Require an audit clause to be included in the agreement that enables the business to verify the third-party vendor’s compliance with specific security protocols by way of an independent security audit.
  • Limit the third-party vendor’s access to the business’s network. Grant access only to what the vendor needs to do its job and no more, review that access periodically, and revoke it when the engagement ends.

A contract that spells out these obligations makes cybersecurity a priority for the vendor and gives the business a concrete way to mitigate the risk of working with a third party. Vendors need to know that their clients take cybersecurity seriously so that they will take it seriously as well.

Who Is Legally Liable When a Third-Party Vendor Causes a Data Breach?

When a third-party vendor’s security failure results in unauthorized access to your customers’ data, your business — not the vendor — is the party your customers will hold responsible. Understanding the legal framework for third-party data breach liability is essential for any company that shares data with vendors.

Business Liability for Vendor Breaches Under State and Federal Law

State data breach notification laws impose notification obligations on the entity that owns or licenses the personal information, not on the vendor who stores or processes it. When a vendor breach exposes your customers’ data, your company is the entity legally required to notify affected individuals and, in many states, to notify the state attorney general. The vendor’s failure does not transfer or eliminate your company’s notification obligation.

The FTC’s enforcement authority under Section 5 of the FTC Act similarly attaches to the company that collects consumer data, not necessarily to the vendor. The FTC’s data-security consent orders, beginning with matters such as its 2005 action against BJ’s Wholesale Club, treat a company’s failure to use readily available, reasonable security measures as an unfair practice, and later orders (for example, the 2014 GMR Transcription Services matter) have applied the same reasoning to a company’s failure to require and oversee adequate security from the service providers it entrusts with consumer data. The practical result is that your company’s security obligations extend to requiring and verifying adequate security from your vendors.

For healthcare entities, the HIPAA framework provides a specific mechanism: Business Associate Agreements (BAAs). Any vendor that accesses, stores, or processes protected health information on behalf of a covered entity is a “business associate” under 45 C.F.R. § 160.103, and the covered entity must have a compliant BAA in place with that vendor before sharing PHI. A vendor breach that occurs without a BAA in place creates independent HIPAA liability for the covered entity, in addition to whatever liability arises from the breach itself. Since the 2013 HIPAA Omnibus Rule, business associates are also directly liable under the HIPAA rules for their own failures, but that does not relieve the covered entity of its own obligations.

Contractual Claims Against Negligent Vendors

While your business bears primary legal responsibility to your customers when a vendor breach occurs, you have a separate set of legal claims against the vendor. The vendor contract is the foundation for these claims. A well-drafted vendor agreement will include:

  • Specific security requirements. The contract should specify the security standards the vendor must maintain, such as encryption of data at rest and in transit, access control requirements, incident response procedures, and employee training requirements. Vague language like “commercially reasonable security” is enforceable but creates ambiguity about what the vendor was actually required to do. Tying the requirements to a named standard, for example a current SOC 2 Type II report or ISO/IEC 27001 certification, gives both sides a concrete benchmark.
  • Breach notification obligations. The vendor should be required to notify your company of any security incident affecting your data within a specified timeframe — typically 24 to 48 hours. This contractual notification trigger must be shorter than your statutory notification deadlines so that you have time to comply with notification laws after receiving vendor notice.
  • Indemnification provisions. The vendor should be required to indemnify your company for losses, including regulatory fines, litigation defense costs, and settlement payments, that result from the vendor’s security failures. The scope and enforceability of indemnification provisions depends heavily on how they are drafted and on applicable state contract law.
  • Right to audit. Your company should retain the right to conduct or commission security audits of the vendor’s practices. Many vendors will offer a recent independent audit report (such as a SOC 2 Type II report) in place of an on-site audit, which is often a reasonable substitute; a vendor that refuses both direct audit rights and independent attestation should be treated as a significant red flag in vendor due diligence.
  • Insurance requirements. Require the vendor to maintain cyber liability insurance with minimum coverage limits appropriate to the risk, and require your company to be named as an additional insured. A vendor that lacks adequate insurance may be judgment-proof if a major breach occurs.

Notable Third-Party Breach Cases

The 2013 Target breach is the canonical example of third-party breach risk. Target’s network was accessed using credentials stolen from an HVAC vendor, Fazio Mechanical Services, which had been granted access to Target’s network for electronic billing and contract management purposes, and the attackers moved from there to the payment systems. The breach exposed payment card data of approximately 40 million customers. Target ultimately paid $18.5 million to settle multi-state attorney general investigations and agreed to pay $10 million in a class action consumer settlement, among other costs. Target’s total breach-related costs exceeded $292 million.

The Target case illustrates two critical failures in vendor security management: first, the vendor’s credentials could reach network segments beyond what its work required; second, the attacker’s lateral movement through the network went undetected or unaddressed for weeks after the initial intrusion. A well-designed vendor access program uses network segmentation and default-deny access rules to ensure that a vendor’s credentials, even if compromised, cannot be used to reach systems beyond the vendor’s authorized scope, and it monitors for vendor accounts turning up anywhere outside that scope.
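As an added example (not code from this article or from any company or product it names), the following Python sketches both halves of the vendor access program described above and in the earlier list item on limiting vendor access: a default-deny check that confines each vendor account to the segments it needs, and a detection pass over authentication logs that flags a vendor credential reaching a host outside that scope. The segment names, account names, addresses, log format, and log lines are all constructed for the illustration.

```python
"""Least-privilege vendor scoping and out-of-scope login detection.

Added illustration for this article; not code from the original post or
from any named company or product. Segments, accounts, addresses and log
lines below are constructed for the example.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Hypothetical network segments (constructed address ranges).
SEGMENTS = {
    "vendor-billing": ip_network("10.10.0.0/24"),  # billing/contract portal
    "corp": ip_network("10.20.0.0/16"),            # internal users
    "pos-payments": ip_network("10.50.0.0/16"),    # cardholder environment
}

# Least privilege: each vendor account is scoped to exactly the segment(s)
# it needs for its work, and nothing else.
VENDOR_SCOPE: Dict[str, Set[str]] = {
    "svc-hvac-vendor": {"vendor-billing"},
    "svc-cleaning-vendor": {"vendor-billing"},
}


def segment_of(ip: str) -> Optional[str]:
    """Return the segment containing ip, or None if it is in no known segment."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def authorize(account: str, dst_ip: str) -> bool:
    """Enforcement side: a vendor account may reach a host only inside its scope.

    Unknown accounts and unknown segments are denied (default deny), so a
    stolen vendor credential still cannot reach the payment segment.
    """
    seg = segment_of(dst_ip)
    return seg is not None and seg in VENDOR_SCOPE.get(account, set())


# Constructed auth log format: one event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\w+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    account: str
    dst: str
    segment: Optional[str]


def detect_out_of_scope(lines: List[str]) -> List[Alert]:
    """Detection side: flag successful vendor logins to hosts outside the
    account's scope. This is the signal the article says went unaddressed:
    a vendor credential turning up in a segment it was never granted."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        # Non-vendor accounts and failed attempts are not this detector's job.
        if not m or m["user"] not in VENDOR_SCOPE or m["result"] != "success":
            continue
        if not authorize(m["user"], m["dst"]):
            alerts.append(Alert(m["ts"], m["user"], m["dst"], segment_of(m["dst"])))
    return alerts


# Constructed sample log: the vendor account first uses the billing portal it
# is entitled to; later the same credential successfully reaches a POS host.
SAMPLE_LOG = [
    "2024-03-01T09:02:11Z auth user=svc-hvac-vendor src=203.0.113.8 dst=10.10.0.5 result=success",
    "2024-03-01T09:40:03Z auth user=jsmith src=10.20.4.9 dst=10.50.1.2 result=success",
    "2024-03-12T02:13:45Z auth user=svc-hvac-vendor src=203.0.113.8 dst=10.50.3.7 result=failure",
    "2024-03-12T02:14:02Z auth user=svc-hvac-vendor src=203.0.113.8 dst=10.50.3.7 result=success",
]

if __name__ == "__main__":
    for a in detect_out_of_scope(SAMPLE_LOG):
        print(f"{a.ts} vendor {a.account} reached {a.dst} in {a.segment!r}: out of scope")
```

Run as written, the script reports one event: the vendor account’s successful login to 10.50.3.7 in the constructed pos-payments segment. The enforcement check and the detector share one scope table on purpose, so the definition of “what this vendor is allowed to reach” lives in a single place that the contract’s access-limitation clause can be checked against.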

Contact a Data Breach Attorney

Our data breach attorneys can assess your current vendor risk profile, review your vendor contracts for legal adequacy, or in the case of a data breach, help with notification compliance. Contact us using the form on this page or call us at 855-473-8474.
