Do you sleep well at night knowing your vendors are appropriately securing your clients’ sensitive data? In the age of big data, every company must devote significant resources to protecting itself from cyberattacks on its systems, and most companies have invested significantly in their own cybersecurity as a result. But an inward focus is not enough. One area of vulnerability increasingly subject to exploitation is the access to systems and data given to third-party vendors. Many of the world’s most notable (and costly) data security incidents involved hackers exploiting vendor access or vendor systems. One of the largest data breaches in history—the Target breach—did not occur due to a breach of Target’s systems at all. Rather, the systems of a third-party HVAC vendor were compromised, and the access given to that vendor was subsequently exploited. Similarly, noteworthy breaches of Wyndham Hotels’ data did not occur due to a breach of the hotel chain’s main network. Hackers instead accessed the networks of third-party hotels that used the Wyndham brand, and in turn gained access to Wyndham systems.

As a result, it is increasingly important for companies to pay close attention to their relationships with any vendors that access personal data or sensitive commercial data. Although we typically think of this protection as a highly technical affair based on encryption and multilevel passwords, there are practical, commonsense steps that a general counsel can take to minimize liability in the event of a breach of a vendor’s systems.