Blog

"Pay Attention to the Man Behind the Curtain"

We have been explaining the risks of third party data access for years, and this week Ericka Chickowski of Dark Reading put together an excellent article on some of the costs and concerns associated with it.

We have been explaining the risks of third party data access for years, and this week Ericka Chickowski of Dark Reading put together an excellent article on some of the costs and concerns associated with it: Data Breach Costs: Beware Vendor Contract Fine Print Organizations often end up paying the consequential costs of data breaches when third-party vendor contracts aren't scrutinized. Whether it's from a vendor improperly securing database information it's hosting for a customer or a storage company that leaves backup information unlocked in a truck, data breaches caused by third parties happen all the time. If organizations are not careful in the way they construct their contracts with those vendors, the organization itself could end up being on the hook for far more of the breach liability than it expected. But if they do it right, they could use that contract as a tool to mitigate risk to their organization. Litigation in these cases of third-party breaches is a common occurrence, frequently with the third-party organization ducking under the radar as their customer gets hammered by class action suits. For example, when a breach that exposed data for 4.9 million active and retired U.S. military personnel was caused by the theft of backup tapes from the car of an employee at Science Applications International Corp. (SAIC), working on behalf of Tricare, in September, the $4.9 billion lawsuit by affected individuals filed last week was lodged against TRICARE and the Department of Defense, not SAIC. Similarly, Stanford Hospital had a $20 million lawsuit filed against it after an employee at its billing contractor, Multi Specialties Collection Services (MSCS) inadvertently posted patient information on a homework help site online. Stanford has been on a publicity blitz claiming its outsourcer was totally to blame for the breach. These examples are quite common- and costly! It's a lot easier to avoid becoming a PR nightmare...