With massive data breaches that have recently wreaked havoc on privacy concerns among U.S. businesses and consumers, a growing number of companies are now demanding that vendors fill out questionnaires to show proof of cybersecurity measures. Should your business do the same?
Businesses of all industries generate, store, use, and otherwise come into contact with numerous pieces of data that constitutes “personally identifiable information” belonging to consumers. The risks are not only limited to businesses in the health or medical industry — virtually every business that conducts any business or receives or stores information online is at risk.
Back-Door Access to Protected Information
Recently, CIOs and hackers are discovering that the quickest way to a company’s classified data is often through a third party. The hackers that stole 40 million credit cards and debt card numbers from Target Corp., for example, broke into the company’s network by stealing credentials from its heating and air conditioning contractor. In these circumstances, the risk is not that the company’s data gets hacked because of something the company did, but because of something the company’s vendors did not do. With the ongoing security threats targeting vendors, payment processors, data storage sites, and information clearinghouses, businesses must demand greater cybersecurity measures from their vendors or find themselves exposed for not taking enough precautions, if a data breach were to occur.
The Basic Checklist
Off-Shore Contractors. Businesses should ask whether their vendors make use of any off-shore contractors. India, Pakistan, Bangladesh, China, and Malaysia often provide very cheap sources of labor for a variety of transactions, including product sales, information technology, e-commerce, payment processing, sales, marketing, and website development, including back-end consumer databases. Labor from any of these or other countries can be utilized by U.S. based vendors who outsource most of the work that is actually being performed for clients. Businesses that place confidential consumer information in the hands of their vendors should make sure they ask and are aware of how much of that information is being transmitted overseas, where data breaches are far more prevalent and more difficult to detect.
Encryption. Recent court cases have spared some companies accused of data breaches from liability when they have been able to demonstrate the data allegedly accessed was encrypted or not plainly accessible by the intruders due to being accessible only through special proprietary software, or other as a result of restrictions. Businesses should inquire whether their vendors encrypt files that are being transmitted, how and where files are stored, the level of security that protect such data, whether the vendor uses secure email, and how much of information transmitted is unencrypted.
Portable Devices. In today’s age, most professionals are expected to have workplace email access installed on their PDAs and smartphones. But what happens to vendors whose employees’ quit or have their PDAs lost, stolen, or accessed by unauthorized intruders? Some companies are demanding that their service providers ensure that company data does not reside on flash drives, iPads, or other portable devices. At the very least, businesses should take steps to ensure that consumer or client data does not reside on vendor PDAs, or that the vendor uses remote wipe software if employee PDAs are lost/stolen, or if employees depart.
Professional Data Breach Software. Businesses should also inquire whether their vendors are using professional security software and equipment. In the case of Target Corp.’s data breach, for example, the heating/air conditioning vendor used by Target admitted that their security software consisted of a free version of downloadable software that did not provide real-time protection, and only consisted of an on-demand scanner. Obviously, service providers handling substantial amounts of consumer data or with access to a businesses’ network should be protected through enterprise-level security software. But, it is the businesses’ duty to inquire, given that vendors may not volunteer information about poor security measures. It can be tough to avoid responsibility for catastrophic data breaches such as this, if not even inquiries are made about a vendor’s ability to detect and protect against intrusions.
Desktop Security. A significant number of breaches have also been the result of phishing schemes, often through innocuous email sent to low-level employees who may not suspect they are the targeted entry-door to a corporation’s networks and information systems. Businesses should ensure that vendors make it a priority to ensure that computing infrastructure provided to clerks and support staff are as equally secure as those used by the vendors’ executives.
Insurance. Businesses are also increasingly demanding that vendors carry liability insurance covering data breaches. When a service provider falls victim to a massive data breach, repairing the damage can be overwhelming, and unless the service provider has the resources to handle the response effort required, the quality of services (or even its existence) could succumb to the time, effort, and expense needed to handle the data breach. An insurance policy providing coverage for data breaches may provide additional support and resources for the victim company, in the event of a data breach.
Axis Legal Counsel’s Privacy & Data Security practice represents clients with numerous privacy and data security matters, including security breaches, unauthorized access, privacy violations, and threats by insiders, outsiders, and hackers. Axisprovides a wide variety of legal services to corporate clients, including crisis management, general corporate legal services, business litigation, director/officer representation, technology/internet law, and others. For information on retaining Axis Legal Counsel, contact email@example.com or call (213) 403-0130 for a confidential consultation about your legal issue.