TK Data Privacy and Cybersecurity Blog

Posted by: Brandon King and Rachelle (Shelley) Glazer

The past year has shed light on many litigation issues stemming from cybersecurity events. Several courts have clarified what it takes for someone whose data has been compromised to satisfy Article III’s injury-in-fact requirement. The US Supreme Court has decided to resolve a circuit split over whether the Computer Fraud and Abuse Act’s “exceed[] authorized access” language requires merely the “improper use” of computer systems, or more, like bypassing a password. Courts have also tackled claims of immunity arising from foreign cyberevents, addressed claims of privilege with respect to cyberattack reports and, most recently, interpreted federal regulations governing the protection of electronic health data. This post provides a brief summary of these litigation developments.

The Value of Lost Data and Standing to Sue – A Maryland federal district court held that customers of a hotel chain—the subject of a vast data-security breach that compromised the private data of its customers—satisfied Article III’s injury-in-fact requirement for several reasons. One of the more notable injuries, however, was “based on the loss of value of their personal information.” In doing so, the court recognized “the value that personal identifying information has in our increasingly digital economy.” This decision implicates one of the most common and complex issues in data-breach litigation—standing—and will provide guidance as courts grapple with advances in technology and the corresponding gap in precedent. See In re Marriott Int’l, Inc., Customer Data Sec. Breach Litig., 440 F. Supp. 3d 447 (D. Md. 2020).

Biometric Privacy– State biometric privacy laws—which dictate the conditions under which collectors of biometric data may obtain, retain, and use biometric data (for example, using a fingerprint scan at a vending machine)—continue to serve as fruitful ground for litigation. Two recent Seventh Circuit decisions analyzed whether plaintiffs satisfied Article III’s injury-in-fact requirement under Illinois’s Biometric Information Privacy Act, which requires private entities to, among other things, make certain disclosures, obtain informed consent before acquiring a consumer’s biometric data, as well as develop a publically available retention-and-destruction policy. In one decision, the court held that a private entity’s failure to obtain the requisite consent or provide the relevant disclosure before acquiring the plaintiff’s fingerprint constituted an injury-in-fact. In another decision, the Court held that an employer’s alleged failure to develop, publicly disclose, and comply with a data-retention schedule and guidelines for the permanent destruction of biometric data when the initial purpose for collection ended was sufficient to constitute injury. In doing so, the Seventh Circuit observed that “regulating the collection, storage, and use of biometrics is closely analogous to historical claims for invasion of privacy.” See Bryant v. Compass Group USA, Inc., 958 F.3d 617 (7th Cir. 2020) and Fox v. Dakkota Integrated Sys., LLC, 980 F.3d 1146 (7th Cir. 2020).

The Supreme Court and the Computer Fraud and Abuse Act – The CFAA imposes liability on persons who “exceed[] authorized access” to computer systems. But does the mere improper use of a computer satisfy that standard (like violating company policy by watching sports on a work computer), or does the phrase refer to violations of restrictions on access to information (like bypassing a password to obtain access). The First, Fifth, Seventh, and Eleventh Circuits apply the former, broader approach, while the Second, Fourth, and Ninth Circuits apply the narrower, access-based approach. In April 2020, the Supreme Court recently granted certiorari to resolve the split; in the interim, however, the Sixth Circuit adopted the narrower approach but, acknowledging the Supreme Court’s pending decision, noted that its interpretation “might not be the final word.” See Supreme Court Docket No. 19-783, Van Buren v. United States.

Foreign Actors and Subject-Matter Jurisdiction – WhatsApp and Facebook sued NSO Group, an Israeli mobile surveillance software company, alleging that NSO sent malware using WhatsApp’s system to over 1000 mobile devices to monitor users. NSO claimed the court lacked subject-matter jurisdiction “because the conduct giving rise to the complaint was performed by foreign sovereigns.” The Court rejected this argument and, in doing so, analyzed the “two relevant doctrines implicated by defendants’ argument: foreign official immunity and derivative sovereign immunity.” As to the former, because the defendants were sued in their individual capacities and the plaintiffs did not seek compensation from the Israeli government, the defendants did not “qualify as foreign officials under the content-based prong of the foreign official immunity test.” The court also rejected the latter argument, reasoning that “there [was] no compelling reason to extend derivative sovereign immunity to a foreign entity working on behalf of a foreign sovereign.” Although an appeal is pending, with the recent SolarWinds breach and allegations that agents affiliated with foreign governments were involved, the opinion will have impact going forward. See WhatsApp Inc. v. NSO Group Techs. Ltd., 472 F. Supp. 3d 649 (N.D. Cal. 2020).

Cyberattack Reports: Privileged or Not? A D.C. federal court recently held that a cybersecurity report commissioned by a law firm and generated by a consultant wasn’t protected by the work-product or attorney-client privileges. As to the work-product privilege, the court observed that the “fact that the Report was used for a range of non-litigation purposes reinforces the notion that it cannot be fairly described as prepared in anticipation of litigation.” The court rejected the attorney-client privilege, reasoning that the law firm’s “true objective was gleaning the consultant’s expertise in cybersecurity, not in ‘obtaining legal advice from its lawyer.’” See Wengui, v. Clark Hill, PLC, No. CV 19-3195 (JEB), 2021 WL 106417 (D.D.C. Jan. 12, 2021).

Electronic Protected Health Information – The Fifth Circuit recently vacated a civil penalty levied against MD Anderson Cancer Center stemming from the loss of electronic protected health information (ePHI) that was not encrypted. There, the unencrypted electronic devices of several MD Anderson employees were stolen or lost. The Government, citing violations of two federal regulations governing the encryption and disclosure of ePHI, imposed civil penalties of $4.3 million. The Fifth Circuit held the penalties were arbitrary and capricious and vacated in full. The regulations at issue were the “Encryption Rule,” which requires HIPAA-covered entities to implement “a mechanism to encrypt” ePHI, and the “Disclosure Rule,” which prohibits HIPAA-covered entities from disclosing ePHI to outside entities. The Court held that MD Anderson satisfied the Encryption Rule because it had implemented various “mechanism[s]” such as furnishing encryption devices to its employees; in doing so, the Court made clear that whether MD Anderson could have done more was not relevant—the only inquiry was whether MD Anderson implemented “a mechanism” (and it did). MD Anderson also complied with the Disclosure Rule, which defined disclosure to “mean[ ] the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.” The Court rejected the argument that HIPAA-covered entities violate this rule merely by “losing control” of ePHI; rather, as worded, the regulation required some affirmative act to violate the rule—but that wasn’t present in this case. See Univ. of Tex. M.D. Anderson Cancer Ctr. v. United States Dep’t of Health & Human Servs., No. 19-60226, 2021 WL 127819 (5th Cir. Jan. 14, 2021).

Posted by Michael C. Titens, Justin S. Cohen, and Stephen E. Stein

Cybersecurity and data privacy issues have both been overshadowed and strongly impacted by 2020’s dominant story – COVID-19. As employees shifted to working from home and Zoom and other video conference services became the new norm, new cybersecurity issues arose. As testing, contact tracing and return to work questions took the forefront privacy concerns correspondingly increased. Below are some of the most significant privacy and data security developments of 2020.

1. Federal Legislation: On December 4, 2020, the Internet of Things Cybersecurity Improvement Act of 2020 (“IOT Act”) was signed into law. The IOT Act establishes security standards for IoT devices owned or controlled by the Federal government. While limited to securing devices at the federal level, the IOT Act requirements are naturally expected to impact IOT devices in the commercial sector (i.e. a federally qualified device can be sold in the commercial sector). Under the IOT Act the National Institute of Standards and Technology is charged with developing standards and guidelines for the appropriate use and management of IOT devices for federal agencies (and to the extent practical will be consistent with best industry practices).

The defense bill signed by the President in December creates a national cyber director within the president's office. The director would be tasked with coordination of federal cybersecurity policies. The hope is that leadership at the executive level will help both government and private sector security defenses.

2. California Privacy Rights Act Enacted: As covered in our Blog Post [link] on November 3rd the State of California passed the California Privacy Rights Act, or “CPRA.” This Act broadens the scope of the previously implemented California Consumer Privacy Protection Act (“CCPA”) and creates a new agency (effective July 2023) to enforce privacy obligations. As with the CCPA, this Act is expected to directly affect many companies that do business in California as well as influence legislation in other states.

3. Solar Winds Attack: The IT management company SolarWinds was subject to a data security breach believed to have started in March of 2020 and not identified until December. The breach, widely believed to be carried out by Russia, has impacted a large number of Fortune 500 firms as well as the Treasury Department, Department of Homeland Security, National Nuclear Security Administration and others. As SolarWinds sent out periodic software updates this year, the updates included code that had already been hacked, allowing access to the IT systems of up to 18,000 SolarWinds customers.

4. FireEye Attack: In early December FireEye, a recognized leader in intelligence-led security-as-a-service, reported that it was attacked by a highly sophisticated threat actor which FireEye believes to have been a state-sponsored attack by a nation with top-tier offensive capabilities. Per FireEye, “Consistent with a nation-state cyber-espionage effort, the attacker primarily sought information related to certain government customers.” The hackers are also believed to have stolen FireEye’s “Red Team tools” – the hacking tools that FireEye uses when conducting penetration tests and attempting to access its clients’ systems. As with the SolarWinds attack, the direct target may have been government agencies but the attack potentially affected thousands of customers across the globe.

5. Ransomware: Ransomware continued to be a significant cyber threat in 2020. Victims included municipal and county governments, universities, and local school districts, as well as manufacturing, service and other businesses. On October 28, the FBI and other government agencies issued a special warning to hospitals and other healthcare providers. Ransomware attackers adapted their methods to increase the pressure on victims. In addition to blocking access to computer systems and encrypting data, modern ransomware attackers also attempt to encrypt data backups, making it far more difficult for a victim to recover its files without paying the ransom. Attackers also exfiltrate data from a victim’s network, including personal information of customers and employees, and then threaten to release the data publicly on “walls of shame” unless the ransom is paid.

Further increasing the risks for ransomware victims, U.S. government agencies issued advisories in October warning that ransomware payments to certain attackers could violate U.S. sanctions laws. A party making such a payment, as well as others involved in the process such as forensics firms and insurance providers, can face civil liability even if they did not know they were dealing with a sanctioned group or individual at the time the payment was made.

6. Schrems II and Transatlantic Data Flows: On July 16, 2020, Europe’s top court invalidated the EU-US Privacy Shield program, finding that it did not provide an “essential equivalence” with European data privacy laws (GDPR). The EU-US Privacy Shield program was a popular way for U.S. companies to comply with the restrictions on cross-border data transfers set forth in GDPR (Article 44). Since the U.S. does not have an adequacy decision under European privacy laws, the Privacy Shield Program was the most efficient way for many U.S.-based companies to lawfully move data to the U.S. from Europe under GDPR. This decision largely centered on European concerns for U.S. surveillance programs and the ability for private data to end up with public authorities. The Court found that “the requirements of US national security, public interest and law enforcement have primacy [over individual data rights], thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.” The Swiss and Israeli governments issued similar rulings shortly after the European high court decision, adding to the importance of this decision.

These decisions have placed increased emphasis on the “standard contractual clauses” as a potential lawful means of transatlantic data flow; however, the Court cautioned against blindly applying the standard clauses without a case-by-case analysis of the risk of the transfer. In November, a draft of updated standard clauses was published with a final set of updated standard clauses expected in 2021.

In December, the Senate Committee on Commerce, Science, and Transportation held hearings on the invalidation of Privacy Shield and the future of transatlantic data flows highlighting a growing fear of data localization.

7. Texas Privacy Protection Advisory Council Issues Interim Report: In September of this year, the Texas Privacy Protection Advisory Council released is interim report to the 87th Legislature. The Council was created following an amendment to proposed consumer privacy bills in Texas with a goal of studying existing data privacy laws in Texas, other states, and relevant foreign jurisdictions and making recommendations to the members of the legislature on specific statutory changes regarding the privacy and protection of personal information deemed necessary based on the study. While the report does not ultimately propose specific statutory provisions, it does provide a framework for future Texas privacy legislation based on six general recommendations:
a. State agencies should adhere to privacy standards that are continually reviewed and updated;
b. Legislative proposals should consider a balance between consumer privacy concerns and business compliance;
c. Legislative proposals should consider the impact on highly regulated data (e.g., PHI and financial information) and complement existing federal laws;
d. Legislative proposals should be written broadly enough to allow for the adoption of new technology and business standards;
e. Legislative proposals should consider existing laws in Texas and in other states so as not to create conflict; and
f. Texans have a right to know how their personal information is being used.

8. Insurance Market Tightens: Cyber insurers are charging more for coverage and being more careful with their underwriting due to a sharp rise in the frequency and severity of ransomware claims. However, ransomware is not the only concern. Cyber losses have also been driven by social engineering attacks, specifically business email compromise. The sharp uptick in claims may even push some insurers out of the cyber market. Premium increases reportedly range from 5% to 15%, with certain instances of even greater increases. Ransom payment is only part of the claim expense. Other large costs include IT expenditures related to investigating, identifying and containing attacks, and then restoring systems. Business interruption claims are also making up an increasing amount of the expense for the downtime after the attacks. Underwriters have started to introduce specific ransomware question sets during the underwriting process. Policyholders who give answers satisfactory to underwriters may obtain lower premiums but cannot expect discounts in this insurance market. Given the expected increase in attacks for 2021, this tightening of the market is unlikely to lessen anytime soon.

Posted by Michael Titens

Ransomware attackers are concentrating their efforts on hospitals and other health care providers according to a warning issued by the FBI and other government agencies on October 28.  Attackers know that prolonged computer shutdowns in hospitals can be catastrophic and that hospital administrators may have few viable alternatives to making a ransom payment, making hospitals desirable targets.  Numerous hospitals have already been hit, leading to postponed procedures and at least one patient death reported by the Washington Post. 

Ransomware is not new but attackers have adapted their methods to increase the pressure on victims.  In addition to blocking access to computer system and encrypting data, modern ransomware attackers also attempt to encrypt data backups, making it far more difficult for a victim to recover its files without paying the ransom.  Furthermore, researchers have found that in nearly half of all ransomware attacks, attackers exfiltrate data from a victim’s network, including personal information of customers and employees.  The attackers then threaten to release the data publicly on “walls of shame” unless the ransom is paid.  Delays in payment result in partial data releases and threats to release more.  As a result, even when a victim can rebuild its network and recover its files without agreeing to attacker demands, the threat of public data disclosure often compels the victim to pay the ransom.

Ransomware responders have adapted to this new environment.  In addition to restoring a victim’s network, some forensics firms and cyber insurance providers assist with ransom negotiations and, if necessary, facilitate ransom payments. With more cyber insurance policies providing coverage for ransom payments, cost is less of an impediment to payment.  And as ransom payments become more routine, attackers expand their criminal activities.

Counteracting this trend, and increasing the risks for ransomware victims, U.S. government agencies issued advisories last month warning that ransomware payments to certain attackers could violate U.S. sanctions laws.  The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued its advisory “to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.”  OFAC has already imposed sanctions on organizations and individuals located in Russia, North Korea, and Iran and plans to continue adding other cyber actors to its list of specially designated nationals.  Under U.S. sanctions law, making or facilitating payments, directly or indirectly, with specially designated nationals is prohibited.  A party making such a payment, as well as others involved in the process such as forensics firms and insurance providers, can be held civilly liable even if they did not know they were dealing with a sanctioned group or individual at the time the payment was made.

As part of its strategy to deter ransom payments, the government is also targeting other potential participants in a ransomware transaction.  The OFAC warning specifically identifies financial institutions, cyber insurance carriers, and incident response firms that facilitate ransom payments as potential violators of U.S. sanctions laws.  Furthermore, at the same time OFAC issued its warning, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued an advisory to banks and other financial intermediaries that they should file Suspicious Activity Reports and comply with related regulations whenever they participate in any aspect of a ransom transaction.  Not only ransomware victims, but also the firms they choose to assist them in responding to an attack, must now reevaluate the costs and benefits of making a ransom payment, particularly where the attacker’s identity is unknown or the attacker is suspected to have already been designated by OFAC for sanctions.

The new guidance bolsters law enforcement’s view that victims should promptly report cyber incidents to the proper authorities (typically the FBI or Secret Service) and should not make ransomware payments.  According to the OFAC advisory, “OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”

While we anticipate that victims will still give serious consideration to making ransom payments, reasonable compliance procedures of forensics firms and financial intermediaries, including a possible requirement to involve law enforcement, may complicate any response.  Furthermore, cyber insurance carriers may be reluctant to provide coverage for certain ransom payments.  We have even heard that some insurance carriers may attempt to deny coverage for notification, legal, and other expenses related to a ransomware attack perpetrated by a sanctioned group.

So what can a business do in light of these increasing costs and risks associated with ransomware?  Companies should take steps to minimize the likelihood and impact of any potential attack.  For example, phishing e-mails are one of the most common attack vectors for ransomware.  Network users should be trained to identify and avoid malicious e-mail and in particular, malicious e-mail attachments such as those masquerading as Google Docs or .pdf attachments.  Also, businesses should maintain off-line back-ups of their network data and should consider segmenting their networks to restrict the ability of an intruder to move laterally within the network.  Other suggestions can be found in the recent advisory from the Cybersecurity and Infrastructure Agency and in this update from our friends at Stroz Friedberg.

Ransomware remains a threat to businesses large and small.  Recent attacks in the healthcare industry illustrate the potentially dire consequences of a network disruption.  For advice and assistance preparing for, or responding to, a ransomware attack, please contact any member of the Thompson & Knight cybersecurity team.

Posted by Stephen Stein

Proposition 24, the California Privacy Rights Act (or “CPRA”), was passed by California voters on November 3.

Both modifying and enhancing aspects of the California Consumer Privacy Protection Act (“CCPA”) which became effective January 1 of 2020, the CPRA provisions will go into effect on January 1, 2023.

Why a new Act passed so soon after CCPA? Proponents felt that in many respects CCPA did not go far enough toward protecting personal data.  Proponents successfully argued that the state should adopt privacy protections comparable to those found in the European General Data Protection Regulation (“GDPR”).

What’s New?  Key provisions of the CPRA include:

• New Enforcement Agency: CPRA creates the California Privacy Protection Agency (beginning July 2023) which will take over responsibility from the state attorney general for enforcement of privacy obligations. In theory, this will allow greater resources to be dedicated to privacy enforcement.
• Liability for Violations by Service Providers: Collectors of Data who share a resident’s data will be responsible for compliance by any service providers with whom they share data.
• CCPA Clarifications: CPRA would clarify some of the issues raised with CCPA, including, (i) confirming that loyalty and discount programs would not be prohibited under CPRA, (ii) extending the moratorium on B2B and employee data, and (iii) removing “devices” from the determination of the thresholds of when a business would be subject to CPRA.
• Sensitive Personal Information: Consistent with GDPR, sensitive personal information is now defined and subject to more rigorous security requirements.
• New Consumer Rights: Consumers will have the right to update personal information already collected by companies.

Why Should I Care?

• As with the CCPA, companies that collect data on California residents (including via a website accessible to a California resident) will be subject to the law.
• California has been the bellwether state for a number of laws in the past. California privacy law, including the CPRA, can be expected to influence other states considering privacy legislation.
• Texas is among those states considering consumer data privacy legislation (see the September 2020 Report of the Texas Privacy Protection Advisory Council here. While aiming to meet public expectations concerning data privacy, the Legislature is also likely to seek to avoid some of the costly results of the CCRA and the GDPR. Progress on these matters may, however, be delayed by limitations on the scope of what the Legislature will undertake in a session constrained by COVID-19.

Posted by Craig Carpenter

On July 16, 2020, Europe’s top court invalidated the EU-US Privacy Shield program, finding that it did not provide an “essential equivalence” with European data privacy laws (GDPR).

The EU-US Privacy Shield program was a popular way for U.S. companies to comply with the restrictions on cross-border data transfers set forth in GDPR (Article 44). Since the U.S. does not have an adequacy decision under European privacy laws, the Privacy Shield Program was the most efficient way for many U.S.-based companies to lawfully move data to the U.S. from Europe under GDPR.

This decision largely centered on European concerns for U.S. surveillance programs and the ability for private data to end up with public authorities. The Court found that “the requirements of US national security, public interest and law enforcement have primacy [over individual data rights], thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.”[1]

The Court also called in to question the efficacy of the “standard data protection clauses” as a means of cross-border data transfer, particularly in countries like the Unites States where public authorities have significant data access. The court stopped short of invalidating the standard clauses as a lawful means of transfer altogether, but the court emphasized the need to consider the practices of the countries in which the standard clauses are used, seemingly inferring that they might not be appropriate in places like the United States.

We do not yet know the U.S. response to this decision; however, without Privacy Shield, U.S. companies will have to rely on a different means of lawful data transfer. Examples include Standard Contractual Clauses discussed in Article 46 (subject to the comments above), Binding Corporate Rules (Articles 46 and 47), explicit consent (Article 49), necessity for performance of a contract (Article 49), exercise or defense of legal claims (Article 49), or the other “derogations for specific situations” identified in Article 49 of GDPR.

[1] CJEU Press Release, available at https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf (July 16, 2020).

Posted by Michael Titens and Vlad Markovic - IS Security Manager

Over the last few months, many of us have been adapting to new work environments featuring less reliable wifi, videoconference cameos by our children and pets, and more casual dress codes.  At the same time, cyber criminals have been adapting their methods to target us in our new environs.  Here are a few of the latest threats:

Videoconference Vulnerabilities.

• There has been an increase in phishing e-mails and social engineering attacks, especially related to Zoom and other videoconference credentials.  Beware of any email containing links and stating you missed your meeting, need to activate your account again, or that your web conferencing software is vulnerable. 
• Malicious software can be sent using fake web conferencing invitations.  The emails may appear to be coming from a potential client or other contact claiming to be available for a call via one of the popular videoconference services.  In many cases, the invitation will contain a malicious Excel file supposedly containing the sender’s schedule.
• Cyber criminals are also registering look-alike domains to phish for videoconference credentials. Recommended precautions include only joining meetings from known contact, that you are expecting, and scrutinizing the videoconference link in your invitation – for example, a Zoom link should send you to zoom.us not zoom-meeting [dot] org or any other “strange” site.

Business Email Compromise (BEC) Scams

BEC scams include altering wire transfer and direct deposit instructions and efforts to divert escrow or other payments.  Recently, BEC Scams have been incorporating COVID-19 into their fraudulent appeals.  Some examples to look out for include:

• Using COVID-19 as an excuse to request a fraudulent switch or rescheduling of payments or a change to other business or government plans
  • Fraudsters posing as clients requesting that all invoices be changed to a different bank account due to “Corona Virus audits”
  • Attempts to exploit federal government stimulus plans and payment options
  • Posing as a CEO asking to switch payments “due to the Coronavirus outbreak and quarantine processes and precautions.”
• Scammers using claims of positive COVID-19 cases in their area to start an “urgent” email conversation

If you receive a payment or other request that appears to be out of the ordinary, take additional steps (including a confirmation phone call to a person you know on a number you have used before) before making any payment.  More generally, it is a good time to review existing relationships that provide for payment or receipt of funds by wire transfer to ensure multi-factor authentication is in place, identify which party is responsible for wire transfer fraud, and clarify insurance coverage for misdirected funds.

Other Malicious Activity

We have seen a spike in emails with malicious attachments that are disguised as invoices, purchase contracts, wire confirmations, and other documents that one would be inclined to open. One example of this type of a threat was a cleverly obfuscated document that stated it was a wire confirmation. In reality it was a new variant of a crypto-locker that at the time was undetectable by most antivirus tools.

The Weakest Link

Our home networks are only as strong as the weakest link.  Potential attack vectors include ancillary devices, such as printers, and other devices (like routers) that still use the manufacturer’s default login (e.g., “admin”) and password.  To strengthen cyber defense of routers, use strong passwords and select WPA-2 encryption.  Also, disable UPnP (universal plug and play) and keep your firmware up to date (some routers can be set to allow for automatic firmware updates).

Other computers on your home network might also be the weakest link.  All family members should be reminded to follow sound practices and view with suspicion any unexpected emails, attachments, or links.  Also, all computers should be updated with the latest security patches to protect against newly-discovered vulnerabilities.

Based on reports from some large employers, a full-time return to the office may be weeks or months away for many of us.  Maintaining good security practices and remaining vigilant will help protect our computers and networks from being compromised.

Posted by Justin Cohen, Craig Carpenter, and Vlad Markovic - IS Security Manager

When we think about cybersecurity, we often focus on our own people and systems. However, our vendors play a critical part of cybersecurity given how often we share data and integrate our IT systems with others. The 2018 Ponemon statistics estimated that over 50% of organizations have experienced a data breach due to a vendor’s security shortcomings. Here are some recent examples of breaches caused by third parties:

-        Hanna Anderson (over 10,000 California customers affected due to alleged malware in Salesforce Commerce Cloud’s e-commerce platform)(2019)

-         Quest Diagnostics (11.9M records via American Medial Collection Agency)(2019)

-         Target (at least 41M customer payment card accounts accessed via HVAC vendor; $18.5M settlement)(2013)

-         US Customs and Border Protection (Lost 100,000 records via a subcontractor network)(2019)

-         FBI (Lost 3 terabytes of confidential information – including FBI investigation records, millions of department files, personal data, system credentials, and even internal communication records)(2019)

So what should we do first?

Ensure you have a risk assessment and mitigation plan in place for managing vendors. Some may categorize vendors by risk and develop specific policies, procedures, and technical measures to reduce cyber risks for categories of vendors.

Then what?

Ensure proper vetting to understand the risk posed by new and existing vendors. Such vetting can be done in-house through cybersecurity and data privacy questionnaires, or via legal counsel and/or other third parties that assess cyber risks posed by vendors. While initial vetting is critical, routine vendor audits are recommended to ensure that each continues complying with your company’s policies, processes, procedures, and technical measures deployed for purposes of safeguarding their data.

What about their contracts?

Like anything else, if it’s important, put it in writing. Ensure that each vendor contract specifically addresses and allocates the costs and risks associated with that engagement. Common contractual provisions include representations and warranties to abide by your company’s cyber and data privacy policies and procedures. Depending on the circumstances, a warranty regarding compliance with industry standards (e.g. SOC2 or PCI-DSS) with data security audit rights and certifications may be appropriate. Depending on the circumstances, you should also consider including prompt notice provisions when a breach involving your company’s data is suspected. You may also want to allocate the costs of a data breach investigation and remediation in the agreement to avoid unknowns if an incident occurs, including which party should be responsible for the fees and costs associated incident investigation and remediation. If this engagement poses a significant data privacy risk (e.g., your company’s most sensitive data is involved), you should consider requiring that a vendor maintain a certain level of cyber insurance that covers your costs should a breach investigation take place. Finally, specifying the procedures for handling a suspected data privacy or cyber breach in your vendor contracts can save valuable time when an incident occurs.