Breach Liability- 3rd Party Vendor Guarantees
Who is liable in the case of a data breach for your organization? Is it your internal IT team? The 3rd party vendor you chose for fraud prevention, encryption, or tokenization? Enterprise organizations worldwide are looking for their 3rd party vendors to accept full liability for a data breach. This seems only fair, because organizations are spending billions to lock down their environment, and all too often their customer data (PII, PCI, Usernames and Passwords, etc.) is exposed despite what they thought was a robust data security platform/stack. So, you have to wonder, will your 3rd party security vendor assume liability if they’re responsible for a data breach? Is this something that you can define in your Service Level Agreements (SLAs)? Will your cyber-insurance policy cover all of the fallout that comes with exposed customer data in a breach? What types of guarantees should your organization demand from their 3rd party providers and vendors? 3rd Party Accountability is stepping into the limelight as more enterprise organizations refine and expand their cyber security protections, and it is about time for those providing data security services to play their part.
Organizations want their security vendors to guarantee their platforms/stacks with both policy and technology. Some organizations have gone as far as extending financial guarantees in the event that their security stack is found to have not performed successfully in the wake of a breach, beyond traditional service disruption payouts. If you are offering the world’s best tokenization solution, then at a minimum you should do your part in the event of a data breach. Do your vendor’s technology and security policies equate to a successful prevention of a data breach? Let me be very clear that any policy which exists without the technology to back it up, or vice versa, is most likely going to fail. In short, the technology needs to actually perform with no fallback that will expose sensitive customer data.
Cyber Insurance Policies
Cyber insurance policies were born out of the constant conflict of traditional policies and data breach coverage policies with the primary focus on securing PII (personally identifiable information). The tricky part with cyber insurance policies is that they are often filed on a claims basis as opposed to having the option of a claims basis or occurrence basis. Oftentimes data breaches can go undetected for months or even years, so it is imperative to have your legal team include retroactive language. The majority of policies will cover first party (response expenses) and third party liability. However, there will be gaps in the policy, and it is up to your legal team to be exhaustive in defining the cyber risks and understanding coverage conditions that your company faces, and that certainly includes third party liability.
3rd Party Risk Management
Contractual agreements that include SLAs (Service Level Agreements) and any other derivation of organizational agreements with 3rd party vendors rely heavily upon language, as opposed to consistent audits and assessments to evaluate the security and best practices of third parties. Most organizations do not perform consistent assessments of 3rd party security policies and technologies to make sure they are in line with current security best practices. The unfortunate reality is that the FTC (Federal Trade Commission) has routinely held breached organizations responsible, even when a 3rd party was found to have misled an organization, or when the security platform did not adequately protect customer data. Including consistent audits and assessments should be part of the agreement with the 3rd party, to guarantee that your organization is never put in harm’s way
3rd Party Vendors Have to Accept Liability
The age-old adage, the buck stops here, is more relevant than ever in the world of data security. 3rd party vendors need to accept 100% of the responsibility for their part in any data security breach. And, to take that a step further, they should have no problem naming the customer they protect in their insurance policies. As referenced above, the FTC has routinely ruled against organizations even where their security stacks failed them. The thinking is that it is an organization’s responsibility to perform due diligence in understanding every last detail of how the security platform will secure customer data, and any shortcomings fall under negligence. An organization’s data security is necessarily ever-evolving, and for that reason any solution should be constantly tested, validated, assessed, etc., and that translates into money. Considering that the average cost of a data breach is $4,000,000, I guess it's up to you how you want to spend your money. Personally, I would be looking for the written assurances.