Inside InfoSec Law

An Elkins PLC Blog on Information Security, Cybersecurity, and Privacy Law

Protection of Company Data Means Ensuring That Other Companies Protect Themselves As Well

On September 1, 2017 it was reported that 4 million records detailing the personal information of Time Warner Cable customers were exposed in a data breach. Time Warner Cable was purchased last year by Charter Communications and is now called “Spectrum.” Just one day later it was reported that TigerSwan, a private security firm, had suffered a similar data breach exposing the personal information and expertise of individuals with security clearances ranging from classified to top secret.

These data breaches have two things in common: (1) the sensitive data exposed was stored on an Amazon server without password protection, and (2) the security standards of Charter Communications and TigerSwan were not to blame, but rather the lax security standards of a third-party vendor used by the companies to process their data. In both cases, third parties hired to process the data held by other companies did not employ the simplest and oldest of data protections: passwords. Unfortunately, in instances such as these, companies will find that the blame ultimately lies with them for the lack of security of their third-party contractors, resulting in costly legal exposure.

Data breaches of third-party contractors handling sensitive information of bigger companies will often lead to bigger breaches. Scenarios like this are nothing new, and happen quite often. Target famously suffered a breach in 2013 which ultimately cost them $202 million. Although there were many things that went wrong for Target that led to the breach, the first thing that went wrong was a data breach of the company that supplied HVAC services to Target. The HVAC company had access to Target’s network, which led to hackers breaching Target and exposing the personal information of 70 million customers, including 40 million credit card records.

In today’s world, companies need to be concerned not only with the security of their own network, but also with the network security of their partners and the companies they contract with. When services involve sensitive data, legal review of contracts should aim to protect companies by including data protection and privacy provisions. Contracts should include clauses addressing confidentiality, specifying the particular use of information, and mandating no further use of such information other than for the purposes contracted. Additionally, contracts should require that the included privacy and data protection terms flow down to all subcontractors, address data flow across country borders, and require notification and disclosure of breaches. Finally, it is important that contracts include standard information security provisions that detail data protection procedures and security controls. These can include clauses on encryption of data, network security, access controls, segregation of data, employee background checks, and audit rights.

The above contract considerations are meant to be illustrative and not exhaustive. The extent to which companies can address these issues will always depend on the context of the contractual relationship and the sensitivity of the data at stake. It is crucial in this day and age that companies not only face the cyber threats to themselves, but also the cyber threats to their partners and contractors. The first step to doing this is ensuring that such parties are contractually bound to put in place appropriate privacy and data protections.

Disclaimer: The materials available at this web site are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this web site or any of the e-mail links contained within the site do not create an attorney-client relationship between the author or Elkins PLC and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
