06.30.15

Publication,

Managing the Cyber-Security Risks Posed by Vendors to Minimize the Risk of a Data Breach and Litigation or Regulatory Enforcement

PRACTICE GROUPS

Data security breaches are big news these days. As companies scramble to fortify their networks and protect personal information, an often-overlooked risk is becoming increasingly important: inadequate data security practices by vendors. For example, the massive 2013 Target data breach originated with hackers gaining entry to Target’s network through a third-party heating and cooling vendor, and other recent breaches have involved the theft of a company’s employee or customer information while it was on a vendor’s network. Unfortunately, a data breach at a vendor has many of the same effects as a breach of a company’s own network, including shattering public confidence and leading to lost business at the company that “trusted” the vendor. To counter this growing threat, this article provides a basic checklist of considerations for companies to use in managing security risks in vendor relationships.

As background, vendor data security management is quickly becoming a hot area for regulatory enforcement. In particular, the Federal Trade Commission (“FTC”) has been taking an increasingly aggressive role as a top data safety enforcer. One of the FTC’s primary mandates is to enforce the consumer protection provision of Section 5(a) of the FTC Act, which prohibits any “unfair or deceptive acts or practices in or affecting commerce.” 15 U.S.C. § 45(a)(1). The Act broadly defines “unfair” practices as those that cause, or are likely to cause, substantial injury to consumers, which is not reasonably avoidable by consumers themselves and not outweighed by benefits to consumers or competition. 15 U.S.C. § 45(n). The FTC has seized on that broad language as an authorization to initiate regulatory enforcement action against companies that the FTC perceives as having lax data security practices that put consumers’ or employees’ personal information at risk.


Published by Association of Corporate Counsel – Washington – 2Q, 2015

For more information, contact Gavin Skok.

Read entire article (PDF).