Among many other things, 2020 has been the year of vendor security incidents and data breaches. More than ever, we have responded to incidents for clients that were caused not by the client, but by a third-party vendor.
When a vendor causes a security incident, it will commonly report the incident to you and then walk away. Many will follow their contractual obligations and provide you with precisely the information they are required to provide per the contract, but then when you ask for more information, they clam up. They obviously are worried about legal liability and are trying to mitigate their losses.
A vendor’s security incident is not just a problem for the vendor. If a business has disclosed personal information, protected health information or other sensitive information to the third-party vendor, there are legal obligations for notification in the event of an unauthorized access, use or disclosure of that information. That becomes the company’s problem.
Once a third-party vendor reports an incident, a company must determine its legal obligations following the incident, which may include notification to individuals whose information was compromised as well as regulatory authorities. Making those determinations is costly and involves expending company resources. Following the determination, companies rightfully request reimbursement of those expenses from the third-party vendor because it was caused by the third-party vendor.
When a company requests reimbursement of actual costs expended from a third-party vendor, the third-party vendor will point to the vendor contract and often are able to say they are not responsible because there is no indemnification language in the contract, or the third-party vendor has limited its liability to the amount of the contract or another negotiated amount, which is often less than what was expended.
When negotiating contracts with third-party vendors, business folks are usually not thinking about the consequences of a security incident and what happens following an incident caused by the vendor. They may want to do business with a particular vendor because the vendor has a product or service that is perfect for the business’ needs, or they are in a rush to get the contract done. It is only when an incident occurs that we all go back and look at the contract to see what the obligations are and what requests can be made. Unfortunately, this year many of the incidents that occurred included contracts that were negotiated many years ago and had not been updated, or included out-of-date language that was onerous to the company that expended the resources following the incident because there was no indemnification language or severe limitations of liability. If that is the case, the next option is to sue the vendor, which is a long, expensive and drawn-out process that is unappealing.
To mitigate this unfortunate outcome, companies may wish to prioritize the review, amendment and negotiation of contracts with their highest risk vendors in anticipation of a security incident. It is a good time to start this project in view of many state data security laws that require contractual measures to be in place with third-party vendors that have access to personal information. Not only will the review and amendment of these contracts assist with compliance, but such diligence will assist with mitigation of risk and loss in the future.