Thinking about sharing data with a new vendor? Will you be responsible if the vendor’s systems are breached?

In recent months, our firm has counseled clients through data breaches that were the result of unauthorized access into a third party’s systems.  In these scenarios, our clients were not compromised directly, but hackers attacked a third party that hosted or had access to our clients’ data.  The responses to these events varied, depending in large part on the extent to which the third party stepped up to handle the fallout.

These events serve as a good reminder that data is frequently shared or integrated with third parties such as vendors and cloud-based providers.  Sharing data with these parties creates its own set of risks that, if overlooked, can create real problems in the future.  Vendor management is key, and it must be exercised with discipline not just at the outset of a new relationship, but throughout its course.  When selecting vendors, include in your process detailed questions about the security the vendor will deploy and its insurance coverage for security incidents.  Negotiate for specific contractual terms, including the level of security, segregation of your data from other businesses’ data, and notification requirements in the event of an incident (not just a breach).

Be careful to examine contractual clauses such as the indemnification obligations and limits of liability.  If the vendor’s liability is capped, make sure that amount is sufficient to cover the damages that might flow from a breach.  Even better, make sure the limit of liability does not apply to the indemnification obligation.  As consumers’ privacy rights expand, make sure the indemnification clause extends to claims arising from these emerging statutes.  Consider including audit rights to ensure continued compliance with these contractual promises after the contract is signed.

Whether your vendor is the real cause or not, your customers will look to you for answers if their information is compromised.  So, tread carefully as you enter into relationships to integrate your data.  Force yourself into the exercise of imagining a breach of your vendor’s systems.  How does the contract address that situation?  A little bit of negotiating while the vendor is trying to earn your business can go a long way to saving you in the event of a breach.