With massive data breaches that have recently wreaked havoc on privacy concerns among U.S. businesses and consumers, a growing number of companies are now demanding that vendors fill out questionnaires to show proof of cybersecurity measures. Should your business do the same?
Businesses of all industries generate, store, use, and otherwise come into contact with numerous pieces of data that constitutes “personally identifiable information” belonging to consumers. The risks are not only limited to businesses in the health or medical industry — virtually every business that conducts any business or receives or stores information online is at risk.
Back-Door Access to Protected Information
Recently, CIOs and hackers are discovering that the quickest way to a company’s classified data is often through a third party. The hackers that stole 40 million credit cards and debt card numbers from Target Corp., for example, broke into the company’s network by stealing credentials from its heating and air conditioning contractor. In these circumstances, the risk is not that the company’s data gets hacked because of something the company did, but because of something the company’s vendors did not do. With the ongoing security threats targeting vendors, payment processors, data storage sites, and information clearinghouses, businesses must demand greater cybersecurity measures from their vendors or find themselves exposed for not taking enough precautions, if a data breach were to occur.
The Basic Checklist
Off-Shore Contractors. Businesses should ask whether their vendors make use of any off-shore contractors. India, Pakistan, Bangladesh, China, and Malaysia often provide very cheap sources of labor for a variety of transactions, including product sales, information technology, e-commerce, payment processing, sales, marketing, and website development, including back-end consumer databases. Labor from any of these or other countries can be utilized by U.S. based vendors who outsource most of the work that is actually being performed for clients. Businesses that place confidential consumer information in the hands of their vendors should make sure they ask and are aware of how much of that information is being transmitted overseas, where data breaches are far more prevalent and more difficult to detect.
Encryption. Recent court cases have spared some companies accused of data breaches from liability when they have been able to demonstrate the data allegedly accessed was encrypted or not plainly accessible by the intruders due to being accessible only through special proprietary software, or other as a result of restrictions. Businesses should inquire whether their vendors encrypt files that are being transmitted, how and where files are stored, the level of security that protect such data, whether the vendor uses secure email, and how much of information transmitted is unencrypted.
Portable Devices. In today’s age, most professionals are expected to have workplace email access installed on their PDAs and smartphones. But what happens to vendors whose employees’ quit or have their PDAs lost, stolen, or accessed by unauthorized intruders? Some companies are demanding that their service providers ensure that company data does not reside on flash drives, iPads, or other portable devices. At the very least, businesses should take steps to ensure that consumer or client data does not reside on vendor PDAs, or that the vendor uses remote wipe software if employee PDAs are lost/stolen, or if employees depart.
Professional Data Breach Software. Businesses should also inquire whether their vendors are using professional security software and equipment. In the case of Target Corp.’s data breach, for example, the heating/air conditioning vendor used by Target admitted that their security software consisted of a free version of downloadable software that did not provide real-time protection, and only consisted of an on-demand scanner. Obviously, service providers handling substantial amounts of consumer data or with access to a businesses’ network should be protected through enterprise-level security software. But, it is the businesses’ duty to inquire, given that vendors may not volunteer information about poor security measures. It can be tough to avoid responsibility for catastrophic data breaches such as this, if not even inquiries are made about a vendor’s ability to detect and protect against intrusions.
Desktop Security. A significant number of breaches have also been the result of phishing schemes, often through innocuous email sent to low-level employees who may not suspect they are the targeted entry-door to a corporation’s networks and information systems. Businesses should ensure that vendors make it a priority to ensure that computing infrastructure provided to clerks and support staff are as equally secure as those used by the vendors’ executives.
Insurance. Businesses are also increasingly demanding that vendors carry liability insurance covering data breaches. When a service provider falls victim to a massive data breach, repairing the damage can be overwhelming, and unless the service provider has the resources to handle the response effort required, the quality of services (or even its existence) could succumb to the time, effort, and expense needed to handle the data breach. An insurance policy providing coverage for data breaches may provide additional support and resources for the victim company, in the event of a data breach.
► Getting Legal Help
AXIS Legal Counsel’s Business and Corporations Practice provides legal advice to numerous businesses with a wide range of business matters. Axis represent small, medium-sized, and large business clients with a wide variety of business and corporate law matters. We represent early-stage companies as well as established businesses on a wide variety of business law matters, ranging from contracts and transactions, intellectual property, labor/employment law, business financing, mergers and acquisitions, real estate, insurance, business succession planning, and general advice and counsel. For information on retaining AXIS Legal Counsel to represent your business in connection with any legal matter, contact firstname.lastname@example.org or call (213) 403-0100 for a confidential consultation.
Our Business & Corporations Practice
► Download All 2020 Business Essentials Package – $49 Only
Check out our complete line of handy forms and templates for California small businesses.
Download Our Entire Suite of
Templates, Policies, and Procedures
Our 17 Most Popular Forms – Only $49
*** NOW UPDATED FOR 2019 ***
► Submit a Question
Have a question that is not answered? Submit your question below so we can help other businesses by contributing to the knowledge base.