Vulnerabilities / Threats
10/31/2011
12:52 PM
50%
50%

Data Breach Costs: Beware Vendor Contract Fine Print

Organizations often end up paying the consequential costs of data breaches when third-party vendor contracts aren't scrutinized.

My Mistake: 10 CIOs Share Do-Over Worthy Moments
Slideshow: My Mistake: 10 CIOs Share Do-Over Worthy Moments
(click image for larger view and for slideshow)
Whether it's from a vendor improperly securing database information it's hosting for a customer or a storage company that leaves backup information unlocked in a truck, data breaches caused by third parties happen all the time. If organizations are not careful in the way they construct their contracts with those vendors, the organization itself could end up being on the hook for far more of the breach liability than it expected. But if they do it right, they could use that contract as a tool to mitigate risk to their organization.

"As it currently stands, the focus of risk mitigation with respect to security are technical controls and other security measures, and the importance of the contract as a risk mitigating tool is overlooked," said David Navetta, founding partner of the Information Law Group. "As litigation increases in this area, for risk-conscious organizations, the protections in the service provider contracts are going to become very important."

Litigation in these cases of third-party breaches is a common occurrence, frequently with the third-party organization ducking under the radar as their customer gets hammered by class action suits. For example, when a breach that exposed data for 4.9 million active and retired U.S. military personnel was caused by the theft of backup tapes from the car of an employee at Science Applications International Corp. (SAIC), working on behalf of Tricare, in September, the $4.9 billion lawsuit by affected individuals filed last week was lodged against TRICARE and the Department of Defense, not SAIC.

Similarly, Stanford Hospital had a $20 million lawsuit filed against it after an employee at its billing contractor, Multi Specialties Collection Services (MSCS) inadvertently posted patient information on a homework help site online. Stanford has been on a publicity blitz claiming its outsourcer was totally to blame for the breach.

In most cases like those, the details of the actual contract between the organization and the supplier never really become public. Typically they're buried in closed settlement deals and kept locked down with non-disclosures. But John Nicholson, counsel for the global sourcing practice at the Washington, D.C.-based law firm of Pillsbury Winthrop Shaw Pittman, said that suppliers frequently evade the bulk of liability due to poorly drafted service contracts.

Read the rest of this article on Dark Reading.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6090
Published: 2015-04-27
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, and (3) IEGEditorCommands servlets in IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6, 6.0 SP2 before EP26, 6.0.3 before 6.0.3.0 iFix8, 6.0.4 before 6.0.4.5 iFix...

CVE-2014-6092
Published: 2015-04-27
IBM Curam Social Program Management (SPM) 5.2 before SP6 EP6, 6.0 SP2 before EP26, 6.0.4 before 6.0.4.6, and 6.0.5 before 6.0.5.6 requires failed-login handling for web-service accounts to have the same lockout policy as for standard user accounts, which makes it easier for remote attackers to cause...

CVE-2015-0113
Published: 2015-04-27
The Jazz help system in IBM Rational Collaborative Lifecycle Management 4.0 through 5.0.2, Rational Quality Manager 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Team Concert 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Requirements Composer 4.0 through 4.0.7, Rational DOORS Next Generation...

CVE-2015-0174
Published: 2015-04-27
The SNMP implementation in IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.5 does not properly handle configuration data, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

CVE-2015-0175
Published: 2015-04-27
IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.5 does not properly implement authData elements, which allows remote authenticated users to gain privileges via unspecified vectors.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.