In previous blogs, we’ve discussed some of the struggles organizations have when responding to cyber incidents. For many, it is the recovery aspect, and specifically vendor liability for the data or privacy breach, that raises the most questions. In trying to assign liability, the obvious place to start is the contract with the vendor. Most vendor contract language limits liability to some small percentage of the contract value, and most contracts also contain limitation-of-liability clauses that completely remove vendor liability for damages, even if the vendor was negligent in its implementation of the product or service.
The recent breach involving Ticketmaster UK provides an interesting illustration. In this incident, it was identified “that malicious software on a customer support product . . . was exporting U.K. customers' data to an unknown third-party.” This puts Ticketmaster UK in a challenging position. First, Ticketmaster seemed to be doing everything correctly by providing notification (https://security.ticketmaster.co.uk/), providing free identity monitoring for notified customers, and encouraging all Ticketmaster customers to reset their passwords. However, due to the nature of the compromise, they may still be in jeopardy of violating GDPR requirements. There is a lot of money at risk for Ticketmaster via fines, potential lawsuits, etc.
This is where the vendor’s contract liability clauses become extremely relevant. Pertinent questions for Ticketmaster include: how much of the burden of this breach is going to be covered by the responsible vendor, and will the vendor’s exposure be limited thanks to the limited liability clauses in its contract with Ticketmaster?
One obvious takeaway is to review vendor contracts to determine whether data and privacy breaches are, or can be, excluded from the liability clause in the vendor contract. Beyond that, ensure you have a vendor risk management program that provides visibility into which vendors are most critical and/or pose the most risk. For those vendors that are most critical to maintaining business operations, it may make sense to include them as part of the incident response lifecycle. This could be as simple as requiring the vendor to demonstrate their ability to respond to and recover from a cyber incident. It may also require the vendor’s participation in the organization’s incident response tabletop testing.
All this relates to incident response recovery in a few ways. First, knowing your potential exposure to a vendor breach will help the organization better define its recovery strategy. Second, understanding the vendor’s contract liability for a breach gives your organization a chance to share risk with the vendor, or to transfer risk by engaging a different vendor with more favorable limitation-of-liability clauses. Finally, by knowing which vendors are critical and which present greater risk to the organization, you can employ risk mitigation strategies that reduce recovery time and expense.
If you rely on vendors (and who doesn’t?), remember to review and update your contracts so they address liability, and where possible, include those critical vendors in tabletop testing of your IR Plan.