Incident Response: Do Your Vendor Contracts Have Claws (for Liability)?

Doug Hudson, Senior Director, Cyber Risk Advisory, Coalfire

In previous blogs, we’ve discussed some of the struggles organizations have when responding to cyber incidents. For many, it is the recovery aspect, and specifically vendor liability for the data or privacy breach, that poses many questions. In trying to assign liability, the obvious place to start is the contract with the vendor. Generally, most vendor contract language limits liability to some small percentage of the contract value, and most contracts have limited liability clauses that completely remove vendor liability relating to damages even if the vendor is negligent in its implementation of the product or service.

The recent breach involving Ticketmaster UK provides an interesting illustration. In this incident, it was identified “that malicious software on a customer support product . . . was exporting U.K. customers' data to an unknown third-party.” This puts Ticketmaster UK in a challenging position. First, Ticketmaster seemed to be doing everything correctly by providing notification (, providing free identity monitoring for notified customers, and encouraging all Ticketmaster customers to reset their passwords. However, due to the nature of the compromise, they may still be in jeopardy of violating GDPR requirements. There is a lot of money at risk for Ticketmaster via fines, potential lawsuits, etc. 

This is where the vendor’s contract liability clauses become extremely relevant. Pertinent questions for Ticketmaster include, how much of the burden of this breach is going to be covered by the responsible vendor, or will the vendor’s exposure be limited thanks to the limited liability clauses in their contract with Ticketmaster?

One obvious takeaway is to review vendor contracts to determine whether data and privacy breaches are, or can be, excluded from the liability clause in the vendor contract. Beyond that, ensure you have a vendor risk management program that provides visibility into which vendors are most critical and/or pose the most risk. For those vendors that are most critical to maintaining business operations, it may make sense to include them as part of the incident response lifecycle. This could be as simple as requiring the vendor to demonstrate their ability to respond to and recover from a cyber incident. It may also require the vendor’s participation in the organization’s incident response tabletop testing.

All this relates to incident response recovery in a few ways. First, knowing your potential exposure to a vendor breach will help the organization better define their recovery strategy. Second, understanding the vendor’s contract liability for a breach gives your organization a chance to share risk with the vendor or transfer risk by engaging a different vendor with more friendly limitations of liability clauses. Finally, by knowing which vendors are critical and which present greater risk to the organization, you can employ risk mitigation strategies, reducing recovery time and expense.

If you rely on vendors (and who doesn’t?), remember to review and update your contracts so they address liability, and where possible, include those critical vendors in tabletop testing of your IR Plan.

Doug Hudson


Doug Hudson — Senior Director, Cyber Risk Advisory, Coalfire

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit Azure bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS