
Alston & Bird Privacy, Cyber & Data Strategy Blog


The Importance of Strategic Vendors in Breach Response

January 25, 2016 By Karen Sanzaro and James Harvey

Alston & Bird recently issued an Advisory, co-authored by Jim Harvey and Karen Sanzaro, on the complexities of managing a data breach that implicates strategic third party vendor relationships.

Cybercrime and data security incidents are on the rise.  Security breaches and the ensuing investigation and remediation process can be costly and complex.  The process is further complicated if the breach implicates a company’s third party service provider, or the services provided by such third party, particularly where the services or the service provider are strategic or essential to a company’s ongoing operations.  In these circumstances, the company has the customer relationships and likely has the compliance and notification responsibility, but must rely on the cooperation and assistance of its service provider in order to meet these obligations and otherwise mitigate the effects of the breach.  If the service provider is the one that experienced (or was responsible for) the breach, the incident response process may be further complicated by a service provider’s (sometimes) conflicting motivations to support its customer while avoiding facts that might indicate a breach of the underlying services agreement (to the extent those facts exist).

Regulatory guidance regarding management of vendor risk generally focuses on breach prevention activities, with an emphasis on due diligence, ongoing oversight, robust contract protections, and breach notification requirements, leaving companies on their own to plan for and manage the complexities of the vendor relationship during post-breach investigation and remediation activities.  Yet, despite the ubiquity of cyber threats and the increased awareness by businesses of the need for robust cyber security and vendor management policies, many companies have not adequately addressed the risks posed by vendors or contemplated appropriate breach response activities for security incidents involving, or requiring cooperation of, their vendors.

In the event of a significant third party intrusion, a company must investigate the situation to find out what is causing the unauthorized data access or exfiltration, take steps to eliminate that access and/or exfiltration, and then engage in remediation activities to repair the damage done by the attack and prevent similar attacks in the future.  This is a complicated endeavor, as information from the network and affected systems must be gathered and preserved (in a forensically sound manner), and the ensuing analysis may often require deployment of software agents to search for malware and other indicators of compromise, creation of monitoring capability for network traffic, investigation of live memory (RAM), and forensic deep dives on individual systems, all of which becomes even more complicated when you add a third party vendor to the mix.

In addition, companies should take into account the attorney-client and work-product privilege in determining who will be responsible for conducting the investigation and engaging independent investigators. If the vendor or vendor’s investigator will be conducting the investigation, or if the vendor insists on a confidentiality agreement being signed by the company’s outside investigator, the company will need to consider what impact that may have on the privileged nature of the investigation.

Companies can avoid (or minimize) potential complications for critical vendor relationships by documenting each party’s breach response rights and obligations as part of the contractual documentation before a breach occurs, rather than trying to negotiate terms in the midst of an extreme crisis.  The Advisory includes some practical considerations to factor into cyber risk management and incident response strategies.

The Advisory can be found on our website here.

Filed Under: Advisories, Cyber Risk, Data Breach, Regulation Tagged With: Third Party Service Provider

About Karen Sanzaro

Karen Sanzaro is counsel in Alston & Bird’s Technology Group and Privacy & Data Security Team. Karen’s practice focuses on complex outsourcing and technology transactions and privacy counseling.


About James Harvey

Jim advises clients on a wide range of data, privacy, cybersecurity, and technology services initiatives. Jim founded and co-chairs our Privacy & Data Security and Cybersecurity Preparedness & Response teams. His practice crosses all data, privacy, and security lines and ranges from all aspects of breach and incident response to board-level advice to proactive data transfer and data governance counseling.


Copyright © 2021 · Alston & Bird · All Rights Reserved. Privacy.