Alston & Bird recently issued an Advisory, co-authored by Jim Harvey and Karen Sanzaro, on the complexities of managing a data breach that implicates strategic third party vendor relationships.
Cybercrime and data security incidents are on the rise. Security breaches and the ensuing investigation and remediation process can be costly and complex. The process is further complicated if the breach implicates a company’s third party service provider, or the services provided by such third party, particularly where the services or the service provider are strategic or essential to a company’s ongoing operations. In these circumstances, the company has the customer relationships and likely has the compliance and notification responsibility, but must rely on the cooperation and assistance of its service provider in order to meet these obligations and otherwise mitigate the effects of the breach. If the service provider is the one that experienced (or was responsible for) the breach, the incident response process may be further complicated by a service provider’s (sometimes) conflicting motivations to support its customer while avoiding facts that might indicate a breach of the underlying services agreement (to the extent those facts exist).
Regulatory guidance regarding management of vendor risk generally focuses on breach prevention activities, with an emphasis on due diligence, ongoing oversight, robust contract protections, and breach notification requirements, leaving companies on their own to plan for and manage the complexities of the vendor relationship during post-breach investigation and remediation activities. Yet, despite the ubiquity of cyber threats and the increased awareness by businesses of the need for robust cyber security and vendor management policies, many companies have not adequately addressed the risks posed by vendors or contemplated appropriate breach response activities for security incidents involving, or requiring cooperation of, their vendors.
In the event of a significant third-party intrusion, a company must investigate the situation to find out what is causing the unauthorized data access or exfiltration, take steps to eliminate that access and/or exfiltration, and then engage in remediation activities to repair the damage done by the attack and prevent similar attacks in the future. This is a complicated endeavor, as information from the network and affected systems must be gathered and preserved (in a forensically sound manner), and the ensuing analysis may often require deployment of software agents to search for malware and other indicators of compromise, creation of monitoring capability for network traffic, investigation of live memory (RAM), and forensic deep dives on individual systems, all of which becomes even more complicated when you add a third-party vendor to the mix.
In addition, companies should take into account the attorney-client and work-product privilege in determining who will be responsible for conducting the investigation and engaging independent investigators. If the vendor or vendor’s investigator will be conducting the investigation, or if the vendor insists on a confidentiality agreement being signed by the company’s outside investigator, the company will need to consider what impact that may have on the privileged nature of the investigation.
Companies can avoid (or minimize) potential complications for critical vendor relationships by documenting each party’s breach response rights and obligations as part of the contractual documentation before a breach occurs, rather than trying to negotiate terms in the midst of an extreme crisis. The Advisory includes some practical considerations to factor into cyber risk management and incident response strategies.
The Advisory can be found on our website here.