Can You Be Liable for Your Vendor’s Data Breach?
By Kathy Winger, Attorney at Law
As a business attorney, one of my most important obligations is to help clients manage their legal risks, which these days include exposure in the cybersecurity/data breach arena. One expanding area of concern is liability for a third-party vendor’s data breach. If your business shares confidential information with third-party vendors in its line of work, you are now obligated to ensure that those vendors keep that information secure. If the vendor fails to do so, your business could be liable for the damages that flow from a data breach involving your information. Luckily, there are several ways to help protect your business on this front.
First, be crystal clear about the details of your contract with any third-party vendors. The contract should address your liability versus the vendor’s liability and require indemnification in the event of a vendor data breach. You should also research your vendor’s data security standards and practices to confirm that they are as good as or better than your own and are being followed and updated. This should be done at the beginning of the relationship and periodically throughout the contract term. Since you will be depending on your vendor’s security to protect the information you share, it makes sense for you to be mindful of their standards, to make certain that they are followed and to be compensated if you suffer a loss.
Finally, your third-party vendors should confirm that they have adequate and appropriate cyber insurance to cover you in the event of a breach. In fact, if and where possible, the vendor should name your business as an additional insured on its cyber insurance policy.
If you’d like to learn more about this topic and other legal risks that business owners and technology professionals face in the world of cybersecurity and data breaches, join me at Global Security Exchange at 11 am on Tuesday, 25 September for Session #5333, Cybersecurity and Data Breaches from a Business Lawyer’s Perspective.
The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.