The US legal system rarely holds third-party IT and cybersecurity providers liable for data breaches, but experts say that could – and perhaps should – change in the near future.
Recent lawsuits following on from high-profile data breaches have highlighted the issue of third-party vendors’ liability for data incidents. On 24 July, plaintiffs pursuing Marriott in the wake of a massive data breach named its cybersecurity provider Accenture as a defendant. Nearly two weeks later, alleged victims of the Capital One data breach also pulled the bank’s cloud provider Amazon Web Services into a proposed class action lawsuit.
Naming third-party IT providers as defendants in data breach cases is rare. Under most privacy frameworks, data holders, rather than their vendors, are held responsible for data breaches, and must keep the data secure.
The same holds in the US under the Gramm-Leach-Bliley Act, which makes financial companies responsible for ensuring their affiliates and service providers safeguard customer information in their care, according to Alan McQuinn, a senior policy analyst at the Washington, DC-based Information Technology & Innovation Foundation. The actions against the third-party vendors in the Marriott and Capital One cases were not brought under the Gramm-Leach-Bliley Act, but most privacy and security laws function similarly, McQuinn says.
Along with the fact that most laws place more responsibility on data holders to protect their customers’ information, companies and vendors typically use contracts to distribute liability between them. Kenneth Dort, a partner at law firm Drinker Biddle & Reath LLP, notes that most contracts also include indemnification clauses – so “in the event of a breach, [the IT vendor] would owe a duty of indemnity to its customer — the company the affected people are dealing with,” he says.
Dort suspects the plaintiffs will have a difficult time holding Amazon Web Services and Accenture liable in the current cases against them.
“You would rarely see third-party claims because the plaintiff has to allege that the third-party vendor has a direct duty to the customers,” Dort says. “That’s pretty hard to show… most courts really don’t look at this very supportingly.”
But vendors can still be on the hook if they are responsible for breaches. Alongside indemnification clauses, companies successfully sued for data breaches could turn around and pursue their own claims against the IT providers, Dort says. Victoria Beckman, co-chair of Frost Brown Todd's data security team, says companies can also name their IT providers as third-party defendants – meaning that if lawsuits against the companies are successful, the providers would be liable.
Why, then, are the plaintiffs in the Marriott and Capital One cases naming the third-party providers as defendants? The plaintiffs in both cases allege that Accenture and Amazon Web Services acted negligently.
Beckman says naming those third-party providers as defendants could be a typical class action lawsuit tactic: “Name everyone as defendants and see what sticks.”
But one cybersecurity expert thinks the recent actions against the third-party vendors could expose a deep problem within the IT industry: that providers are not giving their customers sufficient tools to protect consumer data. “That’s the dirty little secret,” says Ken Morris, the founder of cybersecurity company KnectIQ.
Morris explains that most companies and governments still operate under the assumption that encryption is the best practice for securing data. Indeed, the US Federal Trade Commission is in the process of updating its Safeguards Rule under the Gramm-Leach-Bliley Act to require all financial institutions to encrypt their customer data.
But while encryption is a strong defence against brute-force attacks – trying every possible key until one unlocks the data – attackers have largely stopped trying to break the encryption and instead work around it. Those methods mostly revolve around stealing the encryption keys; an attacker holding the keys can decrypt the data and move through systems as though the encryption were not there, without triggering an alert, Morris says.
Luckily, Morris says there are solutions that allow companies to encrypt their data without having to store encryption keys. The problem is that most companies have yet to adopt such measures.
“The data holders, frankly, are using what the third parties are telling them they should use. It’s up to third-parties to secure data,” Morris says. “The public and governments and the legal profession are starting to look at this and say, ‘Wait a minute, who’s providing tools, training, and infrastructure?’ At some point, those providing the tools will have to respond.”
Ideally, the US federal government would pass legislation assigning more responsibility to third-party IT providers when it comes to cybersecurity issues, Morris says. Beckman makes similar remarks, saying that the lawsuits involving Amazon Web Services and Accenture are likely the result of a legislative lacuna.
“I do think these lawsuits are a growing trend because people are more aware of how their privacy is being violated and want to hold companies accountable and because there are no other real remedies available, in part because of the lack of legislation at both the state and federal level,” she says.
In Beckman’s home country of Colombia, the law allows regulators to investigate data breaches and assign blame accordingly, she says.
But even without Congress passing a new law, US courts could still act, Morris argues, acknowledging that decisions holding third-party vendors liable would probably result in a lengthy appeal process. Courts could find against the vendors by finding them negligent for providing outdated cybersecurity solutions – “That’s the argument I would make,” Morris says.
Dort says he is more sceptical that courts could assign more liability to vendors. If a court rules against a third-party defendant, vendors and their customers would then simply adjust their contracts accordingly, he says.
“What companies do – not just in the cybersecurity area – is they’re always looking at what courts do in respect of holding companies liable,” Dort says. “Even if a court finds that vendors have a common law duty of care, you’ll see them renegotiating existing contracts – implementing different provisions to protect themselves from those kinds of contingencies.”
Lawmakers explicitly assigning liability to third-party vendors in the event of data breaches would also bring its own problems, Dort says, as it could cause the price of IT services to skyrocket.
Dort paints a bleak picture for those hoping that US courts or Congress can hold third-party vendors responsible for data incidents.
But if there’s a silver lining in all this, it could be that the data breaches and their accompanying lawsuits and negative publicity could encourage IT providers and data holders to step up their cybersecurity efforts, Beckman says.
“Companies are going to realise how important it is to have cybersecurity plans and response plans for how they handle breaches,” Beckman says. “It’s almost impossible to avoid a breach, even under the most sophisticated breaches, but it’s how you respond.”
