Yesterday Target announced that the hackers who committed the breach that has potentially affected as many as 110 million customers gained access to its systems through one of its vendors. Although the details are still emerging as the forensic investigation continues, this early report is a reminder that your vendors can be a potential source of vulnerability for you.
An intrusion into the systems of a vendor or other business partner can be the launching pad for an attack against your systems. If you have vendors or other business partners that have access to your systems, now is a good time to take a look at your contracts with those third parties. Do those contracts appropriately impose obligations on the vendor to maintain reasonable cybersecurity measures? Do you have the contractual right to conduct data security audits to ensure compliance with those obligations? What do the contracts say about indemnification by the vendor if an attack on its system results in an attack on yours?
Good vendor management is an important part of an overall data security plan, and taking proactive steps now to address vendor vulnerabilities will help reduce your risk of a breach and your litigation exposure if one occurs.
Speaking of litigation, Target’s litigation nightmare only gets worse, as the first shareholder derivative suit was filed this week accusing Target’s officers and directors of, among other things, breach of duty for allegedly failing to take adequate steps to prevent the breach and then making misleading statements in the aftermath. Data privacy and security class-action suits have become the ambulance-chasing of the 21st century, and shareholder derivative suits are just the latest variation as plaintiffs’ lawyers scramble to find new ways to blame the victim for the breach. Increasingly, it’s not enough to blame the corporate victim; now the individual officers and directors are being blamed as well. Now more than ever, boards of directors need to be directly engaged on data security and privacy, ensuring that the company has done a data security assessment (including fully testing the company’s incident response plan), to protect the company and its customers and shareholders — and themselves.