The number of cybercrime incidents has steadily increased in recent years, and that number will likely continue to climb as businesses, educational institutions and governmental agencies are increasingly relying on digitized data. Organizations across a wide range of industries rely on third-party vendors to provide services that frequently involve access to customer and other sensitive data. These organizations should ensure that their vendor contracts contain robust confidentiality and data breach remediation provisions.
In its 2018 Data Breach Investigations Report, Verizon noted that there were more than 2,200 confirmed data breaches worldwide in 2017. Verizon stated that ransomware – malware that makes information on file servers and databases unusable through encryption until a ransom is paid – had become the most prevalent variety of malicious code, with ransomware being used in 39% of all malware-related data breaches. Malwarebytes found in its 2019 State of Malware report that the use of ransomware declined in 2018, but it noted that bad actors still attempted to use ransomware more than 5.9 million times that year.
The U.S. Congress has enacted some industry-specific laws, but there is no comprehensive federal data security law. The Federal Trade Commission has used its authority under Section 5 of the Federal Trade Commission Act to target businesses that failed to adhere to their privacy policies, but this act does not apply to everyone and, in any event, an investigation does not return the horse to the stable. Many states have some form of data security law, but they are not uniform.
Under the federal Gramm-Leach-Bliley Act, certain financial institutions are required to safeguard the confidentiality of “nonpublic personal information” about consumers that they collect. The federal Family Educational Rights and Privacy Act requires educational institutions and other entities that receive funds for programs administered by the U.S. Department of Education to safeguard the confidentiality of a student’s “personally identifiable information.” Health plans, providers and certain other health-related entities that transmit health information in electronic form (and vendors who have access to such information) are obligated under the federal Health Insurance Portability and Accountability Act to maintain the confidentiality of a patient’s “protected health information.”
In Maryland, each business that owns or licenses personal information about a Maryland resident is required to implement and maintain reasonable security procedures and practices to protect that information and to notify affected residents and, under certain circumstances, the Office of the Maryland Attorney General and consumer reporting agencies in the event of a data breach. It is generally a crime in Maryland for a financial institution to disclose, and for any person to induce or attempt to induce a financial institution to disclose, a customer’s “financial record.” Under the Maryland Attorneys’ Rules of Professional Conduct, a lawyer is obligated to protect the confidentiality of electronic data about his or her clients.
Providing a vendor with access to sensitive data obviously increases the risk that it will fall into the wrong hands, because protection then depends on both parties implementing and maintaining the systems, policies and procedures necessary to prevent a data breach. Aside from the legal consequences that might arise from a breach of the vendor’s systems, an attack that encrypts data and prevents its use can be enormously disruptive and can result in thousands, if not millions, of dollars in losses.
Financial institutions commonly make customer information accessible to vendors, and the federal banking regulators have issued guidance to address the associated risks. Among other things, this guidance requires institutions to conduct due diligence on potential vendors and include appropriate data security provisions in their vendor contracts. All entities can take a lesson from this guidance, as its principles can translate to any industry.
Aside from thorough due diligence, the parties’ contract should be drafted on the assumption that a data breach will occur. A well-drafted contract should require the vendor to safeguard and protect information in accordance with the laws that are applicable to both parties, and the vendor should be required to institute and maintain commercially reasonable procedures to ensure the confidentiality of that information. In addition, the vendor should be required to monitor those procedures to ensure that information remains confidential, to promptly notify the client of any data breach or misappropriation, and to take all actions that the client may reasonably request to limit, cease or otherwise remedy the breach, including assisting the client with any required notifications to customers and law enforcement authorities. Finally, the contract should include indemnification provisions that require the vendor to cover losses suffered from a breach of its data security obligations (including the cost of required consumer notifications).
Although the product is relatively new, some insurers offer insurance coverage for data breaches, including ransomware attacks. Policies differ, but many will cover the payment of the ransom under various circumstances in addition to the insured’s other losses suffered on account of the breach. Data security professionals almost universally believe that paying a ransom should be a last resort, but even the Cyber Division of the Federal Bureau of Investigation acknowledged in its February 8, 2016 memo, Responses to Senator Wyden’s Questions on Ransomware, that it might be the victim’s only solution to avoid long-term paralysis and resulting financial losses. Entities that rely on digitized data should consider the purchase of data breach coverage, and those that provide access to third-party vendors should consider requiring the vendors to do the same.
Of course, paying a ransom does not guarantee that the encrypted data will be restored. It is also a federal crime to engage in most financial transactions with foreign terrorist organizations and with persons on the Specially Designated Nationals and Blocked Persons List promulgated by the Office of Foreign Assets Control, and it will likely be difficult to determine the true identity of a hacker.
Taking steps to prevent, or at least minimize the impact of, a data breach is the best defense, and those steps should include a thoughtful review of any third-party contract that provides access to data.