The Risk, the Cost and What You Can Do to Protect Against Them
The following article emphasizes that data breaches – especially within the supply chain – are increasingly costly and often stem from human error or third-party vulnerabilities. It highlights the importance of employee training, third-party due diligence, and proactive contract negotiations to mitigate risks before a breach occurs. SBAM offers members practical solutions to these challenges through RiskAware assessments to identify vulnerabilities, SensCy services to strengthen cyber hygiene and training, and cyber liability insurance coverage to manage financial risk. Together, these resources help small businesses reduce the likelihood of an attack and minimize the impact if one occurs.
Data breaches are increasing in frequency and cost for U.S. corporations, and businesses in the supply chain are often prime targets for bad actors. It’s critical for suppliers to understand the risk and costs of data breaches, as well as the steps they can take to prevent them.
As we often note in other contexts, bad actors only need to get lucky one time, while organizations need to protect themselves against every potential threat. Given the sophistication of cybercriminals, the proliferation of technology within organizations and the rise of artificial intelligence, many companies view a cybersecurity incident not as a matter of “if” but “when.”
Even though external attacks garner headlines, the greatest threat to any organization is its own people — employees, service providers, agents or volunteers — as the majority of breaches still stem from human error. If an organization wants to strengthen its security posture, the two easiest things it can do are to emphasize training and to vet all service providers thoroughly.
Training
Ongoing training for employees, vendors and contractors is essential to reinforce a culture of security awareness. Organizations should review policies and procedures and revise when necessary to ensure consistency. With the rapid pace of technological change, policies and procedures can quickly and easily become out of sync. A regular review of both will help identify any inconsistencies and allow organizations to correct them before major issues arise.
A thorough review is not a one-person job, either. The organization should involve multiple stakeholders to fully understand the uses of sensitive data and the means of transit both inside and outside the organization.
Third-Party Due Diligence
Despite their best efforts, many organizations will eventually experience a data breach. The most difficult to protect against is a third-party data breach involving company data. By the time such a breach occurs, it’s often too late to negotiate with the third-party service provider over who will cover the costs. At that point, substantial damages may have been incurred, and both parties are likely to shift blame to avoid responsibility for these potentially extensive costs.
Costs can include attorneys’ fees, required notification to both individuals and the media, staffing a call center and providing credit monitoring services, to name a few. If the breach involves confidential information from other parties, additional obligations may also need to be analyzed, potentially adding even more costs.
Most statutory and regulatory schemes do not set out ex ante who should be responsible for data breach costs. As such, parties are often left without any guidelines as to how liability should be apportioned between them. State attorneys general are also increasingly imposing fines and penalties when a data breach affects their residents.
Given this backdrop, there’s no doubt supply chain companies should carefully evaluate their service providers before entering into any agreement. Discussions regarding liability for data breaches need to take place during initial contract negotiations, where parties can determine, often based on relative negotiating strength, who should be responsible for data breach costs.
Key Contract Considerations
Given the nature of a breach and associated costs, organizations should be careful to avoid waivers of consequential damages that are often boilerplate in many agreements. A court would likely categorize the types of breach-related expenses listed above as consequential damages. As a result, without a carve-out, the third party could escape any liability for associated costs.
If uncapped liability is not achievable, organizations should explore a “super cap,” often a multiplier of fees paid. Alternatively, the parties may agree to a set dollar limit in the event of a breach. Pay close attention to the trigger events that can create a payment obligation. A data breach may occur even without a contractual breach, so clarity is essential.
With proper planning and foresight, as well as an ounce of prevention, organizations can reduce the probability of experiencing a data breach and limit damages when and if one occurs.
If you are seeking guidance regarding the steps you can take to protect your business from the risks and costs of a cyberattack, please reach out to Nate Steed or another member of Warner’s Cybersecurity and Privacy team. Our team has substantial experience developing incident response plans and can help you draft or update your incident response plan before an attack happens. In the unfortunate event of a cyberattack, Warner can help you navigate the aftermath to minimize the impact.
Article courtesy of Warner Norcross+Judd