Verizon Data Exposure Incident Highlights Importance of Third-Party Due Diligence
ALM Media
The news that a Verizon Communications Inc. vendor exposed millions of customer records has highlighted the serious risks related to trusting third-party vendors with company data.
When there's a breach or data is exposed, no matter where it originates, the responsibility often comes back to the company, said current and former in-house counsel, so legal departments must ensure that they conduct proper third-party vendor due diligence.
On June 8, a cyber risk analyst at cybersecurity company UpGuard Inc. discovered that millions of Verizon customer records were sitting unprotected in a cloud storage bucket (an Amazon S3 bucket, according to UpGuard) controlled by an employee of third-party vendor NICE Systems. The exposed information, which included customer names, addresses, phone numbers and account personal identification numbers (PINs), was generated from customer service calls from January through June 2017 and was downloadable by anyone who reached the bucket; no credentials were required. According to UpGuard, Verizon was notified of the exposure on June 13 and the data was secured on June 22.
In response to a request for comment on the exposed information, a Verizon spokesperson pointed Corporate Counsel to a July 12 statement from the company. "[A]n employee of one of our vendors put information into a cloud storage area and incorrectly set the storage to allow external access," the statement said, adding that the number of exposed accounts is around six million. "We have been able to confirm that the only access to the cloud storage area by a person other than Verizon or its vendor was a researcher who brought this issue to our attention. In other words, there has been no loss or theft of Verizon or Verizon customer information." A finding of that kind can only be as good as the storage's access logs for the whole exposure window; where logging was not enabled, "no one else accessed it" is an assertion rather than an observation.
In a statement, a NICE spokesperson said that a "human error that is not related to any of our products or our production environments, nor their level of security, but rather to an isolated staging area with limited information for a specific project" allowed customers' data to be made public for a limited time.
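The failure the two statements describe, a storage area whose access setting let anyone on the internet read it, is a checkable configuration, not an exotic attack. The Python below is an added example, not code from the article, Verizon, NICE or UpGuard. It evaluates an Amazon S3 bucket's policy document, its ACL and its Block Public Access settings (a bucket-level control AWS introduced after this incident) and reports whether the bucket is readable by the public, showing the weak configuration beside a corrected one that grants read access to a single named role. The article says only "cloud storage area"; the S3 assumption is the editor's, and the policy and ACL documents, bucket name, account ID and role name are constructed for illustration.

```python
import json

# Grantee group URIs that S3 ACLs use for "everyone" and "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four S3 Block Public Access settings; the feature only protects a
# bucket when every one of them is enabled.
PUBLIC_ACCESS_BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
                            "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM/S3 policy JSON allows a bare string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal):
    """True if a statement's Principal means 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_doc):
    """Return the Allow statements whose Principal is a wildcard.

    A Condition (source IP, VPC endpoint, ...) may narrow such a grant, so
    those statements are marked 'conditional' for human review rather than
    treated as public outright.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not principal_is_wildcard(stmt.get("Principal")):
            continue
        findings.append({"sid": stmt.get("Sid", f"Statement[{idx}]"),
                         "actions": _as_list(stmt.get("Action")),
                         "conditional": "Condition" in stmt})
    return findings


def public_acl_grants(acl):
    """Return (group, permission) pairs for grants to the public ACL groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def public_access_block_complete(config):
    """True only if all four Block Public Access settings are on."""
    return all(config.get(key) is True for key in PUBLIC_ACCESS_BLOCK_KEYS)


def assess_bucket(policy_doc, acl, public_access_block):
    """Exposed = an unconditional public grant in the policy or ACL that
    Block Public Access does not neutralise."""
    findings = public_policy_statements(policy_doc)
    grants = public_acl_grants(acl)
    blocked = public_access_block_complete(public_access_block)
    unconditional = bool(grants) or any(not f["conditional"] for f in findings)
    return {"policy": findings, "acl": grants, "block_complete": blocked,
            "exposed": unconditional and not blocked}


# ---- Constructed sample inputs (hypothetical, not the vendor's real settings) ----

# Weak: "set the storage to allow external access" in policy form;
# anyone may list the bucket and read every object.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-staging", "arn:aws:s3:::example-staging/*"]}]})

# Corrected: only one named role in one account may read objects.
CORRECTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VendorRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/vendor-ingest"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-staging/*"}]})

WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
    "Permission": "FULL_CONTROL"}]}

BLOCK_OFF = {key: False for key in PUBLIC_ACCESS_BLOCK_KEYS}
BLOCK_ON = {key: True for key in PUBLIC_ACCESS_BLOCK_KEYS}

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_POLICY, WEAK_ACL, BLOCK_OFF)),
                        ("corrected", (CORRECTED_POLICY, PRIVATE_ACL, BLOCK_ON))):
        print(label, json.dumps(assess_bucket(*args), indent=2))
```

Run as-is, the weak configuration comes back with `exposed` true and the corrected one false. A wildcard principal sitting under a Condition is reported for review rather than called public, because a source-IP or VPC condition may make it harmless. The check is deliberately narrow: a clean verdict says the bucket is not world-readable, not that six months of call records belonged in a vendor's staging bucket in the first place, which is the question the due-diligence discussion below is about.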
As companies rely on these vendors more and more, often handing over sensitive data, in-house counsel have to be increasingly concerned about minimizing risks, said Paul Sieminski, general counsel at Automattic Inc., the company behind WordPress.com. "We care a lot about security but it definitely doesn't end with just your own practices," he said. "[Vendors] are responsible for their own security practices and if there is a breach, if they failed in those obligations, they should bear responsibility for it. But you as the customer are responsible for selecting good partners."
Part of that is doing thorough vetting of the vendors that receive a company's data, Sieminski said, to ensure that "they actually have the technical infrastructure in place to handle it."
Another key to the relationship is the contract, Sieminski said. "If you are using third-party vendors, at the top of the things that we vet on the legal side are their contractual commitments to follow good security practices," he said. "And then, what is the allocation of liability and responsibility if there are issues?"
But contracts will only get you so far, he added. "I always feel that we're ultimately responsible for [our data] and when we choose partners, we can't wash our hands of it," he noted. "A user whose account was breached is not going to accept: 'Oh, that wasn't us' [as an excuse]."
Even if a company is not to blame for a breach or exposed information, the company may be held accountable in the public eye, said K Royal, senior privacy consultant at technology compliance and security company TrustArc Inc., who was formerly privacy counsel at medical device company Align Technology Inc. "Attorneys are very worried about this because if there is a breach of the vendor, it's not the vendor that's going to be held accountable, it's the company," she said. Everything from bad press to angry customers and focus from regulators, Royal said, "could destroy a small company and it can cost a large company a whole lot."
While it's all but impossible to completely eliminate the risks, Royal said there are certainly steps in-house counsel can take to minimize them. The biggest one, she said, is to do the due diligence when it comes to vendors, which means investigating potential vendors and regularly following up on those selected. It's also helpful to make sure employees are trained on the issues, she added. And like Sieminski, Royal said it's important to have contracts in place that clearly outline who's accountable for what.
Royal explained that before a breach and "while everything is healthy," in-house counsel should make sure there is an incident response plan in place. It's also wise to forge relationships with, for instance, state attorneys general and contacts in the FBI "so they can give you the expert perspective" on certain hypothetical scenarios, she said.
"Everybody is getting hit more often, but I do think that there is a particular issue with vendors," Royal noted. "I see this becoming a bigger issue because no matter how smart we get at protecting the data, the bad guys are getting better at grabbing it."