It’s firmly established that everyone needs to be thinking about cybersecurity these days. The stats are as familiar as they are staggering: an average cost of $4 million per corporate data breach; almost five months spent before the typical breach is detected; four thousand ransomware attacks every day; over $126 billion spent by victims to deal with cybercrime since 2015.
Attorneys are, of course, a tempting target. Law firms are considered “soft targets,” easier to hack than their counterparts in, say, finance or government. They’re also full of sensitive information, whether it’s personally identifiable information, valuable IP, or corporate secrets.
Awareness is finally starting to catch up to the risks. Last month, for example, the ABA issued a formal ethics opinion confirming what seemed obvious to most: cybersecurity concerns may require attorneys to encrypt sensitive communications, in order to prevent inadvertent or unauthorized disclosures. More attorneys are starting to pay attention to cybersecurity risks in the discovery process, and at least one firm has faced a malpractice suit over allegedly lax cybersecurity practices.
This year’s Legalweek West was, understandably, full of cybersecurity exhortations. The keynote address began with a warning from M.K. Palmore, Assistant Special Agent in Charge of cyber security for the FBI’s San Francisco office: “The cyberthreat actor is the most diligent criminal that I have ever seen,” and one attorneys and corporate officers need to be prepared for.
Less frequently addressed, however, is the role of vendors in cybersecurity events—and that role can be significant. In BakerHostetler’s 2017 Data Security Incident Response Report, the law firm found that, of the over 450 incidents the firm worked on in 2016, vendor “wrongdoing” was responsible for 15 percent of successful network attacks. Fifteen percent.
To put that in perspective, employee wrongdoing was behind only 9 percent of successful criminal network attacks.
Third-Party Risks Are Clear, But Many Are Still Operating in the Dark
Third-party vendors are behind some of the biggest data breaches in recent years. Target’s massive 2013 data breach, which compromised the credit card information of over 40 million consumers, was traced back to an email attack on one of Target’s vendors -- a small HVAC company, of all things. The vendor reportedly fell victim to an email malware attack that allowed hackers to steal their passwords. Using the vendor’s credentials, the hackers were able to access Target’s network and consumer data.
The federal Office of Personnel Management hack may have followed a similar pattern. That hack saw personal information of potentially more than 20 million people compromised. A breach at a federal contractor may have given the hackers the credentials they needed to access the OPM’s network and pillage the government’s background check data, information that included everything from names and birthdates to Social Security numbers to security clearance interviews with family members and old roommates.
Yet many businesses are unsure of whether whether their vendors are able to safeguard their information, or even if their vendors would inform them if that information was compromised. A 2016 survey by the Ponemon Institute looked at third-party risks for nearly 600 individuals across multiple industries. It found that 37 percent of respondents didn’t believe that their primary vendors would even notify them if they experienced a data breach involving sensitive and confidential information. That demonstrates a stunning lack of confidence in third-party vendors.
Worse, 34 percent of respondents said their organization had experienced a data breach because of a cyber attack against their third-party vendor, and 30 percent were unsure—numbers that are significantly higher than BakerHostetler’s. And such risks are growing. Seventy-three percent of those polled by the Ponemon Institute said that cybersecurity incidents involving vendors were becoming increasingly common.
It’s Time to Start Asking Tough Questions
The lesson is clear: Legal professionals need to make sure they are managing their vendors. “Organizational obligations regarding data privacy and security extend not only to the data in a company’s possession, but also to its data in the possession of a third-party service provider or business partner,” explains BakerHostetler’s Alan L. Friel in a follow-up “deeper dive” into vendor management. “Outsourcing information processing to a third party, or sharing data with business partners, does not relieve an organization of its privacy and security obligations.”
Anyone handling sensitive data (businesses, lawyers, pretty much everyone) needs to understand who their vendors are and how they interact with their data. The BakerHostetler report offers ten questions you should ask to understand how your data is being shared and protected, questions like:
- Does your vendor have an incident response plan? Have they shared it with you?
- Are the standards you set likely to become quickly outdated?
- How are your vendors audited or monitored?
- Are you ensuring that your vendor contracts include provisions on confidentiality, limitations on usage and transfer, and processes to govern information disposal?
In his follow up, Friel goes even further, listing over two dozen points to consider when developing a vendor data protection program, covering everything from the role of RFPs to the application of force majeure carve-outs.
If you deal with vendors, these are key questions you should be keeping in mind. If you haven’t been having these conversations with your vendors, now’s the time to start. Just like legal professionals can not ignore cybersecurity concerns generally, they can no longer afford to bury their heads in the sand when it comes to the vendors’ data security processes.