Mitigate a company’s liability when a data breach is suffered by a vendor or service provider | Ervin Cohen & Jessup LLP



Big business data breaches have been in the news for some time. In recent years, several companies, including Marriott, Yahoo and Volkswagen, have fallen victim to hackers who have entered a company’s computer network. In some cases, hackers have put confidential company information on the Internet. In other cases, hackers have held company information hostage through ransomware.

While businesses are rightly concerned about the security of their own networks, there is another risk. Recent court cases test the liability of companies and their directors for data breaches suffered by their suppliers or service providers.

This is not surprising since companies often need to share confidential information with their suppliers or service providers. An example that immediately comes to mind is when a company outsources its payroll management to an outside vendor. In this case, the payroll provider will necessarily have the names, social security numbers and other private information of the employees of the company. If the payroll provider experiences a data breach, that private information can be released, causing damage to company employees.

In such a case, it is virtually certain that legal action will be taken not only against the payroll service provider, but also against the company itself. In these cases, the legal action will be primarily based on negligence – the concept that the company did not take due care when selecting the vendor or monitoring the security of the vendor’s computer network.

A recent case in Delaware went further. In this case, Laboratory Corporation of America (LCA) contracted with a vendor to assist with the collection of overdue accounts. The vendor suffered a data breach that resulted in the disclosure of the private medical and financial information of more than 10 million LCA patients. As a result, LCA became the subject of a class action lawsuit brought on behalf of the patients whose personal information was compromised in the data breach.

But LCA’s legal danger did not end there. Following the filing of the class action, a shareholder of LCA brought an action against the directors of the company. In his lawsuit, the shareholder claimed that LCA’s directors authorized the company to provide personal financial and health information to a vendor with poor cybersecurity and data breach detection. The shareholder also claimed that the directors failed to ensure that the vendor was using appropriate cybersecurity measures to adequately secure patient information.

These liability risks mean that businesses not only need to focus on their own cybersecurity and data breach safeguards, but also need to be concerned about the safeguards of their own vendors. Here are some ideas for risk management:

  • Make sure that the definition of “insured computer network” in your own cyber insurance policy includes the networks of your vendors and other service providers. By doing this, you will potentially benefit from protection under your own insurance program against claims for damages resulting from data breaches suffered by your suppliers or other service providers.
  • Make sure that you have cyber insurance and that you have sufficient limits under this insurance policy. This means that the amount of insurance available under this policy will be sufficient to protect the business in the event of a data breach incident.
  • Make sure your vendor or other service provider has its own cyber insurance policy with sufficient limits and that your business is named as an additional insured under that policy. The vendor’s obligation to carry such insurance, and your right to be named as an additional insured under that policy, must be expressly set out in the written agreement between your company and the vendor or other service provider.
  • Require a written agreement between the company and the vendor or other service provider which, among other things, obliges the vendor to defend and indemnify the company from any claims arising from a data breach suffered by the vendor which results in the disclosure of company information or the private or confidential information of company employees. This indemnification obligation must be backed by the vendor’s or service provider’s own cyber insurance policy, with limits sufficient to support the indemnification obligation. The written agreement should also give the company the right to conduct periodic audits of the cybersecurity safeguards of the vendor or service provider.
  • Perform regular cybersecurity audits of your vendor or other service provider to confirm that appropriate safeguards are in place.

Liability for a data breach involving confidential information of a company or its employees cannot be transferred by contract. Since a business runs the risk of being sued if its vendor or third-party service provider experiences a data breach, it should implement the risk management techniques described above.
