The Accellion breach led to personal data from universities, governments, and multiple global companies, including telecom providers, law firms, and banks, being exposed and exploited. Wired has described the fallout as an “extortion spree”.
Last month, we discussed how companies can reduce the cost of data breaches. In this Weekly Brief, we outline 3 tips to reduce the risk third-party providers pose to your business data:
1. Implement Data Minimization Wherever Possible.
Data minimization comes in many forms but it essentially means that your business should collect, store, access, and use only the data you need for your operations. Avoid collecting or keeping data “just in case” you might have a use for it in the future. Remember, the less data you have, the less data you can lose.
You can embed data minimization practices into your relationships with third-party vendors in a number of ways, including the following:
- Minimize the number of locations your data is stored. Wherever possible, require that your vendors access the personal data you hold as and when they need it, instead of transferring all the data to them in bulk for them to store. This minimizes the likelihood of your data being affected if they experience a breach.
- Use pseudonymisation or anonymisation if possible. Consider whether your vendors need access to the raw data in order to do their work. If not, consider pseudonymizing or anonymizing the data they will use. This reduces the risk of your data being identifiable if it is accessed by anyone who isn’t authorized.
2. Practice Ongoing Evaluation of Your Providers.
The Accellion FTA product, which was the target of the breach, has been relied on by Accellion clients for decades to safely transfer large sensitive files. However, Accellion has been planning to retire the FTA product and clients have been encouraged to migrate to its newer product, Kiteworks, for about three years. We’d predict that some of its clients became complacent, knowing that past transfers through the FTA product had taken place without issue and consequently ignoring Accellion’s recommendations to migrate and failing to assess whether Accellion and the FTA product were still the best option available.
Cyber risk is dynamic, with new threats emerging continuously. You can’t assume that what worked last time is your safest option this time. The lesson here is to avoid settling for what has worked in the past. Routinely evaluate your service providers, as well as their competitors, to ensure your third-party vendors are the best choice.
Also, if your third-party provider is requesting that you update to a newer, more secure system, it’s best to heed their warning.
3. Embed Contractual Protections for Your Organization.
Your third-party vendor contracts can provide crucial protections for your organization. Be sure that your contract lays out your expectations with respect to how you want your data used and protected. Specifically, you can include the following protections:
- Make maintenance of particular security standards a key provision in your contract, where failure to maintain those standards constitutes a breach of contract.
- Require that the vendor indemnify you in the event they experience a breach. This will minimize the financial repercussions of a breach, but won’t mitigate harm to your reputation.
- Embed requirements for routine audits in your contracts.
If you need assistance with reducing your organization’s data privacy or security risk, reach out. We’re here to help!
Disclaimer
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
