In the immediate aftermath of the May 7, 2021 Colonial Pipeline ransomware attack, the focus, naturally, is on the rush to get the pipeline back online after identifying and patching any vulnerabilities that caused the incident. When this crisis passes, and before the next inevitable ransomware attack on a high-value target, the Colonial Pipeline ransomware attack should serve as a cautionary tale for any business that outsources control of its data to third parties. Colonial Pipeline is a private company that assists the US government in supplying nearly half of the East Coast’s oil and gas. The government outsourced its energy operations to this private company, and in doing so, relied on Colonial Pipeline to protect it. The Colonial Pipeline attack exposed a blind spot in the government’s reliance on third parties to manage its operations of critical infrastructure.
Outsourcing data or data-related tasks to third parties, service providers, or even cloud storage companies is common for most businesses. The risk of such outsourcing of data is that it opens additional windows of vulnerability or avenues for attack.
If a data breach, ransomware attack, or other catastrophic data loss compromises a company’s data, that company will still be responsible for the consequences: lawsuits, regulatory actions, civil penalties, fees, and costs. Most state data protection statutes do not shield companies that outsource collection, control, or use of data to third parties from liability.
Public and private sector companies must be selective in hiring vendors to manage their data and must stay vigilant once they have transferred data to a third party. Before signing any agreement with a third-party vendor, the company must familiarize itself with the vendor’s data collection, retention, and security policies and procedures. Companies should also insist on reviewing the vendor’s breach notification and response policies and cyber insurance coverage, and insist that vendors promptly report any incidents that might implicate the company’s data or any changes to internal policies that might affect the vendor’s data security.
Companies should negotiate aggressively with their third-party data vendors. Most standard vendor contracts are vendor-friendly. Vendors will often attempt to limit their liability for consequential damages, or to limit it to only a certain subset of the costs incurred in data incidents. Vendors may also attempt to set caps on liability altogether, often limited to the amount of fees the company has paid to the vendor.
Even after signing the contract, companies should adhere to the old adage, “Trust but verify.” Companies should not be complacent and assume that vendors are adhering to best practices. Companies should conduct routine audits of vendors’ compliance and data policies and procedures. Blindly trusting vendors may prove to be far more costly than the time and expense of reasonable oversight of those entrusted with a company’s most critical information.