United States: Surviving The Service Provider Data Breach

Last Updated: August 2 2019
Article by Edward J. McAndrew

It's summer, and life's a breach. A data breach, that is. It's your service provider's breach, but it involves your (more likely, your customer's) data. So put down the beach reading, for some breach reading.

Service provider cyber incidents have exploded in volume, type, frequency, response time and cost. That makes sense, because the attack surface for most organizations now extends beyond their own networks and devices to those controlled by third parties. From the bad guy's perspective, why hack one organization directly when you can hit a service provider with potentially weaker defenses and the sensitive data of many organizations?

Effective cybersecurity requires organizations to move beyond perimeter defense of their own network to protecting sensitive data in the hands of service providers. If security alone isn't a sufficient motivator, a flood of new cybersecurity laws and regulations now require businesses to bear responsibility for the cybersecurity issues of their service providers. From a security and legal perspective, service provider cybersecurity requires significant attention and coordination by all parties both before and after hitting the breach.

Who "owns" a data breach?

Let's begin with legal responsibility for data breaches involving personal information. Each state's data breach notification law generally applies to all organizations that conduct business in that state and that own, license, maintain, collect, compile, store or manage "personal information" of state residents. A supermajority of states generally define a "breach" as unauthorized acquisition of electronic data that compromises the security, confidentiality or integrity of "personal information" – the legal definition of which varies by state, but continues to grow broader to include governmental identifiers; financial, health, biometric information, and even login credentials to online accounts. All of this means that more data is legally protected – and the "who, what, when, where and how" of a "breach" may reside on someone else's system.

Even though it may be a service provider's system that is "breached," state data breach notification laws (and a number of federal laws) generally require the "owner" or "licensor" of the breached personal information, or the "covered entity," to notify affected individuals and regulators of the breach. A quick review of sample data breach notices published by at least nine states confirms that many reported breaches were of a service provider's system – not that of the covered entity legally required to report the breach.

Under most state and federal laws, the service provider is merely required to notify the covered entity of the incident, and perhaps to cooperate in investigating the incident and notifying relevant parties. This puts the covered entity on the legal hook for incidents that are often beyond its capability to prevent, detect, investigate and remediate. It also makes it very hard for the covered entity to mitigate any harm to affected parties.

Beyond data breach notification laws relating to personal information, the covered entity and service provider's rights and obligations relating to cyber incidents are often defined by contract. Some key terms include: (1) requirements, representations and warranties relating to the implementation of "reasonable" security controls; (2) data governance and security audit and assessment rights/responsibilities; (3) definitions of protected information and of a "breach" or "incident" that triggers contractual rights and duties; (4) notification, investigation and cooperation obligations upon discovery of a "breach" or "incident;" and (5) indemnification and limitation of liability provisions.

Do "reasonable" cybersecurity controls extend to third parties?

Third-party service provider management is one of the hottest areas of cybersecurity law development. For example, federal laws ranging from the GLBA to HIPAA to the FTC Act either expressly require (or have been interpreted to require) that covered entities impose cybersecurity requirements on their service providers, ranging from particular types of administrative, technical and physical safeguards, risk assessments and audit trails, to incident notification, investigation and remediation requirements.

Roughly half of the states now legally require businesses to implement "reasonable procedures and practices" to prevent and respond to cyber incidents. Most do not define "reasonableness," instead effectively regulating by enforcement action and agency guidance. Some states – such as Alabama, Massachusetts and New York (for financial services companies) – prescribe particular requirements of a "reasonable" cybersecurity program. At least nine states expressly extend these requirements to service providers. While some of these states require the covered entity to supervise and contractually require cybersecurity measures of the service provider, others (such as Alabama) statutorily require the service provider itself to maintain reasonable cybersecurity safeguards.

What's the fallout from a service provider breach?

Service provider cyber incidents are legally perilous for both the service provider and the organization that entrusts it with sensitive data. Covered entities generally cannot contract away all responsibility for cybersecurity or cyber incident response. Once an incident is disclosed, both the covered entity and the service provider may become the focus of regulatory investigation, law enforcement inquiry and allegedly aggrieved civil litigants.

Just last month, the FTC settled a data security enforcement action against a SaaS provider that suffered a breach exposing the personal information of about 12.5 million consumers, which the provider was storing for 130 auto dealers. The same company also settled an enforcement action brought by the New Jersey Attorney General's Office as a result of the breach. This spring, HHS OCR published a fact sheet on direct liability of business associates under HIPAA for violations of the security and breach notification rules.

It is often the covered entity that ends up embroiled in regulatory enforcement actions due to service provider data breaches. Last year, for example, a physician group settled a HIPAA enforcement action based on a website service provider's exposure of patient billing data. Various regulators have brought actions against financial services companies for service provider breaches. The FTC has proposed significant revisions to the Safeguards Rule that will implicate cybersecurity oversight of service providers.

Covered entities and their service providers are ending up as co-defendants in data breach class action litigation brought by consumers, employees and others. Covered entities are also suing service providers that cause them cybersecurity related injury or financial loss. Typical claims in cybersecurity-related litigation include negligence, breach of express or implied contract, unfair or deceptive trade practices, and violations of state data security and data breach notification laws.

As of January 1, 2020, we can add the private data breach cause of action under the California Consumer Privacy Act to the mix. The CCPA claim will likely focus on whether a covered "business" violated "the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information [at issue]." Plaintiff's lawyers will undoubtedly argue that various laws, regulatory guidance and industry standards include cybersecurity management of service providers as a fundamental component of "reasonable security procedures and practices."

In both defensive and affirmative litigation relating to data breaches, the interests and strategies of covered entities and service providers may quickly diverge (if they are not diametrically opposed from the outset). This actual or potential divergence is severely complicating the response and investigation processes related to service provider cyber incidents. Instead of focusing on working together to respond to and recover from the incident, all parties are increasingly assuming pre-litigation postures in an effort to minimize their own exposure. "Every man for himself" may be a reasonable litigation strategy, but it is not often the most effective response to service provider cyber incidents.

How to best protect against service provider incidents?

Take reasonable proactive steps to avoid them wherever possible. But cyber incidents happen. Liability results, though, only if the organization acted unreasonably either before or after the incident occurred. Acting proactively to manage risk and being prepared for those incidents that cannot be avoided is therefore crucial to limiting assorted injuries and liability.

Proactive steps

  • Establish policies and practices for managing cybersecurity risk posed by service providers that have access to your systems or legally protected information. Create a matrix of all relevant providers, agreements and provisions for incident response use.
  • Catalog all legal obligations and potential liabilities under statute, regulation, contract and common law in the event of a cyber incident involving legally protected information held or accessible by service providers.
  • Include cybersecurity-related provisions in contracts that hold service providers to any legal standard that you must meet, while shifting liability risk appropriately. Some examples:

    • Appropriate administrative, technical and physical safeguards, such as identity and access controls; data, device, systems and personnel inventories and mapping; encryption of sensitive data in transit and at rest; patching and updating of software and hardware; physical access restrictions; multi-factor authentication for remote access; limited user privileges; frequent data backups; and periodic cybersecurity training.
    • Audit and assessment provisions that allow you to evaluate the effectiveness of the service provider's cybersecurity program.
    • Proof of adequate cyber insurance coverage.
    • Requirement of quick notification upon discovery of an actual or suspected incident impacting your data or systems, along with investigative cooperation requirements.
    • Robust indemnification clauses.
  • Develop an incident response plan that integrates the service provider's incident response team and process for foreseeable service provider incidents (e.g., ransomware/extortion/loss of service; malicious data breach of legally protected information; non-malicious data exposure/leakage; account takeover/financial fraud).

Key service provider incident response steps

  • Activate integrated incident response teams as appropriate for the incident.
  • Execute key containment, remediation and investigative steps based on the incident and known facts.
  • Ensure that relevant evidence is collected and preserved across both controller and service provider environments.
  • Develop and follow integrated response team communications plans.
  • Coordinate all external communications and legally required notifications.
  • To the extent feasible, coordinate on pre-litigation planning and litigation strategy (particularly for motions to dismiss, class certification and discovery issues).

Originally published by The Legal Intelligencer's Cybersecurity Supplement

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
