

August 2017

Third-Party Cybersecurity Strategies Critical to Preparedness

By David F. Katz, Richard D. Smith

American Lawyer Media’s Cybersecurity Law & Strategy

Reprinted with permission from ALM's Cybersecurity Law & Strategy

Understanding third-party service provider relationships and the security risks they present to any organization is an essential element of cybersecurity planning. Bad actors continue to exploit the risks presented by third-party service providers that maintain access to corporate-owned information systems. Over the last several years, companies have found themselves the victims of costly and high-profile data breaches occurring as a result of a third-party service provider’s security failures. See, e.g., In re Target Corp. Data Sec. Breach Litig., 66 F. Supp. 3d 1154 (D. Minn. 2014); In re: The Home Depot, Inc., Customer Data Sec. Breach Litig., No. 1:14-MD-2583-TWT, 2016 WL 2897520, at 1 (N.D. Ga. May 18, 2016).

In an era of ubiquitous data collection, reliance on these third parties for virtually all aspects of the business’s technical operations has become standard operating procedure for many companies. At times, this reliance makes sense, as the provider may be better positioned to reduce risk in providing this service. To that end, the client must have the oversight capability to ensure the provider is successfully managing risk.