MSSPs, Be Warned: You Can Be Liable for a Client’s Data Breach
Kathy Winger, attorney at the Law Office of Kathy Delaney Winger, will help partners and MSSPs understand their own liability when a client incurs a data breach, and what to do to protect them both.
She’s giving this timely and in-depth talk, “Cybersecurity and Data Breaches From a Business Lawyer’s Perspective,” as part of the business strategy conference track sponsored by Nextiva, April 10, at the Channel Partners Conference & Expo in Las Vegas.
Channel Futures’ MSSP Insider talked to Winger ahead of her presentation to get her thoughts on some of the new liabilities for partners, MSSPs and their clients. We edited her answers for length and clarity.
Channel Futures’ MSSP Insider: Data breaches are common, unfortunately, so everyone is interested in hearing how best to protect themselves legally from liability. I know you’ll cover more in your presentation, but as a preview, what are a few steps channel partners and their customers should take before, during or after a data breach?
Kathy Winger: Before a data breach occurs, there are a wide range of actions that business owners can take to help protect their electronic data. From a legal perspective, businesses must be able to establish that they took commercially reasonable measures to prevent a data breach.
These measures can vary depending on the size of the business, the amount and type of data it possesses and the manner in which it uses that data. Nonetheless, commercially reasonable measures typically involve what security experts refer to as “best practices,” which include things like securing wireless networks, using antivirus software, backing up critical data and educating employees about cybersecurity.
Once a data breach occurs, businesses have a duty to carefully investigate its cause in a timely fashion and comply with various legal obligations, such as providing notice of the breach to affected parties and reporting the breach to regulators. It’s wise to involve a lawyer who is well-versed in cybersecurity in the process as soon as possible. After a breach has occurred, businesses must take whatever measures are necessary to help ensure that it does not happen again.
Hear from Winger and 100+ industry-leading speakers at the Channel Partners Conference & Expo, April 9-12, 2019, in Las Vegas.
CFMI: Third-party risks are a hot topic in security these days. But what liability do third-party providers like channel partners face?
KW: In the cybersecurity arena, third-party risk typically involves vendors (i.e., the third parties) that businesses hire to perform services. If a business shares its electronic data with a vendor and the vendor experiences a data breach, both the business and the vendor can be held liable for the breach. Because of this, businesses must choose vendors carefully and ensure that their vendor’s data security practices are as good as or better than their own.
Vendors, on the other hand, should not be surprised if their business customers require them to prove that they have implemented and follow good cybersecurity practices. Moreover, because of this distribution of liability, businesses and vendors often must address …