Your clients might use third-party vendors to outsource their payroll, HR, IT infrastructure, and all sorts of essential small-business functions. Unfortunately, as Business News Daily reports, this means that multiple companies have access to their sensitive data.
With added access comes added liability – especially for small businesses. Security experts are quick to point out that small business bear the brunt of third-party vendor liability.
Small businesses outsource infrastructure because it's more cost-efficient for a business of their size. But this also means they often don't have the IT security in place to handle vendors that access their data and networks. Before we look at the specific risks vendors can bring, let's examine a recent data breach caused by weak vendor security.
Hack Your Grandma: How a Vendor Caused a Senior Home Data Breach
Assisted Living Concepts is a nursing home company based in Chicago, and recently, its employee data was exposed in a data breach. Who's to blame? The HR contractor who handled the company's payroll.
According to an article on Senior Housing News, a leading industry publication, records for more than 40,000 current and former ALC employees were exposed when the vendor was hacked. The breach involved names, addresses, birthdates, social security numbers, and financial information.
What makes working with vendors so risky? Here are some of the specific risks you and your clients face when hiring vendors.
Vendor Risk: Why Third Parties Expose Your Clients to More Threats
Vendors and third parties hired by your clients increase your data liabilities in four ways:
- Vendors bring their own devices to your office (BYOD liability). If a contractor uses their laptop on your network or a client's network, they're potentially exposing your network to any malware that might be on their device. That is, as they say, risky business. (For more on device security, see The Mobile Future and Why You'll Need E&O in It.)
- Vendor networks can be hacked, exposing your clients' private data. If a third-party vendor stores any of a client's data (employment records, customer information, etc.) on its devices, a data breach at its office could affect your business.
- Accidental disclosures. Working with vendors probably means you'll be transferring data back and forth. If a vendor (or your client) makes a mistake and attaches / uploads the wrong file, they could cause an unintentional disclosure.
- A breach on a vendor's network can lead to a breach on yours. The data breach at Target occurred when malware on its HVAC vendor's computer spread to its own network. This kind of breach is fairly common. Over the summer, numerous news agencies (including The New York Times) were hacked after the vendor that posts links and ads at the bottom of articles was hacked.
Can IT Companies Be Sued for a Vendor Data Breach?
The sad truth is that clients can sue you when a vendor causes a data breach. Here's why you can be held responsible:
- IT companies are liable for any vendors they recommend. If you recommend a cloud-based HR company or other vendor, you can be sued if the vendor is hacked. You are liable for recommendations and the work of subcontractors you hire.
- Security consultants, sys admins, and network designers are responsible for establishing secure network practices. Let's say you’re a system administrator. If you don't design a client's network to allow vendors secure access, you can be liable. You can also be responsible for teaching clients about security threats (like BYOD liability) and making sure they have the right security in place to prevent these kinds of data breaches.
Being an IT professional is, in some ways, like being a security guard. You're responsible for monitoring your clients' security and preventing any break-ins. Those liabilities are increased any time you let third parties access their data or network.
For small tech companies, Errors and Omissions Insurance can cover these network, data, and IT liabilities. For more on E&O coverage and the cost of small business insurance, check out these sample insurance quotes.
