The United States has 328 ports of entry. Each day more than 1 million individuals enter or leave the country; their movements and identities are recorded for U.S. Customs and Border Protection (CBP) to use under a strict data policy that stresses use limitation and information security. Despite the CBP’s stringent precautions, the agency announced on June 10 that a data breach had occurred at one border crossing, exposing digital images of travelers and their license plates collected over the span of 90 days. The exact port of entry has not yet been identified, though officials acknowledged that it was along the Canadian border.
The attack was systematic and targeted, focusing not on CBP’s networks, but rather on the subcontractor that operated the border cameras. CBP did not name the subcontractor, but a UK website, The Register, identified the hacked company as Perceptics, noting that some travelers’ information had been made freely available on the dark web. An article in the New York Times, however, stated that neither the name of the subcontractor nor the presence of hacked data on the dark web had been substantiated. CBP asserted that the subcontractor violated security protocols by transferring images to its company network without the agency’s authority and in violation of agency policy.
While far from the first data breach of a government agency, this incident shows how third-party subcontractors can expose their partners to potentially unanticipated risks. The liability lies with the organization that contracts with the vendor, even if the incident occurs solely on vendor or subcontractors’ networks, as in the case of the border data breach, which did not expose data on CBP’s own network.
“Outsourcing certain business services or data or security does not absolve you of the risk. You are still responsible for the protection and integrity of that information,” explained David Derigiotis, Certified Information Privacy Professional, Corporate Vice President and National Professional Liability Practice Leader, Burns & Wilcox, Detroit/Farmington Hills, Michigan. “You are the ultimate data owner, and a partner’s cyber incident, breach, or privacy violation could have a ripple effect on you as a business.”
The consequences of an attack on third-party vendor systems can be widespread. Two of the largest clinical testing laboratories, Quest Diagnostics and LabCorp, are currently embroiled in investigations and lawsuits relating to a data breach at American Medical Collection Agency (AMCA), a medical billing collection vendor used by both companies. The data breach included demographic and financial data—and in the case of Quest, Social Security numbers—and may have affected up to 20 million patients. Attorneys general from Illinois and Connecticut are launching an investigation into the attacks, focusing not only on AMCA but also on LabCorp and Quest Diagnostics. On June 6 it was revealed that over 400,000 patients’ data from OPKO Health subsidiary BioReference was also exposed during the AMCA breach, prompting an investigation by Michigan’s attorney general. U.S. Senators from New Jersey, Cory Booker and Robert Menendez, are also launching inquiries that include all involved companies, due in part to the duration of the data exposure, which began in August 2018 and continued to March 2019.
On June 18 Bloomberg reported that Retrieval Masters Creditors Bureau Inc., AMCA’s parent company, had filed for Chapter 11 bankruptcy protection, illustrating the devastating business consequences of its massive data breach.
Third-party data vendors are especially vulnerable to cyberattacks
Third-party vendors play a vital role in the supply chains of larger companies. Hackers target security gaps at smaller companies to gain access to the larger companies’ stores of valuable private data. While larger companies often have complex, multilayered security protocols in place, the smaller companies that handle their data may not.
Exacerbating the problem is larger companies’ tendency to ignore the threat; only 15 percent of organizations have taken basic steps to protect against data breaches via their third-party vendors, according to a recent security survey. While government agencies like CBP have complex federal regulations guiding the use and handling of their data, it is difficult to ensure that smaller companies follow these guidelines. Defense Department contractors, for instance, must abide by the National Defense Industrial Association Regulation Supplement, yet in a recent survey, less than 60 percent of small and medium-size defense contractors indicated they were familiar with the terms outlined in the supplement.
Taking control by mitigating exposures
Concerns about third-party vulnerabilities are a result of the interconnected nature of business today. What affects one company may quickly impact others in its supply chain. “To be truly interconnected makes it very easy for people to access and use your shared information,” said Neil Gurnhill, CEO, Node International, London, England, a provider of digital, cyber and technology risk insurance solutions. “As a business owner, you are completely at the mercy of that third party.”
The insurance industry has developed specialized solutions to help businesses manage their data security risks. Cyber and Privacy Insurance coverage addresses data security threats by providing policies that are both responsive and protective, including relief for losses associated with viruses, privacy violations, hacking and business interruption, as well as supporting policyholders’ digital and cybersecurity measures.
Cyber and Privacy Insurance coverage differs from some other types of insurance, Derigiotis noted, in the breadth of resources it provides. “Before a lawsuit is filed, these policies offer value,” Derigiotis explained. “You need to figure out right away what happened: what information was accessed or acquired; how long has the network been compromised; what are the privacy implications; and who should be notified. Cyber and Privacy Liability Insurance can help with all of that.”
Coverage provided through Cyber and Privacy Insurance policies includes helping affected companies navigate data privacy rules, laws and regulations. The sprawling reach of the internet can complicate matters, particularly when it comes to safeguarding users’ privacy, which is stringently protected in Canada and the European Union. While there are also U.S. regulations governing data privacy, the protections are less stringent than in other developed countries. Understanding the applications and implications of regulations is essential to providing robust protection, explained Nathan Rose, Senior Underwriter and Business Development Specialist, Burns & Wilcox Canada, Vancouver, British Columbia. “The focus should be on making (regulatory compliance) part of the insured’s risk-management process, rather than waiting for mandatory breach notification under Canadian or U.S. law.” Derigiotis affirmed that Cyber and Privacy Insurance can be particularly helpful in guiding policyholders’ compliance with the complex array of laws and regulations.
Vendors and contractors can protect themselves
Cyber and Privacy Insurance policies can also cover attacks on policyholders’ data that occur via a third-party vendor. “If your vendor exposes data, your policy can respond to that,” Derigiotis said. Coverage can include Contingent Business Interruption or System Failure coverage as well. Such coverages can apply when an incident occurs within a vendor company and in turn impacts your business, even if the incident does not involve your data or property directly. System Failure protects against unintentional and unplanned outage of an insured’s computer systems. “If one of your third-party vendors is taken offline by a security incident,” Rose explained, “most good Cyber and Privacy Insurance policies should provide that Contingent Business Interruption coverage to keep you going while your vendor is offline.”
Vendors are well served by investing in their own Cyber and Privacy Insurance policies, as doing so protects them properly and increases their marketability to larger partners. “We are certainly seeing a shift in contractual requirements within this space, including stipulations that different vendors and individuals need varying levels of Cyber and Privacy Insurance,” Gurnhill said. Given hackers’ active targeting of supply chain vendors, these businesses can also benefit from the breadth of protections afforded by their policies. “Any (business that) touches data or operates online should have Cyber and Privacy Insurance,” Derigiotis said.
Vigilant cyberattack prevention is vital
Having coverage in case of a cyberattack is invaluable; however, preventing an attack from occurring is better yet. Cyber and Privacy Insurance aids preventive efforts as well. “Some of the best policies and carriers will provide resources before there is an incident,” Derigiotis said. Such resources include security training for associates and assistance drafting incident response and data management plans. “(These proactive protection measures) will help harden an organization’s security posture and reduce their risks.” Other resources provided by Cyber and Privacy Insurance policies include assistance from legal and technical experts to help policyholders achieve regulatory compliance or restore data and systems following an incident. “The Cyber and Privacy Insurance policy gives you access to a (broad range) of resources to get you back up and running,” Gurnhill said. “These resources can save businesses.”