
Mitigating Potential Risks and Liabilities from Data Breaches

Data Breaches and Their Consequences
Non-compliance with cybersecurity laws, rules and regulations that results in a data breach triggers fines, penalties, criminal prosecution and imprisonment. Beyond these, further liabilities lurk in the form of claims for material and/or non-material damage brought by the consumers affected by the leak. Taken together, the liabilities can be staggering.

Reliance on Third-Party Vendors (TPVs) and Related Potential Risks
Service providers necessarily appoint TPVs to deliver services which they rely upon but are not equipped to perform themselves. Illustration: a festive fun-fair organizer appoints a TPV to facilitate online payment for those attending. In the course of providing its services, the TPV gains access to users' credit/debit card details and the bank accounts linked to them. This creates a potential risk of a data breach. It is pertinent to note that this risk is (a.) beyond the direct control of the service provider and (b.) directly attributable to any deficiency or flaw in the services the TPV provides to the service provider.

The Mechanism of Shifting…
Bearing in mind that the risk emanates entirely from the TPV, a service provider is well within its rights to (a.) first apportion the risk that is directly attributable to a deficiency or flaw in the services the TPV provides to it, and thereafter (b.) contractually shift that apportioned risk to the TPV.

Contract of Indemnification
It is relevant to note, however, that what shifts to a TPV is only the financial burden, not the primary liability of the service provider itself: the service provider remains the party answerable to regulators and to affected consumers. Shifting is merely a mechanism through which the service provider's financial exposure can be controlled and mitigated.

Unambiguous and Watertight Contract of Indemnification with the TPV
To be effective, the contractual terms that (a.) identify the risk attributable to a TPV and (b.) define the circumstances in which a service provider may seek indemnification from the TPV must be explicit and not open to interpretation. Properly drafted, such terms enable a service provider to recover from the TPV any liability arising from a deficiency or lacuna in the services the TPV provided.

Other Measures
Service providers should periodically meet with their TPVs and review the existing contracts. They should also ensure that each TPV carries cyber insurance adequate to cover the liability shifted to it; an indemnity is only as good as the indemnifier's ability to pay.