Cravath, Swaine & Moore took the rare step last week of publicly acknowledging its computers were breached this past summer, putting it in the headlines.
As might be expected, the firm declined to discuss how or if it notified clients about the incident. If clients only learned about the breach through press reports, it may not be that surprising.
According toa survey released Monday, many companies are concerned that they’re not being notified when their vendors experience a data breach. Recent news of the breach at Panama law firm Mossack Fonseca is adding fuel to the fire.
About 600 individuals familiar with how their companies manage cyber security participated in the survey, which was conducted by the Ponemon Institute and sponsored by the law firm BuckleySandler and the compliance company Treliant Risk Advisors.
It found that most companies rely on contractual agreements rather than audits to assess the security practices of third-party vendors.
The legal department is most likely to be responsible for ensuring that privacy safeguards are included in contractual agreements. But responsibility for making sure that third party vendors are living up to contractual obligations is decentralized. Any number of department heads — from the general counsel, chief information security officer, chief risk officer, head of procurement to others — may have responsibility for ensuring sensitive data residing with vendors is protected.
“What we’re seeing here is there’s no one person who’s accountable — it’s diffuse,” said Rena Mears, a managing director focused on cybersecurity at BuckleySandler.
But Mears said the legal department is “the first line of defense,” noting 61 percent of survey respondents said their company relies on contractual agreements to obtain visibility into their vendors’ data practices. Specifically, the respondents said this is how they know if their vendors have shared their information with another vendor.
“I think that it is entirely possible that the general counsel or the legal department will become more and more integrated into third-party management,” she said, adding that managing third-party cyber risk is still an “immature” process at most companies.
In the meantime, 37 percent of the survey respondents said they did not believe a vendor would notify their company if it experienced a data breach and their sensitive or confidential information was compromised. Seventy-three percent said they did not believe their vendors’ vendors would notify them in the event of a data breach.
The respondents came from multiple industries and were all from companies with a vendor data risk management program and were familiar with how their company manages data risk created through outsourcing.