A recent data breach involving U.S. Customs and Border Protection information has brought further scrutiny to an agency beset by controversy.
Even more significant, however, is that the CBP data breach has focused attention on the cyber-security risks surrounding third-party subcontractors.
According to a CBP e-mail shared with news outlets, the breach involved thousands of images of license plates and traveler IDs collected from border crossing stations. CBP claimed one of its subcontractors breached its obligations to CBP by transferring copies of these images from federal servers to the subcontractor’s own network in violation of CBP policies, the contract, and without CBP’s knowledge or consent.
The images were apparently stolen when the subcontractor’s network was compromised, but no CBP systems were compromised.
Although CBP declined to name the breached subcontractor, a document shared with news outlets by CBP was entitled “CBP Perceptics Public Statement.” It therefore appears that Perceptics, a well-known vendor of license plate readers with a 35-year relationship with CBP, may be the subcontractor in question.
All of these revelations come fresh on the heels of several laboratory companies filing SEC disclosures related to a large data security incident involving a different third-party subcontractor. The risks of sharing critical data with, or making it available to, third parties have likely never been more pronounced.
Given the information CBP has provided about the breach, the investigation of the breach will likely include trying to identify the root cause and the threat actors. In addition to trying to find the bad guys, there will likely be an internal review of where government safeguards failed. For example, the data and management systems involved may implicate the Privacy Act of 1974 and the Federal Information Security Modernization Act (FISMA).
The subcontractor here can face a more daunting panoply of consequences, starting with debarment from government contracts and other government sanctions, potential civil liability to the government and to individuals, and, if the misrepresentation, concealment or acquisition of the data was done with the requisite intent, potential criminal sanctions.
While CBP may bear some liability here, the catastrophic consequences will largely roll downhill if the subcontractor violated its data sharing understandings with the government. Invariably, the subcontractor may try to make the case that CBP itself tacitly approved the conduct, and therefore that CBP should bear the brunt of the responsibility. If that goes poorly, bankruptcy may become necessary.
Under current law, a data owner is potentially liable for losses resulting from a data breach under a negligence theory, even if the security failures are the fault of the third-party data vendor.
For example, shareholder and third-party civil lawsuits are common when cybersecurity standards, breach responses, and/or disclosures are deficient. In addition, all states require notification to customers, and in some cases regulators, if certain data breach standards are met.
Further, there are financial and reputational costs associated with internal and external breach investigations, identity theft protection, and remediation efforts that are frequently borne by the data owner.
CBP and law enforcement continue to monitor the dark web for possible sale of the stolen images. There could in fact be many motives for this hack. We have previously seen nation-states acquire government-held personal information for their own intelligence purposes, as seen in the Office of Personnel Management hack.
Here, the information could also be sought by any number of threat actor groups with differing objectives, such as identity theft, social engineering fraud, social activism, and corporate espionage. Exploiting stolen personal information can be a lucrative pastime, but there has to be a demand for the data, and here the market may be smaller given the specialized nature of the stolen images.
Data owners should take several steps to mitigate third-party subcontractor risks. At a minimum, they should conduct cybersecurity due diligence on the data partner. Data owners should aim to show that they are conscientious and require high standards for their own cybersecurity as well as those with whom they contract.
Many data sharing relationships are also governed by some form of Data Protection Agreement that outlines required privacy and security practices, including compliance with third-party audits and industry standard security protocols. Some go further by providing external audit rights and reporting requirements. Data owners should periodically exercise these rights in order to remain comfortable with a potential data partner.
Moreover, the services agreements with third-party data processors can explicitly address liability, through representations, indemnification obligations, and/or limitations of liability.
Agreements may similarly require data vendors to meet specific insurance requirements. While insurance cannot prevent such an incident, requiring and maintaining appropriately scoped cyber-insurance is an important component of dealing with first- and third-party liability.
Third-party data partners are essential in today’s economy, but it still pays to trust but verify.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Aloke Chakravarty, partner at Snell & Wilmer, is the co-chair of the firm’s Investigations, Government Enforcement and White Collar Protection practice group. He represents corporations, boards of directors and corporate management with a broad range of preventative services in the event of crisis, security vulnerability and liability, government investigations, enforcement actions, internal investigations and white collar assistance.
Tony Caldwell, associate at Snell & Wilmer, helps clients navigate complex issues with law and technology. His day-to-day practice focuses on commercial transactions and contracting matters, including issues related to licensing, manufacturing, supply chain, intellectual property, data use, privacy and security, collaborations, mergers and acquisitions, and technology transfers.