Data Breach Confusion: Who’s Responsible When a Third-Party Vendor Is Compromised?

Cybersecurity & Technology

Recently, we had the opportunity to advise some clients who worked with a third-party vendor that maintained custody of personal information pertaining to our clients’ respective end users.  The vendor suffered a data breach in which our clients’ information was exfiltrated.  In the aftermath, some confusion arose over critical questions concerning responsibilities in a breach situation. Who was responsible for communicating that the breach occurred?  Who were the affected individuals that needed to be informed? What information should be included in the notifications?

With data breaches involving third-party vendors becoming increasingly common, having a clear understanding of your responsibilities ensures you're ready to act quickly and decisively in the event of a breach.

What Are My Responsibilities if My Vendor Experiences a Data Breach?

It might seem logical that the vendor should handle breach notifications when something goes wrong on their end. However, it's not always that simple. If your organization collects sensitive information and shares it with a third-party vendor, the general rule in virtually every situation is that the legal obligation to ensure proper notification still falls on the original data collector—you.

That means you must ensure that the appropriate parties are notified in a timely manner when sensitive data, like Social Security numbers or medical information, is compromised.  Even if your vendor has agreed to provide notifications to third parties on your behalf, you are ultimately responsible for making sure the vendor does it properly and in accordance with the law.   

Who Needs to Be Notified When There Is a Breach?

Notification requirements typically depend on the type of information compromised and the applicable legal framework. For example, all states require notification to affected individuals when certain personally identifiable information (such as Social Security numbers, driver's license numbers, or financial account information) is exposed. Federal rules might also apply instead of, or in addition to, the applicable state rules. Additionally, credit monitoring services may be required for breaches involving certain types of data.

In addition to notifying affected individuals, the applicable legal framework(s) might also require notification to regulators, law enforcement and/or credit reporting agencies.  Understanding these requirements will help ensure that your organization complies with legal obligations and protects affected individuals, even if your vendor is handling the notifications.

How Can I Protect My Organization Before a Data Breach Happens?

One way to protect your organization from data breach complications is by addressing the issue before entering into an agreement with a new vendor.

During contract negotiations, include a provision that allocates responsibilities in a breach situation. For example, identify which party will be responsible for notifying affected individuals and other third parties, and which party will provide credit monitoring services, in the event of a breach. It is also worth adding appropriate data security commitments to your contracts with vendors.

If you have questions about how to handle a third-party data breach or other questions related to data security, please contact Bobby Turnage, Jr. or a member of our Cybersecurity & Technology Team.