Questions to Ask After a Vendor Data Breach
What to ask your vendor after a breach
After a data breach by a vendor, people want to know “Who is responsible for the breach?” It turns out both parties may be subject to liability after a data breach. This liability is based on a number of factors, including the agreement between both parties as to how the data will be managed.
But after a data breach, there are a myriad of questions to ask. In this blog, we will examine the top questions to ask after your vendor data breach.
Get ahead of the breach
Before storing and exchanging data with third parties, ask questions of your vendors to determine the risk associated with their data management practices. Choose vendors who have risk scores appropriate for the nature of your data. Throughout the year, conduct regular checks by outside parties to audit data privacy and security. Global enterprises rely on our company, CybelAngel, as an outside party to assess the data security of their strategic third parties.
In the infographic to the right, see the top questions to ask after a vendor data breach. For best results, run through these questions from top to bottom. Ideally, you’d like to stop a data breach before it can damage your organization. Have your Incident Response Plan and Communications Plan ready to execute before a data breach occurs.
1 – Immediate questions to ask after a vendor data breach
An InfoSec Team faces multiple pressing issues after a data breach. It’s difficult to choose a course of action. Of first and primary concern is the need to size up your enemy. What kind of threat are you facing and can they still do damage to your organization? Ask these questions immediately after a data breach:
- Are attackers still present?
- Have we stopped the data breach?
- How did they access our IT environment?
- What was the motive for the attack?
- Was the leak intentional or caused by negligence?
- Who was responsible?
After you size up your threat, then you need to define the scope of the data breach.
2 – Scope of data breach
Sometimes there is a data leak, but it’s not yet a breach. This means, no one has exploited the data; although it is freely available on the web. In this case, the priority is remediating the leak by securing your data. Ask these questions to determine the scope of the data leak:
- What is the scope of data leak?
- Did a data breach actually occur?
- Was data compromised and exploited?
- What type of data was stolen?
- Is the incident a violation of a privacy regulation such as GDPR, HIPAA, CCPA, et al?
Once you’ve identified that an actual breach has taken place, you need to determine which data was stolen and how it is being used. The type of data stolen will inform the scope of the data breach. Is it in violation of standards set for GDPR (General Data Protection Regulation), PCI (Payment Card Industry) or HIPAA (Healthcare Insurance Portability and Accountability Act), et al.
3 – Legal liabilities
After you know the scope and type of your data breach, you must ascertain your potential legal liabilities, including fines, lawsuits, and other costs that may arise from the data breach. Ask these questions:
- Have we alerted outside counsel who specialize in data privacy law?
- Have we researched our legal obligation to notify affected parties of the breach?
- Who is affected by this data breach; and have we alerted the parties or people affected?
Some companies have cybersecurity insurance to protect against data breaches. With data breaches on the rise, it’s no surprise that CISOs and CFOs now have the painful job to forecast lost equity and costs from future data breaches.
4 – Communication and encryption
You will want to make sure your company has a defensible path to prevent future data breaches. From that plan and your Incident Response Plan, your Crisis Communications Plan can be updated and executed. Ask these questions:
- How do we roll out our Incident Response Plan? Have we set a defensible path?
- Have we executed our Crisis Communications Plan?
- What about encryption? Should this data that was breached be encrypted at rest and in transit?
Encryption plays a critical role to prevent data breaches. Consider whether the type of data breached needs to be encrypted at rest — and in transit. Encrypting sensitive data can help to alleviate concerns among your vendors of similar data breaches in the future.
Proactive steps to prevent data breaches
The risk of a major data breach is significantly higher than in past years. Digital transformation initiatives and migrating to the cloud have jettisoned data far beyond the corporate security perimeter and placed it at great risk. To secure data, take proactive steps and use an enterprise-grade platform to detect your data leaks anywhere they occur on the web, including your third-party vendor sites.
When you face the task of remediating and reporting data breaches, remember to ask the right questions. If your company is concerned about the security of its data on third-party sites, get our free data exposure dashboard to find your data leaks. You will be surprised to find what data is freely accessible through your vendor network.
To stay ahead of hackers, use CybelAngel to prevent data breaches.Because data leaks are inevitable; but damage is optional.