By Seth Jaffe.
Third-party cyber security programs got a shot in the arm this week in the form of two legal actions.
The first, well summarized by Sue Ross over at Norton Rose Fulbright, is a proposed consent agreement by the Federal Trade Commission against mobile phone manufacturer BLU Products, Inc., alleging that BLU’s failure to oversee its vendor’s security practices amounts to a violation of Section 5 of the FTC Act. FTC consent orders generally run 20 years and require adherence to a strict “never-let-this-happen-again” program. Indeed, BLU would have to implement a comprehensive data security program with a biennial assessment and all sorts of compliance obligations. In short, consent decrees come with an operational and monetary sting, and violating one can leave the company staring down the barrel of steep fines (see, e.g., FTC Commissioner Chopra’s memo calling for more serious penalties for violations of consent orders).
The second, as described by Kevin LaCroix on the D&O Diary, is a settlement in the shareholder derivative suit against Wendy’s over a 2016 data breach caused by the compromise of third-party credentials. We’ve seen a number of these derivative suits before, such as against Wyndham, Target, and Home Depot, where a shareholder steps into the shoes of the company and sues the directors. Those earlier suits were unsuccessful; the Wendy’s suit had a different outcome. If adopted, the settlement would have Wendy’s implement remedial and prophylactic cyber security measures, form a cyber executive steering committee, and push cyber obligations down to franchisees. Oh, and pay the plaintiff’s attorneys’ fees of nearly $1M.
Because both cases are settlements, we don’t know what pressure was being applied to the defendants. Perhaps this is the beginning of a shift toward holding companies more accountable for the cyber missteps of their vendors. In the meantime, there are a number of steps companies can take, such as beefing up their contractual security provisions, conducting security audits of vendors, isolating vendor systems on the network, controlling vendor access, and managing logs, to name a few. For a more comprehensive list, feel free to reach out to one of LEO’s experienced CISOs.