DoorDash followers were served a bit of a harrowing blog post Thursday.
The food delivery service alerted people to “unusual activity involving a third-party service provider” resulting in unauthorized third-party access to user data. While any number of companies have been through this drill before, this latest data incident serves as a reminder that not only do companies need to mind their own cyber-security—they also need to keep an eye on the data protection practices of their third-party vendors.
“Attackers don’t always use the front door to acquire data from an organization,” observed Jose Ramos, a senior principal consultant at ACA Aponix. Instead, bad actors “often look for the weakest link,” he continued. “Many times, this is a provider who has access to sensitive data.”
Indeed, those third parties might be even more alluring to cyber-criminals than their well-secured customers are. “Hackers know they can maximize their investment of time and exploits by targeting vendors, because one successful vendor hack can provide access to a range of clients as to which the vendor has sensitive access or data,” explained Luke Dembosky, a partner at the law firm Debevoise & Plimpton and co-chair of its cyber practice.
In this particular instance, as of this writing, DoorDash opted not to identify the third-party service provider that appears to have had poor cyber hygiene. While DoorDash’s customers, drivers, and even its other vendors may be anxious to learn the identity of the third party, the company might actually have good reasons for shielding its vendor for now.
“Oftentimes in situations involving a breach and a third-party service provider, there are disputes over who is responsible and the degree to which one party is more responsible than another,” said Stephen Reynolds, a partner at the law firm Ice Miller. “While I do not know the specifics of this instance,” he continued, “it is possible that if DoorDash named a third party as responsible, that third party would respond with finger-pointing of its own.”
That is a showdown that may best be avoided until more is known about what happened. “This is going to be only the beginning for DoorDash,” observed Joshua Mooney, a partner at the law firm White and Williams and co-chair of its Cyber Law and Data Protection Group. The data incident could ultimately trigger a consumer lawsuit or a government investigation, in which case it is quite possible that “these two entities are going to want to cooperate together and they could form a joint defense team,” Mooney noted.
You say ‘breach,’ I say ‘data incident’
Although a number of mainstream media outlets described what transpired at DoorDash as a breach, DoorDash’s own announcement used somewhat less alarmist nomenclature to explain that profile information, the last four digits of credit card numbers, and the last four digits of bank account numbers belonging to 4.9 million consumers, “Dashers” (delivery drivers), and merchants who joined the platform prior to April of last year had been accessed.
While DoorDash’s chosen verbiage may reflect a concerted effort to minimize any hysteria, whether what happened actually is appropriately labeled a “breach” “is going to depend on the jurisdiction that you are in,” cautioned Kenneth Dort, a partner at the law firm Drinker Biddle.
“Under certain laws, information that is only accessed and not acquired may not be a breach,” Dort explained. Yet, in other jurisdictions, mere access of data is considered to be a breach, he said, pointing to the recently enacted New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act as an example. “When that goes into effect in March, simply accessing information will be deemed a breach of security for notification laws,” Dort said. Right now, though, an actual acquisition of data must be shown for an incident to be deemed a breach, Dort noted.
A dose of prevention
No matter how the DoorDash mishap is labeled, it serves as a reminder to monitor third parties. “Oftentimes companies overlook or fail to appreciate the security risks posed by third-party vendors,” Reynolds said. “Doing due diligence with regards to these vendors and drafting contractual language that imposes specific data security obligations on vendors can mitigate some of the third-party vendor risk,” he explained.
“Vendor management can be daunting for anyone, but particularly challenging for businesses that lack resources for this task (and everyone has limited resources),” noted India Vincent, a partner at the law firm Burr & Forman. “Do not give vendors more data than they need to do their job and limit any direct access the vendor has to the business systems,” she cautioned. Once the vendor has the data, “confirm the vendor has and follows proper procedures to protect the data as well as to respond to any data incidents,” Vincent suggested.
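The “do not give vendors more data than they need” advice above is easy to state and easy to forget once an export job is written. The following is an added illustration (not DoorDash’s code, nor any vendor’s) of how an engineering team can enforce it mechanically: every field the business holds is catalogued with the most it may ever be shared as (raw, last four digits only, or never), each vendor gets an explicit allowlist tied to a stated purpose, and the export routine refuses to run if a vendor policy asks for a field outside the catalogue or one marked as never shareable. The records, vendor names and field names are constructed sample data.

```python
"""Data-minimised vendor export: release only the fields a vendor needs.

Added illustration; the field catalogue, vendor policies and records below
are constructed sample data, not taken from any real system.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Catalogue of fields the business holds, with the strongest form in which
# each may ever leave the business:
#   "raw"   -> may be shared as stored
#   "last4" -> only the last four digits may be shared, the rest masked
#   None    -> must never be shared with any vendor
FIELD_RULES: dict[str, str | None] = {
    "user_id": "raw",
    "name": "raw",
    "email": "raw",
    "delivery_address": "raw",
    "card_number": "last4",
    "bank_account": "last4",
    "password_hash": None,
    "drivers_license": None,
}


class PolicyError(ValueError):
    """Raised when a vendor policy asks for more than the catalogue allows."""


@dataclass(frozen=True)
class VendorPolicy:
    vendor: str          # hypothetical vendor name
    purpose: str         # why the vendor needs the data (kept for audit)
    fields: frozenset[str]


def mask_last4(value: str) -> str:
    """Keep only the last four digits; everything else becomes '*'."""
    digits = re.sub(r"\D", "", value)
    if len(digits) < 4:
        raise ValueError("value has fewer than four digits")
    return "*" * (len(digits) - 4) + digits[-4:]


def validate_policy(policy: VendorPolicy) -> None:
    """Reject policies that request unknown or never-shareable fields."""
    unknown = policy.fields - FIELD_RULES.keys()
    if unknown:
        raise PolicyError(f"{policy.vendor}: unknown fields {sorted(unknown)}")
    forbidden = {f for f in policy.fields if FIELD_RULES[f] is None}
    if forbidden:
        raise PolicyError(f"{policy.vendor}: fields never shareable {sorted(forbidden)}")


def build_vendor_export(records: list[dict[str, str]], policy: VendorPolicy) -> list[dict[str, str]]:
    """Produce the rows a vendor receives: allowlisted fields only, masked as required."""
    validate_policy(policy)
    export = []
    for rec in records:
        row = {}
        for name in sorted(policy.fields):
            if name not in rec:
                continue
            row[name] = mask_last4(rec[name]) if FIELD_RULES[name] == "last4" else rec[name]
        export.append(row)
    return export


# Constructed sample records (fictional people and numbers).
SAMPLE_RECORDS = [
    {"user_id": "u-1001", "name": "A. Example", "email": "a@example.test",
     "delivery_address": "1 Main St", "card_number": "4111-1111-1111-4242",
     "password_hash": "$2b$12$notreal", "drivers_license": "X1234567"},
    {"user_id": "d-2002", "name": "B. Dasher", "email": "b@example.test",
     "bank_account": "000123456789", "password_hash": "$2b$12$notreal2"},
]

# Two hypothetical vendors with different, narrowly scoped needs.
ROUTING_VENDOR = VendorPolicy("route-optimiser", "delivery ETA modelling",
                              frozenset({"user_id", "delivery_address"}))
PAYMENTS_VENDOR = VendorPolicy("payments-recon", "chargeback reconciliation",
                               frozenset({"user_id", "card_number", "bank_account"}))

if __name__ == "__main__":
    for pol in (ROUTING_VENDOR, PAYMENTS_VENDOR):
        print(pol.vendor, "->", build_vendor_export(SAMPLE_RECORDS, pol))
    try:
        build_vendor_export(SAMPLE_RECORDS,
                            VendorPolicy("support-desk", "identity checks", frozenset({"password_hash"})))
    except PolicyError as e:
        print("refused:", e)
```

The point of the catalogue is that the limit on what may ever be shared lives in one place the security team owns, while individual vendor allowlists can be reviewed alongside the contract language Reynolds describes; an export that silently dumps whole records cannot pass this function, and a vendor that later asks for more must get its policy, and therefore its review, updated.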
While a contract might allow for a full-blown onsite audit of a third-party vendor, less invasive steps can also be taken. Security questionnaires can provide information, Dort noted. If a vendor has received some sort of certification of its cyber-security practices, a company might ask to see the report, he suggested.
“Third-party vendors continue to pose a threat of data security incidents, and it is typically the consumer-facing company that bears the brunt of the publicity—even if the vendor is at fault,” Reynolds said.
Lori Tripoli is a writer based in the greater New York City area who focuses on legal and regulatory issues.