Federal Court Ruling: Corporate Liability for Law Firm Data Breaches

A recent federal court decision has significant implications for corporate cybersecurity and third-party risk management. The court ruled that a company could be held negligent for a data breach that occurred at its law firm, allowing a negligence claim against Mondelez Global LLC to proceed following a breach at its law firm, Bryan Cave Leighton Paisner, LLP.

Case Background

Mondelez Global LLC, a leading snack food manufacturer, hired Bryan Cave to handle legal services. During this engagement, Mondelez provided Bryan Cave with sensitive personal information (PII) of its employees, including names, dates of birth, social security numbers, and addresses.

In early 2023, Bryan Cave discovered unauthorized access to its systems, revealing that hackers had stolen the PII of 51,100 current and former Mondelez employees. This breach put the affected individuals at risk of identity theft, prompting them to take protective measures such as signing up for credit monitoring and securing their financial accounts.

Legal Arguments

Following the breach, the affected employees filed lawsuits against both Mondelez and Bryan Cave. Mondelez sought to dismiss these lawsuits, arguing that it could not be considered negligent merely for sharing employee information with its law firm. However, the plaintiffs argued that Mondelez had a duty to ensure that its law firm adhered to proper data security practices and that unnecessary personal information should have been deleted rather than shared.

The court declined to dismiss the negligence claim against Mondelez, allowing the plaintiffs to further develop their case. This decision suggests that Mondelez will likely incur significant legal fees during the discovery phase and may ultimately settle to avoid an adverse ruling at trial. If Bryan Cave and its insurers cannot satisfy any judgment, Mondelez may be exposed to further liability.

Implications for Corporate Cybersecurity

This ruling underscores several critical areas for corporate cybersecurity and compliance:

  1. Third-Party Risk Management (TPRM)
    • Comprehensive Evaluations: Businesses must conduct thorough and ongoing evaluations of their third-party vendors’ data security practices, including regular audits and continuous dialogue about cybersecurity protocols.
    • Security Questionnaires and Checklists: Detailed assessments should be implemented to ensure compliance with the latest security standards.
  2. Data Minimization
    • Assessing Necessity: Companies should determine what information is essential for their operations and ensure that unnecessary PII is securely deleted.
    • Reducing Risk: Minimizing data shared with third parties reduces the exposure risk in the event of a breach.
  3. Contractual Safeguards
    • Mandating Data Protection: Contracts with third-party vendors should include clauses that mandate stringent data protection measures, including regular security audits and breach notification requirements.
    • Provisions for Updates: Contracts should allow for periodic review and updates to security provisions as threats evolve.
  4. Continuous Monitoring
    • Real-Time Visibility: Advanced monitoring tools and technologies should be deployed to provide real-time visibility into third-party vendor activities.
    • Security Information and Event Management (SIEM): Implementing SIEM systems and intrusion detection systems (IDS) can help identify intrusions and security gaps promptly.
  5. Incident Response and Recovery
    • Robust Plans: Companies should have clear incident response protocols for third-party breaches, including immediate action, communication with affected parties, and coordination with vendors.
    • Breach Simulations: Regular breach simulations can ensure preparedness and effective response to real incidents.

Impact on Corporate Policy and Strategy

The court’s decision has broader implications for corporate policy and strategy. Companies must recognize that their responsibility for data security extends beyond their internal systems to include their entire supply chain. This ruling could lead to an increase in litigation against companies whose vendors suffer data breaches, emphasizing the need for proactive third-party risk management.

Moreover, the case highlights the importance of cross-functional collaboration within organizations. Legal, compliance, IT, and procurement departments must work together to manage third-party relationships with a focus on security. This collaborative approach can help identify potential risks early and implement appropriate safeguards.

Recommendations

  • Vendor Assessment: Develop a comprehensive framework for evaluating third-party vendors, including detailed security questionnaires and regular audits.
  • Data Minimization: Implement strict data retention policies that mandate the deletion of unnecessary PII and limit data sharing to essential information.
  • Contractual Obligations: Include clear data security requirements in contracts, with provisions for audits, breach notifications, and penalties for non-compliance.
  • Ongoing Monitoring: Use advanced monitoring tools to maintain real-time visibility into vendor activities and ensure compliance with security standards.
  • Incident Response Planning: Develop and regularly update incident response plans to include third-party breach scenarios and conduct breach simulations to ensure preparedness.

How Can Netizen Help?

Netizen ensures that security gets built in and not bolted on, providing advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.

Questions or concerns? Feel free to reach out to us any time –

https://www.netizen.net/contact
Copyright © Netizen Corporation. All Rights Reserved.