In an article published last week, SC Magazine reported that software publishing company TaxSlayer experienced a data breach enabled by one of its third-party partners. The breach, which apparently affected some 8,800 TaxSlayer customers, has prompted the company to provide, for the next year, credit monitoring services for those affected, as well as $1 million in identity theft insurance.
That’s more than $1.7 million* worth of cleanup costs for TaxSlayer, all because of a data breach caused by a third party it worked with. That’s a lot of money, considering fewer than 10,000 records were exposed.
Though it was the behavior of the unnamed third-party vendor that reportedly enabled the breach, TaxSlayer is on the hook for compensating its customers. If reading that makes you want to batten down the hatches and never trust anyone besides yourself with your customers ever again, remember: third parties are essential to any business.
When Do IT Businesses Work with Third Parties?
A small technology business works with third parties when it…
- Hire a subcontractor to complete part of a project.
- Hire an accountant to handle taxes.
- Outsource marketing to a marketing service provider.
- Purchase other services from vendors.
So who can be held liable when all these parties are involved in a project?
The Chain of Liability When Dealing with Third Parties
To understand the chain of liability, it’s important to see things from the customer’s perspective: the customer entered their sensitive personal information into tax software, did nothing wrong, and found out they were the victim of a breach, which could compromise their credit for years.
Obviously, they want and deserve some kind of compensation. But who’s liable?
That depends on the language in contracts and possibly the laws in the state where the business is operating. For example:
- If TaxSlayer indicated in its user agreement that it would take reasonable measures to keep customer data secure, it would be legally responsible for the breach and have to pay for customer damages (which it would hopefully be able to do via a Cyber Liability Insurance policy).
- Even if TaxSlayer had no language in its user agreement promising data security, there’s a good chance they could be held liable for the losses in court. Again, a Cyber Liability policy may be able to cover the costs.
- If TaxSlayer had a contract with its third-party partner indicating that the vendor had to take reasonable measures to keep data secure, TaxSlayer (or its insurance provider) could conceivably sue the partner and recover any damages it paid customers.
There are two key concepts here: the contract and the recovery of damages. With appropriate contract language in place, IT businesses can give themselves excellent odds of recovering any lost money caused by a third party’s failure on the job. Unfortunately, only 47 percent of current TechInsurance customers use formal written contracts with their subcontractors.
How does that recovery happen? Through the Errors & Omissions Insurance policy of the third party you’re working with. Just as you can make a claim on your policy when something you do causes a client a loss, your subcontractors, vendors, and associates can make a claim on their policy when something they do causes you a loss.
3 Steps to Verifying that Third Parties Have Enough Insurance
To make sure the subcontractors, vendors, and others you work with have adequate E&O Insurance to minimize your financial losses, follow these three steps:
- Include language in your contracts requiring E&O Insurance. Typically, IT contracts require either $1 million or $2 million in Errors & Omissions Insurance. That requirement will seem normal to any third parties you’re working with.
- Request a Certificate of Liability Insurance from third-party vendors, subcontractors, and others you work with. Make proof of insurance a condition of signing the contract. A Certificate of Liability [PDF] is a single-page document that summarizes the coverage a policy offers. You can see at a glance whether they’ve complied with your contract terms.
- Verify the information on the certificate by calling the insurance company that issued it. Make sure the Certificate is up to date by dialing the number provided and checking with the carrier that your partner’s coverage is active.
Minimizing Liability Exposure with Technology Errors & Omissions Insurance
It’s worth noting here that your contractors aren’t the only ones who should carry Errors & Omissions Insurance. Your business, too, can benefit from having an active policy. After all, your E&O Insurance policy is the one that handles the initial cost when a mistake caused by one of your third-party partners leads to a lawsuit against your business.
That’s the beauty of E&O Insurance: it can pay benefits even if you’re not in the wrong.
And here’s the thing: when a third party is truly at fault for an incident that triggers a lawsuit, your E&O Insurance provider may sue that third party in an effort to recover whatever it spends defending you. And that’s when it’s important for your third parties to have their own E&O policies; without them, your insurance company has to eat the cost of defending you and may raise your premiums to compensate.
Summary: 4 Steps to Minimizing Third-Party Risk for IT Professionals
To prevent a mishap like the data breach that hit TaxSlayer from having a serious negative impact on your business, take these four steps:
- Identify any third parties you work with.
- Confirm that your contracts require them to carry Errors & Omissions Insurance or update contracts for future relationships to require this coverage.
- Verify third parties’ coverage by contacting the insurance company named on their Certificate of Insurance.
- Make sure you have an active technology Errors & Omissions Insurance policy.
*Costs estimated from The Simple Dollar’s review of credit monitoring services and Zander Insurance’s identity theft insurance quote.