Wendy J. Wagner
Partner
Co-leader, National Cyber Security & Data Protection Group; Head, International Trade & Customs
Article
As many organizations have transitioned to conducting business digitally, software tools have taken on an increasingly important role in their day-to-day operations and are used to perform critical functions involving the storage, transfer, and processing of data.
For organizations that perform essential functions digitally, these tools are critical to business operations and continuity. Whether for email and communications, customer relationship and project management, or cloud storage—these applications provided by third-party vendors are often used by hundreds of organizations across industries.
Software as a service (SaaS) has become a prevailing delivery model for such applications, with the vendors remaining in control of critical infrastructure utilized by the relevant application, including servers and/or cloud storage. The use of the relevant application, and this underlying shared infrastructure, is then offered as a service to client organizations, and made accessible to them remotely via the web.
While this comes with benefits like convenient scalability and the ability to receive prompt and ongoing software updates, it also comes with security risks.
The SaaS model requires client organizations to entrust the data stored on or processed using the third-party applications to the vendor, including reliance on the vendors' security safeguards and protocols. Sophisticated vendors generally implement a range of security safeguards to protect shared remote infrastructure and mitigate the risks of connected access.
However, malicious actors, whose business it is to breach cyber security safeguards to encrypt data or compromise the data for ransom, are motivated and sophisticated. These threat actors continue to evolve their tactics to locate and leverage vulnerabilities in these platforms and circumvent safeguards.
To a malicious actor, targeting vendors that offer their connected applications to other organizations represents an efficient avenue to access significant volumes of data. If they are able to successfully hack into such a platform, they can potentially access, and leverage for ransom, the data of hundreds of organizations at once.
In a 2022 report, "The cyber threat from supply chains", the Canadian Centre for Cyber Security (CCCS) reported that it was almost certain that threat actors would continue to develop their capability to compromise organizations through supply chains as an alternative to direct action against a target's network defences. The CCCS also concluded that software would continue to be a primary vector for cyber threat movement through supply chains.
These predictions have since proven accurate. A significant recent example of a wide-reaching vendor data breach is the MOVEit breach that occurred in 2023.
Threat actors leveraged a vulnerability in "MOVEit Transfer", an online secure file transfer service used by thousands of organizations worldwide, to access sensitive data of more than 1000 MOVEit customers, encompassing the data of millions of individuals. Threat actors then used the stolen data to attempt to extort payment from impacted organizations.
While the MOVEit breach impacted organizations across industries, other recent attacks have targeted vendors offering applications to critical industries, like health care. Vendors of clinical information systems and other connected tools utilized by hospitals and healthcare organizations are a frequent target for ransomware attacks, with numerous recent examples across Canada and the United States. These systems typically contain extensive sensitive patient data, and the compromise of such data can have a significant impact on health care delivery, making them an enticing target for malicious actors looking to extort payment for ransomed data.
In response to this increasing threat, governments have taken steps to implement policy changes to introduce greater defences for critical data.
For example, in May 2024, the Government of Ontario tabled Bill 194, the Strengthening Cyber Security and Building Trust in the Public Sector Act, 2024. The Bill would make a number of changes, including creating a pathway for the government to require public sector organizations to develop and implement cyber security programs and cyber incident response procedures, and introducing formalized breach reporting and notification requirements.
For more information see our article "Ontario Introduces Bill 194 to address cyber security in the public sector".
Vendor data breaches present a number of unique challenges for organizations, relative to a breach impacting an organization's own network or IT systems. Most challenges are rooted in the fact that the clients of an impacted vendor will not generally have direct insight into or control over how the incident is responded to by their vendors.
However, client organizations continue to have responsibility for the compromised data, and so will have legal obligations to their own clients and impacted individuals, and to regulators, with respect to the incident.
Ensuring all parties are able to meet their legal obligations requires collaboration and sharing of information between the vendor and its clients. Additionally, there may be situations where client organizations wish to participate in decision making related to the vendor's incident response, such as in deciding whether to pay a ransom for their data.
However, this collaboration must occur with the risk of future litigation looming, as clients assess whether the vendor was adequately protecting the data that was breached, and more information becomes available from the vendor regarding the cause of the breach. Reputational, privilege and liability concerns may incentivise vendors to withhold certain information, particularly about proprietary systems, or how the compromise occurred.
Organizations should consider the following issues in assessing whether their security protocols and breach response plans adequately prepare the organization to respond to a security breach experienced by a critical vendor:
Maintaining a positive and close relationship with critical vendors, through both formal and informal channels, may increase the likelihood of transparency and collaboration during an incident.
While informal relationship building may result in increased transparency, in the event of a breakdown in the relationship, or if there is an anticipation of litigation, what an organization receives from its vendors may come down to what it is entitled to under the agreement governing the relationship.
Do you have a contractual right to audit your vendors' security program and if such right exists, does your organization periodically exercise the right in a manner that is commensurate with the risk? This will be a key factor examined by regulators when they evaluate whether the organization engaging the vendor took appropriate steps to safeguard information.
When a vendor-provided application is compromised, an organization will generally be limited in its ability to perform its own forensic reviews of the vendor's systems. However, in some cases, vendor technology may be used as a vector to access and compromise connected local systems.
Given the potential for breach-related litigation, involving legal counsel in vendor communications at a sufficiently early stage will allow them to assist organizations in attempting to establish common interest privilege over communications with vendors, and in preserving solicitor-client and litigation privilege over critical documents and communications.
Responding to a data breach is generally very costly for impacted organizations. Costs include: retaining service providers to perform forensic reviews, notify and communicate with impacted individuals, handle public relations, or provide legal counsel; offering credit monitoring and identity protection services to impacted individuals; ransom payments; regulatory fines or penalties; remediation costs from securing compromised environments; increased cyber insurance premiums; and lost business and revenue from reputational damage.
In addition to these unique vendor data breach response considerations, organizations should be aware of best practices for responding to any data breach. For an overview of best practices in breach response more broadly, see our article "Data breach response 101 for Canadian businesses".
Involving legal counsel in developing your organization's data breach incident response processes, and in breach response, are important steps in ensuring your organization's data breach readiness. To learn more, contact the authors or a member of Gowling WLG's Privacy & Cyber Security Law team.