Alert
04.24.19
Wipro, the Bengaluru, India-based ITO and BPO services provider, confirmed on Tuesday, April 16th, that it fell victim to a data breach—specifically, an advanced and persistent “zero-day” malware attack. The attack may have begun in March as a phishing incident (an unauthorized attempt to access a target’s information systems, usually via fraudulent emails or other communication) involving one Wipro employee, and it has apparently led to a broader infiltration of Wipro’s email systems.
Initial reports have indicated that the attack may have impacted more than a dozen of Wipro’s customers, but the ongoing investigation has yet to uncover whether, and to what extent, those customers’ data are at risk.
While Wipro’s internal investigation of the breach apparently continues, Wipro has publicly stated that it has identified the affected employee accounts, taken remedial measures, and informed a number of its customers who engaged with the affected employees. Wipro has also apparently communicated signifiers of the attack, known as “indicators of compromise” (IOCs), to its affected customers. Such indicators may give customers insight into the methods used to effectuate the Wipro intrusion and could help such customers take appropriate measures to protect their own information systems.
Wipro is not the first—and unfortunately will not be the last—technology or outsourcing service provider to encounter a major security intrusion. In today’s world of sophisticated and seemingly ubiquitous state- and commercially-sponsored cyberattacks, what is an institution to do in the wake of a data security incident affecting a service provider?
Below we include a list of some helpful measures, both operational and contractual, that an institution should consider both to respond to, and to hopefully contain the effects of, a data security incident involving an outsourced service provider. While every data security incident is different, and every service provider relationship requires its own tailored data governance and incident response regime, the following provide some helpful starting points for consideration.
Operational Considerations
Specifically, when an incident does occur:
Contractual Considerations
Perhaps just as vital as an organization’s operational response in the face of a service provider’s security breach are the contractual obligations put in place before the breach occurs to mitigate the occurrence of an incident and manage risks in the wake of an incident. Agreements with service providers should include robust security provisions that account for the sensitivity of the customer’s data being handled, and the documentation should clearly outline the rights of the customer and obligations of the service provider in the event of an information security breach.
Following a security incident, an institution will want to quickly review the applicable agreement(s) and related attachments to confirm that the security representations and requirements the service provider agreed to in the contract are being met, and that the measures the service provider must take in the wake of a data security incident (e.g., providing certain information, cooperation, and data access to the customer; indemnifying the customer for certain employee- and third party-related costs or claims incurred by the customer in responding to the breach) are being followed. A customer may also need to consider its contractual audit rights, particularly in the event that its own information security practices require the customer to perform a review of (or obtain specified information regarding) the service provider’s systems following a data security event.
In more extreme circumstances, a customer may need to consider the contract’s limitation of liability and risk allocation regime, in the event that the data security incident causes harm to the customer that can only be addressed through recoupment of damages or termination.
Conclusion
In the face of a breach, both parties to a services agreement have a shared interest in working together to promptly contain the breach, and to remediate its potentially damaging effects as soon as possible. The attorneys and consultants in Pillsbury’s Global Sourcing & Technology Transactions practice are well versed in both the operational and contractual issues that emerge following a data security incident and are happy to schedule a phone consultation to discuss the Wipro breach and its potential implications for your organization.