Understanding the MOVEit attack on Amazon and other companies: Legal implications and managing liability for data breaches
As a new provider of fractional legal services based in Bracknell, a key focus is on helping businesses prepare for cyber risks and the potential legal impact of data breaches. The recent Amazon data breach, where millions of employee records were exposed due to a third-party supplier’s vulnerability, highlights the importance of having robust contractual safeguards to address liability. Here’s a breakdown of the breach, its causes, and the critical contractual protections businesses should consider.
What happened?
In May 2023, cybercriminals exploited a zero-day vulnerability in the MOVEit Transfer platform, a managed file transfer tool widely used by businesses. This attack targeted numerous companies, including Amazon, where hackers accessed over 2.8 million lines of employee data, including work contact information. Although Amazon’s own systems weren’t breached, the attack on their supplier’s system exposed the interconnected risks of relying on third-party service providers.
What are the legal implications of data breaches?
Businesses can face extensive liabilities when data breaches occur, especially when they involve customer or employee personal information. Potential repercussions include:
Regulatory penalties: Data protection regulations like the Data Protection Act 2018 and the General Data Protection Regulations impose strict requirements and hefty penalties for failing to secure personal data.
Reputational damage: Cyberattacks erode customer trust, often impacting long-term loyalty and revenue.
Financial damages and litigation: Affected individuals may pursue compensation, leading to costly litigation and settlements.
Operational disruptions: Beyond financial impact, breaches can severely disrupt business operations and productivity.
Why is the contract so important?
Data breaches threaten sensitive data and can significantly impact a company’s bottom line. Supplier contracts should include key terms tailored to address the unique risks of data breaches and protect you against supplier failures. Key considerations include:
Liability cap increases for data breaches: Suppliers often attempt to limit their liability within data processing agreements and agreements for the use of third-party platforms. Given the potential financial impact of breaches, companies should negotiate a higher liability cap (a super cap) specifically for data protection breaches. This ensures additional financial recourse if a supplier mishandles data.
Claims for indirect or consequential losses: Consequential losses, such as reputational damage, lost customers, and regulatory fines, can far exceed direct financial losses. Contracts should allow recovery of indirect and consequential losses arising from data breaches, ensuring full compensation for all potential damages.
Indemnification clauses for data breach costs: Suppliers should indemnify the company for costs related to data breaches, covering investigation, notification, remediation, and any regulatory fines.
Insurance requirements for suppliers: Given the unpredictability of data breaches, suppliers should be required to hold cyber liability insurance. This additional layer of security helps cover breach-related costs and offers financial protection to the contracting company.
Compliance with laws and standards: Require suppliers to comply with applicable data protection laws and industry best practice.
Obligation to mitigate damages: Mandate that suppliers take immediate steps to mitigate damages, contain the breach, and prevent further unauthorised access.
Responsibility for remediation costs: Specify that the supplier will cover costs related to breach remediation, including investigation, containment, and recovery efforts.
Approval for subprocessors: Require prior approval for the use of any subprocessors who may handle personal data of employees or customers, ensuring they also comply with data security obligations. Hold suppliers accountable for the acts or omissions of their subprocessors as if they were their own.
Security standards and audit rights: Contracts should mandate certain cybersecurity standards and require vendors to conduct regular security audits. Clear security protocols help mitigate risk and demonstrate reasonable efforts to protect data, for example by requiring compliance with best-practice data protection mechanisms and ensuring that only appropriate international transfers take place.
Incident response obligations: Include clauses specifying how quickly the supplier must report a breach, what steps they will take to contain it, and how they will assist in notifying affected individuals and in reducing the impact of the breach.
Right to terminate for cause and exit strategy: Allow termination of the contract if a supplier experiences a data breach due to negligence or fails to uphold agreed security standards. Ensure the supplier agrees to provide assistance in transitioning data to a new provider if the contract is terminated due to security concerns. Specify that the supplier will cooperate with your team in investigating the breach, preparing reports, and notifying affected parties, if required.
What else can be done to mitigate reputational risk and improve transparency?
Data breaches, especially those involving personal data, can lead to significant reputational damage. To mitigate this risk, companies should adopt preventative measures and have clear communication strategies for such events:
Crisis communication planning: Establish a breach response and communication strategy to address the concerns of affected individuals and the public. A swift, transparent response can help restore trust and reassure stakeholders.
Reassessing supplier vetting processes: This breach highlights the importance of thoroughly vetting suppliers’ data security capabilities and monitoring third-party risk to ensure proactive data protection.
Enhanced data protection policies: Companies should show commitment to security by continuously improving internal data policies and providing employee training to prevent future incidents.
Training of employees: Companies should regularly train their employees on the risks around personal data, best practices for protecting personal data, and how to vet a supplier to ensure they have good practices in place to protect personal data they are processing on your company’s behalf.
Why are the best defences not always foolproof?
The Amazon breach demonstrates that, despite the best defences, data breaches can still occur, particularly where zero-day vulnerabilities are involved. This is why strong contractual safeguards are essential: they offer a legal safety net when preventive measures fall short. Clear terms in supplier contracts, agreeing where liability lies, help manage liability and financial risk, protecting your business from unforeseen damages.
For more information on strengthening your business’s contracts and safeguarding against cyber risks, contact us to learn how fractional legal services can help secure your interests.
About Adaptable Legal Counsel
Adaptable Legal Counsel offers flexible, in-depth legal support tailored for small and medium-sized businesses across the Thames Valley and beyond. Specialising in comprehensive, practical solutions, we’re committed to helping businesses navigate complex legal landscapes with confidence.
As your business grows, so do its legal needs. While hiring a full-time legal team may not be feasible, that doesn’t mean you need to compromise on sound, timely legal advice. Fractional legal counsel, flexible legal support you can access as required, offers a middle ground, providing expert assistance without the overhead of a full-time hire.
About Amy
Amy is a qualified commercial solicitor with extensive experience in commercial law and legal compliance, honed during her time at Reed Exhibitions (RX Global), part of the RELX Group. RX Global, a leading global events organiser, provided Amy with a unique perspective on the complex legal needs of large-scale, international events. Her role there deepened her expertise in areas like data protection, intellectual property, and commercial contracting, enabling her to understand and anticipate the demands of event management from a legal standpoint. Now, as the founder of Adaptable Legal Counsel, Amy leverages this background to offer tailored, agile legal solutions that empower small and medium-sized businesses to navigate their own regulatory landscapes confidently and effectively.
For more information, please visit our website to discuss how our flexible legal services can help your business succeed in partnerships with larger clients.
Disclaimer: This blog is for informational purposes only and should not be considered legal advice. The content provided here is intended to offer general insights into data protection and contractual considerations for businesses. For specific legal advice tailored to your individual circumstances, please consult a qualified legal professional. Adaptable Legal Counsel disclaims any liability for actions taken or not taken based on the information in this blog.