The Gap (a popular clothing retailer in the US) announced last week that one of the vendors that they use for personnel recruiting had a laptop stolen. The stolen laptop contained the job application information (including social security numbers) of more than 800,000 people, and the data was unencrypted. (See this press release.)
The Gap had a contractual trust relationship with the vendor, and that trust included an agreed-upon policy that stored PII would be encrypted. Whoever stole the laptop is clearly to blame for the data breach, but the vendor did not ensure that the PII was encrypted, and is just as clearly at fault for not adhering to the terms of their contract. But what about The Gap? What is their responsibility in this situation? Well, legally (and I'm not a lawyer, so all the usual disclaimers apply), as I understand it, The Gap is liable for the actions of its vendors. The Gap can't avoid responsibility just by outsourcing. But practically speaking, what could The Gap have done to prevent this situation? The laptop was not under their control, the employees who managed the laptop were not under their control, the employee who managed to get the laptop stolen was not under their control, and the thief himself was not under The Gap's control. What could they have done? Did The Gap practice due diligence with the PII they were entrusted with?
The Gap should have periodically and independently verified the security practices of their vendor. This sort of provision is written into contracts all the time, but it is usually exercised at the customer's (e.g. The Gap's) discretion. Did they ever audit their vendor's practices? Did they test (or have someone test) the vendor's controls? The press release doesn't say, but clearly whatever The Gap did do, it wasn't sufficient. I've never thought of it this way before, but when you add the audit costs to an outsourcing contract, does it still make sense to outsource? Food for thought...
This is a great example of the porous nature of corporate networks today. This compromised data moved from a secure website, through a (presumably) encrypted database, was decrypted and copied to a vendor's laptop (probably over a secure, authenticated connection). The laptop then wandered off into space.
Clearly, the firewall is not the network endpoint we'd like to think it is.