It was recently discovered that a certain software product, in this case one used by numerous cannabis companies around the country, contained a security vulnerability that exposed the consumer data of the companies using it. You can read more about it in this linked article. This isn’t the first time a security vulnerability has been introduced by the use of third-party software, and it won’t be the last. The CCPA requires that “reasonable security measures” be taken to protect consumer data. It is likely that employing vulnerable software will be seen to violate this standard (the question has yet to be tested in court), but will it lead to liability for the company employing the software? I think it will.
So what is a company to do when purchasing third-party software that will store or otherwise have access to consumer data?
First, I would recommend purchasing software from established, proven, and security-focused companies. Additionally, the agreement governing the software’s use should be examined closely and should include a provision warranting that the software is secure and providing for indemnification against claims resulting from a breach of that warranty. Note, though, that such an indemnification is only helpful if the indemnifying entity has sufficient wherewithal to stand behind it. Thus, the first point—buying from strong companies—is important in any event. Finally, to the extent a company has the resources (internal or external) to do so, it should subject third-party software to vulnerability testing, alongside the testing it applies to its own systems.
There’s always risk in incorporating third-party software into company systems and networks. The CCPA creates additional risks that need to be considered.