On September 26, 2019, the food delivery service DoorDash alerted the public to “unusual activity involving a third-party service provider” resulting in unauthorized access to user data. Compliance Week spoke with Chicago partner Ken Dort and other data privacy and cybersecurity professionals about why this data incident serves as an important reminder for companies to mind their own cybersecurity and keep an eye on the data protection practices of their third-party vendors.
The publication reports that although a number of media outlets described what transpired at DoorDash as a breach, DoorDash’s own announcement used somewhat less alarmist nomenclature to explain that profile information, the last four digits of credit cards, and the last four digits of bank account numbers of 4.9 million consumers, delivery drivers and merchants had been accessed prior to April of last year.
While DoorDash’s chosen verbiage may reflect a concerted effort to minimize any hysteria, whether what occurred is appropriately labeled a “breach” “is going to depend on the jurisdiction that you are in,” cautioned Dort.
“Under certain laws, information that is only accessed and not acquired may not be a breach,” Dort explained. Yet, in other jurisdictions, mere access of data is considered to be a breach, he said, pointing to the recently enacted New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act as an example. “When that goes into effect in March, simply accessing information will be deemed a breach of security for notification laws,” Dort said. “Right now, though, an actual acquisition of data must be shown for an incident to be deemed a breach.”
Dort added that certain preventative steps, such as security questionnaires, can be used to ensure a company’s third-party vendor does not pose a threat of data security incidents. He suggests that if a vendor has received some sort of certification of its cybersecurity practices, a company might ask to see the report.