The Rise in Class Action Lawsuits and 4th Party Risk: The Alexion Pharmaceuticals Breach
What is 4th-Party Risk and Why is it Becoming an Issue?
Organizations rely on a complex network of third parties to deliver their products and services. These third parties, in turn, depend on their own network of vendors, known as fourth parties, to provide essential functions and capabilities. For example, an IT service provider might use a cloud services provider to manage customer data, or a manufacturer might outsource the production of certain components to a fourth party.
4th-party risk refers to the potential threats these indirect vendors pose. As supply chains become more interconnected, managing these risks becomes increasingly critical. According to recent studies, 98% of organizations have worked with a vendor that experienced a breach in the last two years, and many of these breaches originate from a vendor’s supply chain. The complexity of these relationships often leaves organizations with limited visibility and control over their fourth parties, increasing their vulnerability to breaches.
The recent Alexion Pharmaceuticals breach underscores the importance of robust fourth-party risk management and the consequences of fourth-party breaches. As supply chains become more complex and interconnected, the risk of breaches through fourth parties increases, necessitating a comprehensive approach to vendor risk management.
What Happened to Alexion Pharmaceuticals?
The Alexion Pharmaceuticals breach originated from Cisiv, a fourth-party vendor. On February 8, 2024, an unauthorized party gained access to a database Alexion uses to support its Risk Evaluation and Mitigation Strategy (REMS) Program. Cisiv, the breached vendor, served as a subcontractor to PPD, the direct vendor that Alexion had engaged to handle the REMS database. It is important to note that neither Alexion’s nor PPD’s computer systems were breached as a result of the incident.
According to Cisiv’s filing with the Attorney General of Vermont, the breached database contained sensitive participant information, including names, addresses, email addresses, phone numbers, and details of participation in surveys related to Alexion’s products. Cisiv discovered the incident on February 12, 2024, and promptly secured its systems. An investigation conducted with third-party data security experts confirmed the unauthorized access. Cisiv completed its review of the compromised files on April 16, 2024, identifying the specific data and individuals affected by the breach.
The Fallout from the Breach
The breach had severe repercussions for Alexion Pharmaceuticals, including several class action lawsuits. These lawsuits were filed by affected parties, such as patients whose sensitive medical information was exposed. The lawsuits emphasize the severe consequences of security lapses in any part of a company’s extended supply chain, including indirect vendors. The rise in class action lawsuits stemming from data breaches underscores the need for comprehensive vendor risk management. These lawsuits result in significant legal expenses, settlement costs, and operational disruptions, adding to the already substantial costs associated with breach response and remediation.
The Rise in Class Action Lawsuits
Class action lawsuits related to data breaches have seen a significant increase over the last couple of years. According to Duane Morris, the number of data breach class action filings jumped from slightly more than 300 in 2020 and 2021 to nearly twice that number in 2022, soaring to 1,320 in 2023. This increase is driven by the growing sophistication of cybercriminal activities, high-profile breaches, and stronger data protection laws like the GDPR and CCPA.
Companies that experienced data breaches in 2023 not only faced a surge in class action lawsuits but also had to contend with multiple lawsuits across different jurisdictions. These included repeated and follow-up lawsuits that added to the financial and operational burden. The cost of addressing these breaches, alongside the expenses of navigating complex legal challenges, created a significant strain on these companies.
How to Manage 4th-Party Risk
As companies are being held liable for fourth-party breaches, it is critical for organizations to revisit how they manage fourth-party risk.
Managing fourth-party risk involves several key strategies:
Identify Key Fourth-Party Relationships: Understand and document fourth-party relationships, especially those handling sensitive information. Ask third parties to disclose their key vendors and review those vendors’ roles and responsibilities.
Assess Vendors on Their Vendor Risk Management Programs: Evaluate your vendors’ risk management frameworks, ensuring they have robust procedures for identifying, assessing, and mitigating risks related to their vendor network.
Continuously Monitor Key Fourth Parties: Implement continuous monitoring of fourth-party vendors to detect potential weaknesses in their security posture. Use attack surface monitoring tools that provide real-time insight into the security posture of these extended vendors.
Incorporate Contractual Obligations: Include specific clauses in contracts with third-party vendors, requiring them to manage their vendors’ risks effectively and transparently.
By implementing these strategies, companies can better protect themselves from the risks posed by fourth-party vendors and reduce the likelihood of facing severe consequences like those experienced by Alexion Pharmaceuticals.
Conclusion
The Alexion Pharmaceuticals breach serves as a stark reminder of the complexities and dangers of fourth-party risk. As supply chains grow more interconnected, the need for vigilant and comprehensive vendor risk management strategies becomes more critical. By understanding and addressing these risks, companies can protect their data, reputation, and financial stability in an increasingly interconnected business environment.
ProcessBolt offers an AI-driven vendor risk management platform that enables organizations to address the challenges of third and fourth-party risk. The platform identifies key fourth-party relationships by extracting insights from corporate documentation, assesses the quality of a vendor’s third-party risk management program, and continuously monitors the internet-facing attack surfaces of critical fourth-party vendors. Contact us today to learn more about how ProcessBolt can help you improve your strategies to manage fourth-party risk.